What Now for DoD’s NIST 800-171 Rev3 Class Deviation?

Bottom Line Up Front: Keep up the effort to establish and maintain provable security in accordance with revision 2 of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and OrganizationsKeep up the annual self-assessments using the NIST SP 800-171 DoD Assessment Methodology and self-reporting the resultant score to the DoD’s Supplier Performance Risk System (SPRS). Both of these requirements have existed since 2017.

On 2 May 2024, the Department of Defense issued an open ended ‘Class Deviation’ to DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. The deviation removes the existing requirement to use the version of NIST SP 800-171 in effect at contract issuance [emphasis added]. Instead, the deviation requires vendors subject to the rule to continue using revision 2 of NIST 800-171 until DoD rescinds the deviation.  Planet does not anticipate DoD retracting this deviation until after the CMMC 2.0 rule goes into effect—potentially 1QCY25.  DoD will need time, in our assessment, to propose the harmonized language between DFARS 2012 and CMMC 2.0 rules, as well as to build business and financial impact cost estimates.

This deviation was necessary as 800-171 revision 3 is likely to become ‘final’ in May or June 2024. Its implementation would then be obligatory in all new contracts after achieving its ‘final’ status. With the expected issuance of the final CMMC 2.0 rule, contracts next year should also start requiring implementation of CMMC 2.0—which explicitly requires the use of 800-171 revision 2. If DoD had not provided this deviation, the simultaneous adherence to both revisions would have been problematic to the Defense Industrial Base (DIB) as well as DoD.

Today’s simple truth is that staying with NIST 800-171 revision 2 simplifies implementation efforts by firms seeking to prove the safeguard covered defense information by reducing potential ambiguities or outright conflicts between two authoritative DFARS requirements. It removes ambiguity as to the applicable standard. A longer truth is that the deviation does nothing to reduce the effort by DIB vendors to establish and maintain their security programs. Nor does the deviation reduce the need to be able to prove security to those to whom security matters (e.g., DoD, CMMC 3PAOs, prime contractors, supply chains, stockholders).

The deviation maintains 320 assessment objectives tucked into 110 security requirements further grouped into 14 control families. The deviation retains the sixty-one (61) Nonfederal Organization (NFO) controls Appendix E, Table E5 of revision 2. These NFO controls drive the need to develop organizational policies, maintain records of training, document interconnections with other systems, conduct continuous monitoring, and numerous other requirements. Neither NIST’s or DoD’s assessment procedures (i.e., NIST 800-171A rev2 and DoD’s Assessment Methodology respectively) explicitly examine NFO controls; ignoring the NFO controls will however make it substantially more difficult to convince assessors of due diligence in meeting the assessment objectives. Ignoring the NFO controls will also place the organization at risk of being unable to win and/or extend contracts.

In closing, do not slow down implementing provable security under revision 2 of NIST 800-171. Consider delaying your efforts to jump to revision 3 of NIST 800-171.