Crisis Averted: DFARS 7012 Class Deviation
Learn how the recent DFARS 7012 Class Deviation averted a crisis for defense contractors by delaying NIST SP 800-171 revision 3 implementation. Gain insights into the background of this crisis and future cybersecurity requirements.
Watch the Podcast
Will the DoD Require Defense Contractors to Implement Revision 3?
The obligation for defense contractors to implement NIST SP 800-171 revision 3 has been delayed indefinitely thanks to a recent “class deviation” published by the Department of Defense.
The 2023 CMMC proposed rule specified that it will assess NIST SP 800-171 revision 2, but language in defense contracts would have triggered a crisis – until now.
Nevertheless, SP 800-171 revision 3 will eventually be the requirement but, thanks to DoD’s foresight, contractors have some room to breathe.
Bottom Line: SP 800-171 revision 2 is the priority indefinitely
Despite all of the moving pieces between CMMC, DFARS, and NIST requirements, defense contractors have one big takeaway from the class deviation news:
NIST SP 800-171 revision 2 is the baseline for DFARS cybersecurity requirements for the foreseeable future.
Thanks to the class deviation, current contractual obligations under DFARS clause 252.204-7012 obligate defense contractors to implement NIST SP 800-171 revision 2.
The CMMC program will assess NIST SP 800-171 revision 2 requirements at CMMC Level 1 and Level 2.
Pending future developments, it will likely take DoD 2 – 3 years before they sync up DFARS 7012 and CMMC rulemaking and make the jump to SP 800-171 revision 3.
DFARS 252.204-7012 Class Deviation: Background on the Crisis
Long-time listeners will know that over the last year a crisis has been brewing for defense contractors.
DFARS clause 252.204-7012 says contractors “shall be subject to the security requirements in NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the Contracting Officer”
In other words, “the most current version” of NIST SP 800-171 at the time of solicitation.
This unassuming language was just fine until NIST began the revision process for SP 800-171.
As written, the day that SP 800-171 revision 3 is final, all solicitations would point to the new version automatically.
That’s a big problem when the 171r3 represents ~30% increase over 171r2 and contractors would need to comply immediately.
The obvious solution was something known as a “class deviation” - a waiver on the requirements for some period of time allowing contractors to implement the new baseline.
However as of September 2023, the Department of Defense had no plans to issue a class deviation – setting the stage for calamity.
To make matters worse, the CMMC proposed rule published in December 2023 didn’t use the “most current version language” from DFARS clause 252.204-7012.
Instead, the CMMC proposed rule specified SP 800-171 revision 2 as the set of requirements to be assessed.
Thus, the problem: not only would contractors need to implement 171r3 immediately upon publication of NIST SP 800-171 revision3, but they would also need to juggle two different baselines:
- Implement 171r3 to comply with DFARS 7012
- Maintain 171r2 to achieve CMMC certification
Even if DoD issued a class deviation giving contractors 6, 12, or 18 months to implement 171r3, eventually we would have the same double baseline problem on our hands until CMMC rulemaking updated the program to point to 171r3.
On May 2nd, 2024, the DoD issued a “class deviation” requiring contracting officers to use updated guidance “in lieu of the clause at DFARS 252.204-7012” indefinitely.
What does the future hold for NIST SP 800-171 requirements?
Like any decision, the choice to delay NIST SP 800-171 revision 3 requirements for defense contractors via a class deviation to DFARS clause 252.204-7012 comes with tradeoffs.
The good news is that the burden of implementing SP 800-171 revision 3 is delayed indefinitely.
Also, the disparity between DFARS 7012 requiring one baseline while CMMC assesses a different baseline is avoided for the time being.
However, the bad news:
SP 800-171 revision 2 is an inferior standard compared to 171r3 and the incremental steps towards better security will be even slower.
The poor assumptions and gotcha-nature underlying SP 800-171 revision 2 are here to stay for a while.
Show Links:
Lauren Ayers LinkedIn
Lauren Episode: Sum IT Up Episode 10: CMMC, NIST, CUI...
DFARS “Effective Date”: DFARS and CMMC Updated?
Class Deviation: https://www.defense.gov/News/Releases...
Sum IT Up Podcast
With Jacob Horne and Jason Sproesser
We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.