From: Lexology
Susan B. Cassidy and Calvin Cohen | Covington & Burling LLP
On September 21, 2017, the Director of the Defense Pricing/Defense Procurement and Acquisition Policy (DPAP) issued guidance to Department of Defense (DoD) acquisition personnel in anticipation of the December 31, 2017 date for contractors to implement the security controls of NIST Special Publication (SP) 800-171. The guidance (i) outlines ways in which a contractor may use a System Security Plan (SSP) to document implementation of NIST SP 800-171; and (ii) provides examples of how DoD organizations could leverage a contractor’s SSP and related Plan of Action and Milestones (POA&M) in the contract formation, administration, and source selection processes.
Covered Defense Information (CDI) – The guidance states that DoD “must mark, or otherwise identify in the contract, any covered defense information that is provided to the contractor, and must ensure that the contract includes the requirement for the contractor to mark covered defense information developed in performance of the contract.” Although the requirement for DoD to mark data provided to the contractor during performance is clear, the guidance is less clear as to information developed in performance of the contract. In particular, noting a “requirement for the contractor to mark” information developed during performance, without specifying which information needs to be marked (i.e., by specifying a particular CDRL), presents a compliance challenge and increases the opportunity for miscommunications between DoD and its contractors. The Department’s slides and statements at the June 2017 Industry Day were more explicit, noting that the Department must “[d]ocument in the contract (e.g., Statement of Work, CDRLs) information, including covered defense information, that is required to be developed for performance of the contract, and specify requirements for the contractor to mark, as appropriate, information to be delivered to DoD. (see, e.g., MIL-Handbook 245D, and Contract Data Requirements List (CDRL) (DD Form 1423)).” See Cybersecurity Challenges, Protecting DoD’s Unclassified Information, June 23, 2017 Industry Day at Slide 27. Contractors may see additional clarification of this point in the Frequently Asked Questions that DoD is expected to issue soon. Otherwise, contracting personnel may take a narrow view of their responsibilities to identify CDI that will be developed during performance.