Let’s face it: very, very few defense contractors were fully compliant with DFARS 252.204-7012 at the end of last year, when the requirements officially went into effect. The cost, complexity, and availability of key solutions made it nearly impossible for all but the largest contractors to be compliant.
Fortunately, NIST 800-171 clause 3.12.4 allowed for the submission of a System Security Plan (SSP) and a Plan of Actions and Milestones (POAM) in order to buy some time while contractors deployed the appropriate solutions. Most contractors that made any effort towards compliance took advantage of this option.
Grading your POAM
Now that the formal deadline has passed with so few fully compliant contractors, the question for procurement officials logically becomes, “how do I compare bids from non-compliant companies?” On April 24, 2018, the DoD issued draft guidance to help procurement officials “score” POAMs and determine how much risk is acceptable in evaluating a proposal. The guidance is currently in draft form and comments are due by May 31, 2018, but it provides some early insight as to how the DoD views the controls in NIST 800-171 (the actual file can be found here).
This document provides a “DoD Value” for each requirement and roughly aligns with the NIST 800-53 priority codes. The goal is to assess the risk associated with unimplemented security requirements so contracting officials can determine whether their compliance progress is sufficient to move forward with an award. The document also suggests guidance as to whether the method to implement a requirement is policy/process, configuration, or hardware/software driven.
Small Contractors Get a Break
The guidance grades every control on a scale of 1-5 with a 5 rating the highest impact on information security. Its notable that the DoD acknowledges that businesses with small IT staffs will find it more challenging to accomplish some requirements, but the risk is also less. The result is that some “5’s” may be graded as a “3” for smaller contractors.
Draft comments are due by the end of May and we’ll be watching to see how the DoD moves forward. However, for contractors, this early guidance does provide insight as to how the DoD views individual requirements. Smart contractors should use this to help prioritize an individual company’s POAM in anticipation of this grading system.
We Can Help
C3 Integrated Solutions can help you navigate this rapidly evolving landscape, resolve your POAM and begin moving your company towards compliance. As one of only four partners authorized to license Microsoft 365 GCC High to under 500 employees, we can help you move ahead of your competition as your bids are evaluated by procurement officials.
To learn more, contact us at firstname.lastname@example.org.