As part of our continuing effort to keep you updated with new developments relating to compliance with the Department of Defense (DoD) Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, this blog post provides a link to the long-anticipated template for a system security plan (SSP) and other key information related to implementation of the security controls set forth in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
Template for SSP
The Computer Security Resource Center portion of the NIST website has published an SSP template for controlled unclassified information (CUI). It can be found by clicking “CUI SSP template” on the right-hand side under “Documentation” at https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final#pubs-topics. This SSP template tracks verbatim the 110 security control requirements of NIST SP 800-171 and, for each one, requires contractors to respond whether the requirement has been “Implemented,” is “Planned to be Implemented,” or is “Not Applicable.” If the response is N/A, the organization must provide an explanation of its rationale. The template comes with the following Planning Note: “There is no prescribed format or specified level of detail for SSPs. However, organizations ensure that the required information in [SP 800-171 Requirement] 3.12.4 is conveyed in those plans.”
As we have advised in the past, if certain security requirements are being met with an alternative security control measure that is equally effective, we recommend availing yourself of the procedure set forth in DFARS 252.204-7012 and submitting a variance request to your contracting officer.
Registration on DIBNet
As we’ve also advised based on anecdotal information from other clients in the industry, it is important to register on DIBNet now—before you’re in the throes of a cyber security incident. But, please note: the URL for accessing the DIBNet portal has changed. If you use the old link, the following information will pop up: “Thank you for trying to access the Defense Industrial Base Network. Our site has recently undergone changes and has a new URL for enhanced security. Please access DIBNet at the new URL at https://dibnet.dod.mil.”
And, just so you’re ready in the unfortunate event that you must “rapidly report” (within 72 hours) a cyber security breach, it is not too late to gather the 20 items of information that you’ll need to furnish to DoD, namely:
- Company name
- Company point of contact information (address, position, telephone, and email)
- Data Universal Numbering System (DUNS) Number
- Contract number(s) or other type of agreement affected or potentially affected
- Contracting Officer or other type of agreement point of contact (address, position, telephone, and email)
- USG Program Manager point of contact (address, position, telephone, and email)
- Contract or other type of agreement clearance level (unclassified, confidential, secret, top secret, or not applicable)
- Facility CAGE code
- Facility Clearance Level (unclassified, confidential, secret, top secret, or not applicable)
- Impact to Covered Defense Information
- Ability to provide operationally critical support
- Date incident discovered
- Location(s) of compromise
- Incident location CAGE code
- DoD programs, platforms, or systems involved
- Type of compromise (unauthorized access, unauthorized release [includes inadvertent release], unknown, or not applicable)
- Description of technique or method used in cyber incident
- Incident outcome (successful compromise, failed attempt, or unknown)
- Incident/Compromise narrative
- Any additional information
About the Author: Kimi Murakami is counsel with PilieroMazza and focuses her practice on corporate transactions with an emphasis on mergers and acquisitions of government contractors. She also has experience advising on intellectual property matters including trademarks and trade secrets. She can be reached at kmurakami@pilieromazza.com.