Crisis Averted: DFARS 7012 Class Deviation

    Learn how the recent DFARS 7012 Class Deviation averted a crisis for defense contractors by delaying NIST SP 800-171 revision 3 implementation. Gain insights into the background of this crisis and future cybersecurity requirements.


    Will the DoD Require Defense Contractors to Implement Revision 3?  

    The obligation for defense contractors to implement NIST SP 800-171 revision 3 has been delayed indefinitely thanks to a recent “class deviation” published by the Department of Defense.

    The 2023 CMMC proposed rule specified that it will assess NIST SP 800-171 revision 2, but language in defense contracts would have triggered a crisis – until now.

    Nevertheless, SP 800-171 revision 3 will eventually be the requirement. Thanks to DoD’s foresight, though, contractors have some room to breathe.

    Bottom Line: SP 800-171 revision 2 is the priority indefinitely 

    Despite all of the moving pieces between CMMC, DFARS, and NIST requirements, defense contractors have one big takeaway from the class deviation news:

    NIST SP 800-171 revision 2 is the baseline for DFARS cybersecurity requirements for the foreseeable future.

    Thanks to the class deviation, current contractual obligations under DFARS clause 252.204-7012 obligate defense contractors to implement NIST SP 800-171 revision 2.

    The CMMC program will assess NIST SP 800-171 revision 2 requirements at CMMC Level 1 and Level 2.

    Pending future developments, it will likely take DoD 2–3 years to sync up DFARS 7012 and CMMC rulemaking and make the jump to SP 800-171 revision 3.

    DFARS 252.204-7012 Class Deviation: Background on the Crisis

    Long-time listeners will know that over the last year a crisis has been brewing for defense contractors.

    DFARS clause 252.204-7012 says contractors “shall be subject to the security requirements in NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the Contracting Officer”.

    In other words, “the most current version” of NIST SP 800-171 at the time of solicitation.

    This unassuming language was just fine until NIST began the revision process for SP 800-171.

    As written, the day that SP 800-171 revision 3 is final, all solicitations would point to the new version automatically.

    That’s a big problem when 171r3 represents a ~30% increase over 171r2 and contractors would need to comply immediately.

    The obvious solution was something known as a “class deviation” - a waiver on the requirements for some period of time allowing contractors to implement the new baseline.

    However, as of September 2023, the Department of Defense had no plans to issue a class deviation – setting the stage for calamity.

    To make matters worse, the CMMC proposed rule published in December 2023 didn’t use the “most current version” language from DFARS clause 252.204-7012.

    Instead, the CMMC proposed rule specified SP 800-171 revision 2 as the set of requirements to be assessed.

    Thus, the problem: not only would contractors need to implement 171r3 immediately upon publication of NIST SP 800-171 revision 3, but they would also need to juggle two different baselines:

    • Implement 171r3 to comply with DFARS 7012
    • Maintain 171r2 to achieve CMMC certification

    Even if DoD issued a class deviation giving contractors 6, 12, or 18 months to implement 171r3, eventually we would have the same double baseline problem on our hands until CMMC rulemaking updated the program to point to 171r3.

    On May 2nd, 2024, the DoD issued a “class deviation” requiring contracting officers to use updated guidance “in lieu of the clause at DFARS 252.204-7012” indefinitely.


    What does the future hold for NIST SP 800-171 requirements?

    Like any decision, the choice to delay NIST SP 800-171 revision 3 requirements for defense contractors via a class deviation to DFARS clause 252.204-7012 comes with tradeoffs.

    The good news is that the burden of implementing SP 800-171 revision 3 is delayed indefinitely.

    Also, the disparity between DFARS 7012 requiring one baseline while CMMC assesses a different baseline is avoided for the time being.

    However, the bad news:

    SP 800-171 revision 2 is an inferior standard compared to 171r3 and the incremental steps towards better security will be even slower.

    The poor assumptions and gotcha-nature underlying SP 800-171 revision 2 are here to stay for a while.

    Show Links: 

    Lauren Ayers LinkedIn
    Lauren Episode:
    Sum IT Up Episode 10: CMMC, NIST, CUI...  
    DFARS “Effective Date”:
    DFARS and CMMC Updated?  
    Class Deviation:

    Sum IT Up Podcast

    With Jacob Horne and Jason Sproesser

    We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.

    Jacob Horne

    Jacob has 15 years of interdisciplinary cybersecurity experience. He uses his knowledge of cybersecurity, NIST standards, and federal rulemaking to help people make sense of cybersecurity regulations and requirements.