On May 2, the Department of Defense (DOD) issued a class deviation to DFARS 252.204-7012 “to provide industry time for a more deliberate transition upon the forthcoming release of [National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Revision 3].”

Slated to be finalized later this month, NIST SP 800-171, Revision 3 is a set of updated guidelines intended to help contractors handle confidential unclassified information (CUI) residing on non-federal systems and is part of a broader effort to clarify requirements, strengthen cybersecurity defenses, and increase flexibility for contractors who are developing and implementing cybersecurity programs.

NIST released its initial public draft on May 10, 2023, signaling to contractors the specific areas of focus and outlining what the final standards will require. The public draft removed outdated cybersecurity standards to better reflect current best practices; introduced “organization-defined parameters,” which specify certain parameters in place of strict requirements and so allow contractors more flexibility and creativity when implementing their cybersecurity approaches; aligned security requirements with updates in NIST SP 800-53, Revision 5 and the NIST SP 800-53B moderate control baseline; created a prototype CUI overlay; and provided additional resources to help organizations mitigate risks. We wrote about the initial public draft in more detail here.

Currently, DFARS 252.204-7012 does not specify which NIST SP 800-171 revision is applicable, and the DOD has interpreted that ambiguity to suggest that compliance with the most recent version is required. With NIST SP 800-171, Revision 3 set to be finalized this month, upcoming compliance requirements are set to be confusing. However, the deviation clarifies that contractors subject to the clause must comply with NIST SP 800-171, Revision 2, delaying the incorporation of NIST SP 800-171, Revision 3.

DOD is now directing contracting officers to use the deviation instead of the standard 252.204-7012 clause. Contractors awarded new contracts should ensure their contracts incorporate the deviation rather than the standard 252.204-7012 clause.

If you have any questions about the deviation or NIST SP 800-171, Revision 3 more broadly, please contact the author.