On May 2nd 2024 DOD released a memo authorizing a class deviation pertaining to DFARS 252.204-7012. Class deviation in this case refers to the DoD’s intent to have contractors comply with NIST 800-171 Revision 2, as called out in DFARS,  rather than simply requiring compliance with the NIST 800-171 version in effect at the time of award. The DoD memo specifically states:

 

“….the deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. This class deviation remains in effect until rescinded.”

 

The DOD has aligned DFARS 7012 and CMMC 2.0, so they’ll both be based on NIST 800-171 revision 2, as we had expected.

What impact does this have on NIST 800-171 revision 3 which came out as a final draft in November of 2023 and what should contractors do now to align their compliance efforts with NIST 800-171 r2? Read this blog to learn more.

Background

NIST is responsible for developing information security requirements including the minimum safeguards for protecting the confidentiality of CUI in nonfederal systems and organizations. Specifically NIST 800-171 focuses on components that store, process, transmit CUI or provide protection for such components. The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and non-federal organizations.

For its part, the DOD has adopted NIST 800-171 revision 2 in DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting regulations. DFARS 7012 requirements have been in effect since December 2017.

Rev 3 Timeline Update

NIST 800-171 revision 3 was released on November 9th 2023 as a final draft with a public comment period until Jan 24th 2024. From there NIST was expected to adjudicate the comments and respond publicly to all comments and make revisions as needed. The expectation had been that NIST would release 800-171 revision 3 Final in Spring 2024. However, with the release of the class deviation, the DoD has made it clear that it is going to focus on 800-171R2 for CMMC 2.0 rather than revision 3.

This move is an important step in bringing CMMC 2.0 closer to a final rule as prior to this there was conflict between CMMC 2.0 and DFARS 7012 given the impending release of 800-171 revision 3. This memo makes it clear that DOD is going to focus on 800-171R2 for CMMC 2.0 and it is now aligned with DFARS 7012.

Our informed opinion is that we will not see DOD shift requirements to 800-171 revision 3 until after the CMMC 2.0 roll out is fully completed which won’t be until 2028 or later. All of the cost estimates built into CMMC 2.0 rule were based on 800-171 revision 2 requirements so for DOD to suddenly enforce 800-171 revision 3 would have required those cost estimates to be changed.

What Contractors Should Do Now

Given that the DoD is focusing on revision 2, contractors should do the same and focus on meeting their existing obligations under DFARS 7012 which requires compliance with NIST 800-171 revision 2. These are  the controls which lie at the core of CMMC.

A great way to start familiarizing yourself with the CMMC framework is by reading PreVeil’s paper Achieving CMMC Compliance: A guide for small and midsize defense contractors.


Read our blog on the CMMC Compliance Checklist for a summary of the 12 steps you’ll want to follow to achieve CMMC Compliance

Conclusion

With CMMC expected to be in contracts by late 2024 or early 2025, there is little time to hesitate. Defense contractors need to get started on their compliance journey.

PreVeil is trusted by more than 1,000 small and midsize defense contractors. Learn more about how PreVeil can help you achieve CMMC Level 2 certification faster and more affordably: