[Federal Register Volume 83, Number 79 (Tuesday, April 24, 2018)]
[Notices]
[Pages 17807-17808]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-08554]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
[Docket DARS-2018-0023]
DoD Guidance for Reviewing System Security Plans and the NIST SP
800-171 Security Requirements Not Yet Implemented
AGENCY: Department of Defense (DoD).
ACTION: Notice and request for comment.
-----------------------------------------------------------------------
SUMMARY: DoD has drafted guidance for procurements requiring
implementation of National Institute of Standards and Technology (NIST)
Special Publication (SP) 800-171, Protecting Controlled Unclassified
Information in Nonfederal Systems and Organizations, and is making the
draft guidance available to the public.
DATES: Comments are due by May 31, 2018.
ADDRESSES: You may submit comments, identified by docket DARS-2018-
0023, by any of the following methods:
• Federal eRulemaking Portal: http://www.regulations.gov.
Search for ``DARS-2018-0023.'' Select ``Comment Now'' and follow the
instructions provided to submit a comment. Please include ``DARS-2018-
0023'' on any attached documents.
• Mail: Defense Procurement and Acquisition Policy, Attn: Ms.
Mary Thomas, OUSD(A&S) DPAP/PDI, Room 3C958, 3060 Defense Pentagon,
Washington, DC 20301-3060.
FOR FURTHER INFORMATION CONTACT: Ms. Mary Thomas, DPAP/PDI, at
[email protected] or by mail at: Defense Procurement and
Acquisition Policy, Attn: Ms. Mary Thomas, OUSD(A&S) DPAP/PDI, Room
3C958, 3060 Defense Pentagon, Washington, DC 20301-3060.
SUPPLEMENTARY INFORMATION:
The Defense Federal Acquisition Regulation Supplement clause
252.204-7012, Safeguarding Covered Defense Information and Cyber
Incident Reporting, requires contractors to provide ``adequate
security'' for ``covered defense information'' that is processed,
stored, or transmitted on the contractor's internal information system
or network. To provide adequate security, the contractor must, at a
minimum, implement NIST SP 800-171, ``Protecting Controlled
Unclassified Information in Nonfederal Systems and Organizations.''
NIST SP 800-171 states that in order to demonstrate implementation or
planned implementation of the security requirements in NIST SP 800-171,
nonfederal organizations should describe in a System Security Plan how
the specified security requirements are met, or how organizations plan
to meet the requirements, and should develop plans of action that
describe how any unimplemented security requirements will be met and
how any planned mitigations will be implemented. NIST SP 800-171
further states that, when requested, the System Security Plan and any
associated Plans of Action for any planned implementations or
mitigations should be submitted to the responsible Federal agency/
contracting officer to demonstrate the nonfederal organization's
implementation or planned implementation of the security requirements.
DoD developed the document ``DoD Guidance for Reviewing System
Security Plans and the NIST SP 800-171 Security Requirements Not Yet
Implemented'' to facilitate the consistent review and understanding of
System Security Plans and Plans of Action, the impact that NIST SP 800-
171 Security Requirements that are ``not yet implemented'' have on an
information system, and to assist in prioritizing the implementation of
security requirements not yet implemented. The document ``Assessing the
State of a Contractor's Internal Information System in a Procurement
Action'' illustrates how ``DoD Guidance for Reviewing System Security
Plans and the NIST SP 800-171 Security Requirements Not Yet
Implemented'' may be used during a procurement for which DoD must
assess the state of a contractor's internal information system.
``DoD Guidance for Reviewing System Security Plans and the NIST SP
800-171 Security Requirements Not Yet Implemented'' provides a ``DoD
Value'' to assess the risk that a security requirement left
unimplemented has on an information system, to assess the risk of a
security requirement with an identified deficiency, and to address the
priority for which an unimplemented requirement should be implemented.
The guidance also addresses the method(s) to implement the security
requirements, and, when applicable, provides clarifying information for
security requirements that are frequently misunderstood.
The matrix ``Assessing the State of a Contractor's Internal
Information System in a Procurement Action'' is provided to illustrate
how DoD may choose to assess submitted System Security Plans and Plans
of Action in procurement actions that require the implementation of
NIST SP 800-171.
[[Page 17808]]
To access the documents entitled ``DoD Guidance for Reviewing
System Security Plans and the NIST SP 800-171 Security Requirements Not
Yet Implemented'' and ``Assessing the State of a Contractor's Internal
Information System in a Procurement Action,'' go to the Federal
eRulemaking Portal at www.regulations.gov, search for the docket
``DARS-2018-0023,'' click ``Open Docket,'' and view ``Supporting
Documents.''
Jennifer Lee Hawes,
Regulatory Control Officer, Defense Acquisition Regulations System.
[FR Doc. 2018-08554 Filed 4-23-18; 8:45 am]
BILLING CODE 5001-06-P