Alert
Alert
05.16.18
Department of Defense (DoD) cybersecurity requirements, referred to as Safeguarding Covered Defense Information and Cyber Incident Reporting went into effect at the start of the year, and have been met with an array of questions from contractors eager to comply, but unsure of the exact standards they are expected to meet. A long list of Frequently Asked Questions (FAQs) issued by DoD on April 2, 2018, has provided some clarity. However, significant areas of ambiguity remain, and language concerning a Contractor’s compliance with the new contract clause is finding its way into new contract solicitations. DoD has proposed guidance to answers some of those questions, and contractors will have until the end of May to provide feedback to the Government on how helpful—or unhelpful—the guidance is.
One of the key features of the new guidance is that it anticipates review of a contractor’s System Security Plan (SSP) in evaluations for upcoming solicitations—either as a ranked and scored evaluation factor or as a go/no-go factor that may result in the exclusion of proposals.
The guidance provides different scenarios illustrating different ways in which an offeror’s compliance with the NIST standards are considered in a source selection. The first scenario is where the clause is included in the contract, but not evaluated at time of award. Essentially, offerors ‘self-attest’ to their compliance with DFARS 252.204-7012 and implementation of NIST SP 800-171 and these cybersecurity requirements have no bearing on contract award or performance. As a subset to this scenario, DoD could assess/track implementation of NIST SP 800-171 security requirements after contract award by including cybersecurity language in the statement of work and/or as data requirements in the Contract Data Requirements List (CDRL). Such a requirement would indicate that DoD will track implementation of the SSP plans of action.
In the next scenario, a DoD contracting office could evaluate an offeror’s compliance with the cybersecurity requirements in NIST SP 800-171 as part of the source selection. In such a case, DoD could make an acceptable/unacceptable decision based on the implementation status of the NIST 800-171 requirements. DoD would require, in the RFP (e.g., in Section L), that contractors deliver their SSP (or specified elements thereof) with their technical proposal. Additionally, the RFP (e.g., in Section M) would need to identify the criteria for an “Acceptable” rating for the SSP. The question remains whether DoD procurement officials are currently knowledgeable or have been trained to make such determinations.
As an alternative, DoD acquisition evaluators could assess an offeror’s implementation of its SSP as a separate technical evaluation factor. In this case, the RFP (e.g., in Section M) must identify how the offeror’s SSP’s implementation of NIST SP 800-171 will be evaluated. Evaluation could consist of one or both of the following: (1) an assessment of the contractor’s SSP as a stand-alone document; or (2) an independent government assessment to validate implementation of each separate requirement of the SSP utilizing the evaluation tools outlined in Draft NIST Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information. Conducting this highly technical assessment will be beyond the current abilities and skill sets of most DoD acquisition evaluators.
We anticipate that the lack of clarity on the requirements themselves, combined with the assessment of these criteria by non-IT proficient government acquisition evaluators, may result in additional protests. An “acceptable/non-acceptable” determination may not result in large numbers of bidders being excluded from ongoing procurements. However, quantifiable scoring of a bidder’s SSP by government procurement personnel is almost certain to end up with subjective and potentially arbitrary rankings, which will almost surely increase the number of protests relating to this issue. Increased questions and answers, and pre-award protests, will likely occur as bidders seek clarity on these requirements, which may in turn lead to increased acquisition cycle times while Government and industry continue to refine the implementation of these requirements as part of a solicitation’s evaluation factors.
If you have any questions about the content of this Alert, please contact the authors, or the Pillsbury attorney with whom you regularly work.