NIST 800-171 revision 3 was released on May 14, 2024, prompting DoD to issue an indefinite class deviation for DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012). US Defense Industrial Base (DIB) contractors must now comply with NIST SP 800-171 revision 2 rather than the version in effect at the time the solicitation is issued, as was previously required.
To provide you with the most accurate and insightful information, I recently had the privilege of interviewing Robert Metzger, the head of Rogers Joseph O’Donnell’s DC office and chair of the firm’s Cybersecurity and Privacy practice, about the impact of the DFARS clause 7012 Class Deviation and NIST 800-171 Rev. 3 on DIBs and defense contractors.
Why was the DFARS 7012 class deviation issued?
Metzger: I’ve expected the issuance of the Class Deviation for over a year. It was never practical or achievable to insist upon “immediate” implementation of NIST 800-171 Rev. 3 by companies that received a solicitation after the effective date of the NIST revision. Now that Rev. 3 has been published, several other areas need to be revised, including the training, eligibility, and assessor accreditation facets of the AB. The DoD will need to revise the DoD Assessment Methodology. We can also expect that the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and other DoD elements will require updating of their policies, processes, instructions, documentation, and training.
What does this change mean for DFARS and CMMC compliance requirements?
Metzger: Both DFARS and CMMC will continue to follow NIST 800-171 Rev. 2 as the baseline which applies. While Rev. 3 includes stricter CUI controls, some new areas of requirements, and additional “determination statements”, none of these detract from the value, or presently operative requirement, to implement security measures that satisfy DFARS 7012 and the baseline security requirements as stated in SP 800-171 Rev. 2.
The Class Deviation is not a postponement of or other relief from these obligations. Defense contractors should continue their preparations to meet both DFARS and CMMC obligations for the protection of CUI and other sensitive data in accordance with NIST SP 800-171 revision 2.
What are the current CUI safeguarding requirements of DFARS 7012?
Metzger: The basic safeguarding requirements of the DFARS 7012 clause have been imposed on companies with this clause in their contract and who process, transmit, or host CUI since December 31, 2017. The DFARS 7012 clause requires “adequate security” to protect CUI. This is determined by referencing the 110 requirements of SP 800-171 Rev. 2. Generally, companies with the DFARS 7012 clause are expected to protect CUI. This implies at least reasonable efforts to identify CUI in their possession. Wherever CUI is present, which incorporates DoD-applied restrictive markings or CUI legends, it must be protected.
Nothing has relieved DIB companies of these security obligations, assuming that such companies have the clause in a prime or flow-down contract and have CUI. Nothing has abated or eliminated the specific cyber measures of SP 800-171 Rev. 2. Delay in adherence means an extension in non-compliance with explicit contract requirements. Non-compliance, where known and extended over time, carries with it some risk of contractual measures or other DoD sanctions and may affect eligibility for DoD contracts as well as suitability for DoD primes who increasingly seek confidence that their suppliers are compliant with the -7012 DFARS clause and SP 800-171 Rev. 2.
Do DIBs need to worry about NIST SP 800-171 Rev. 3?
Metzger: Defense contractors should familiarize themselves with NIST SP 800-171 Rev. 3, which the DoD has indicated will eventually be incorporated into both regulations. We can expect that DoD will transition to Rev. 3 when the various affected elements are ready. There also is potential security gain in early adoption of Rev. 3 measures, but the compliance obligations that govern today are expressed by the -7012 clause and Rev. 2. While CMMC requirements for mandatory assessments likely will become operative early in 2025, it may not be for several years (from today) before Rev. 3 will be required. DoD will work out the transition plan and will inform the industry well in advance of when there is a switchover to Rev. 3.
Discover Effective Strategies for Safeguarding CUI
archTIS provides comprehensive defense information protection solutions. Discover our dynamic CUI labeling, marking and advanced protection offerings to fulfill DFARS, CMMC, and NIST compliance requirements in Microsoft applications.
About Robert Metzger
Robert Metzger is the Head of the D.C. Office at Rogers Joseph O’Donnell, PC, a boutique law firm specializing in government contracts, and chairs the firm’s Cybersecurity and Privacy practice group. He advises leading companies on complex and high-stakes matters involving cyber and supply chain security, cloud computing and managed services, data breach, rulemaking and regulation, compliance, and acquisition issues.
He has been recognized as a thought leader on cybersecurity and government contracts. In 2024, Metzger was honored in Lawdragon’s inaugural 500 Leading Global Cyber Lawyers guide and was named a “Top Voice” by LinkedIn.
Chambers USA has recognized RJO’s high-profile work, and it is the only boutique firm ranked in its exclusive Government Contracts: The Elite (USA – Nationwide) list. His work has garnered Band 1 recognition from Chambers in USA Government Contracts: Cybersecurity (USA – Nationwide), the highest Chambers ranking an attorney can receive. He has also been ranked for Government Contracts (USA – Nationwide) for 13 consecutive years.