|
@@ -1,288 +1,376 @@
|
|
|
1
1
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
2
|
-
<!DOCTYPE dita
|
|
3
|
-
|
|
4
|
-
<
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
ditaarch:DITAArchVersion="1.2"
|
|
9
|
-
class="- topic/topic concept/concept ">
|
|
10
|
-
<title class="- topic/title ">
|
|
11
|
-
<ph props="autonumber" class="- topic/ph ">252.204-7020</ph> NIST SP 800-171DoD Assessment Requirements.</title>
|
|
12
|
-
<conbody class="- topic/body concept/conbody ">
|
|
13
|
-
<p id="xsQYda" class="- topic/p ">As prescribed in <xref href="204.7304.dita#DFARS_204.7304"
|
|
14
|
-
outputclass="fm:ParaNumOnly"
|
|
15
|
-
class="- topic/xref ">204.7304</xref> (e),
|
|
2
|
+
<!DOCTYPE dita PUBLIC "-//OASIS//DTD DITA Composite//EN" "ditabase.dtd">
|
|
3
|
+
<dita xmlns:ditaarch="http://dita.oasis-open.org/architecture/2005/" ditaarch:DITAArchVersion="1.2" domains="(topic task) (topic concept) (topic concept glossentry) (topic concept glossgroup) (topic reference) (topic troubleshooting++task) (topic task) (topic abbrev-d) a(props deliveryTarget) (topic equation-d) (topic hazard-d) (topic hi-d) (topic indexing-d) (topic markup-d) (topic mathml-d) (topic pr-d) (topic relmgmt-d) (topic sw-d) (topic svg-d) (topic ui-d) (topic ut-d) (topic markup-d xml-d) (topic task strictTaskbody-c) ">
|
|
4
|
+
<concept id="DFARS_252.204-7020" ditaarch:DITAArchVersion="1.2" class="- topic/topic concept/concept ">
|
|
5
|
+
<title class="- topic/title "><ph props="autonumber" class="- topic/ph ">252.204-7020</ph> NIST SP 800-171 DoD Assessment Requirements.</title>
|
|
6
|
+
<conbody class="- topic/body concept/conbody ">
|
|
7
|
+
<p id="xsQYda" class="- topic/p ">As prescribed in <xref href="204.7304.dita#DFARS_204.7304" outputclass="fm:ParaNumOnly" class="- topic/xref ">204.7304</xref> (e),
|
|
16
8
|
use the following clause:</p>
|
|
17
|
-
|
|
9
|
+
<p id="ZAudzo" outputclass="Ctr_SmCaps" class="- topic/p ">NIST SP 800-171 DOD ASSESSMENT REQUIREMENTS
|
|
18
10
|
(JAN 2023)</p>
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
11
|
+
<info li_elems="0"/>
|
|
12
|
+
<ol>
|
|
13
|
+
<li>
|
|
14
|
+
<p id="GQDFPS" outputclass="List1" class="- topic/p "><ph props="autonumber" class="-topic/ph">(a)</ph><i class="+ topic/ph hi-d/i ">Definitions</i>.</p>
|
|
15
|
+
<p id="PtBODa" class="- topic/p ">"Basic Assessment” means a contractor's self-assessment
|
|
16
|
+
of the contractor's implementation of NIST SP 800-171 that—</p>
|
|
17
|
+
<info li_elems="0"/>
|
|
18
|
+
<ol>
|
|
19
|
+
<li>
|
|
20
|
+
<p id="RoQSvL" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(1)</ph> Is based on the Contractor's
|
|
23
21
|
review of their system security plan(s) associated with covered
|
|
24
22
|
contractor information system(s);</p>
|
|
25
|
-
|
|
23
|
+
</li>
|
|
24
|
+
<li>
|
|
25
|
+
<p id="ZtLORt" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(2)</ph> Is conducted in accordance
|
|
26
26
|
with the NIST SP 800-171 DoD Assessment Methodology; and</p>
|
|
27
|
-
|
|
27
|
+
</li>
|
|
28
|
+
<li>
|
|
29
|
+
<p id="CXzQTb" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(3)</ph> Results in a confidence
|
|
28
30
|
level of “Low” in the resulting score, because it is a self-generated
|
|
29
|
-
score.</p>
|
|
30
|
-
|
|
31
|
+
score.</p>
|
|
32
|
+
</li>
|
|
33
|
+
</ol>
|
|
34
|
+
<p id="UOnjLF" class="- topic/p ">“Covered contractor information system” has the
|
|
31
35
|
meaning given in the clause 252.204-7012, Safeguarding Covered Defense Information
|
|
32
36
|
and Cyber Incident Reporting, of this contract.</p>
|
|
33
|
-
|
|
37
|
+
<p id="jpRpDL" class="- topic/p ">“High Assessment” means an assessment that is conducted
|
|
34
38
|
by Government personnel using NIST SP 800-171A, Assessing Security
|
|
35
39
|
Requirements for Controlled Unclassified Information that—</p>
|
|
36
|
-
|
|
37
|
-
|
|
40
|
+
<ol>
|
|
41
|
+
<li>
|
|
42
|
+
<p id="GGiKTR" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(1)</ph> Consists of—</p>
|
|
43
|
+
<info li_elems="0"/>
|
|
44
|
+
<ol>
|
|
45
|
+
<li>
|
|
46
|
+
<p id="xGxLyN" outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(i)</ph> A review of a contractor's
|
|
38
47
|
Basic Assessment;</p>
|
|
39
|
-
|
|
48
|
+
</li>
|
|
49
|
+
<li>
|
|
50
|
+
<p id="sCiLVK" outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(ii)</ph> A thorough document
|
|
40
51
|
review;</p>
|
|
41
|
-
|
|
42
|
-
|
|
52
|
+
</li>
|
|
53
|
+
<li>
|
|
54
|
+
<p id="RvnefH" outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(iii)</ph> Verification, examination,
|
|
55
|
+
and demonstration of a Contractor's system security plan to validate
|
|
43
56
|
that NIST SP 800-171 security requirements have been implemented
|
|
44
|
-
as described in the contractor
|
|
45
|
-
|
|
57
|
+
as described in the contractor's system security plan; and</p>
|
|
58
|
+
</li>
|
|
59
|
+
<li>
|
|
60
|
+
<p id="ApKZCt" outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(iv)</ph> Discussions with the
|
|
46
61
|
contractor to obtain additional information or clarification, as
|
|
47
62
|
needed; and</p>
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
63
|
+
<info li_elems="2"/>
|
|
64
|
+
</li>
|
|
65
|
+
</ol>
|
|
66
|
+
</li>
|
|
67
|
+
<li>
|
|
68
|
+
<p id="OQBpkG" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(2)</ph> Results in a confidence
|
|
69
|
+
level of “High” in the resulting score.</p
|
|
70
|
+
> </li>
|
|
71
|
+
</ol>
|
|
72
|
+
<p id="tqyWrE" class="- topic/p ">“Medium Assessment” means an assessment conducted
|
|
51
73
|
by the Government that—</p>
|
|
52
|
-
|
|
53
|
-
|
|
74
|
+
|
|
75
|
+
<ol>
|
|
76
|
+
<li>
|
|
77
|
+
<p id="qkfCiK" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(1)</ph> Consists of—</p>
|
|
78
|
+
<info li_elems="0"/>
|
|
79
|
+
<ol>
|
|
80
|
+
<li>
|
|
81
|
+
<p id="jLVzpc" outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(i)</ph> A review of a contractor's
|
|
54
82
|
Basic Assessment;</p>
|
|
55
|
-
|
|
83
|
+
</li>
|
|
84
|
+
<li>
|
|
85
|
+
<p id="xhCLqh" outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(ii)</ph> A thorough document
|
|
56
86
|
review; and</p>
|
|
57
|
-
|
|
87
|
+
</li>
|
|
88
|
+
<li>
|
|
89
|
+
<p id="HTgZQM" outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(iii)</ph> Discussions with the
|
|
58
90
|
contractor to obtain additional information or clarification, as
|
|
59
91
|
needed; and</p>
|
|
60
|
-
|
|
92
|
+
<info li_elems="2"/>
|
|
93
|
+
</li>
|
|
94
|
+
</ol>
|
|
95
|
+
</li>
|
|
96
|
+
<li>
|
|
97
|
+
<p id="CYFJZC" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(2)</ph> Results in a confidence
|
|
61
98
|
level of “Medium” in the resulting score.</p>
|
|
62
|
-
|
|
99
|
+
<info li_elems="2"/>
|
|
100
|
+
</li>
|
|
101
|
+
</ol>
|
|
102
|
+
</li>
|
|
103
|
+
<li>
|
|
104
|
+
<p id="QTIBEr" outputclass="List1" class="- topic/p "><ph props="autonumber" class="-topic/ph">(b)</ph><i class="+ topic/ph hi-d/i ">Applicability</i>.
|
|
63
105
|
This clause applies to covered contractor information systems that
|
|
64
106
|
are required to comply with the National Institute of Standards
|
|
65
107
|
and Technology (NIST) Special Publication (SP) 800-171, in accordance
|
|
66
108
|
with Defense Federal Acquisition Regulation System (DFARS) clause
|
|
67
109
|
at 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident
|
|
68
110
|
Reporting, of this contract.</p>
|
|
69
|
-
|
|
111
|
+
</li>
|
|
112
|
+
<li>
|
|
113
|
+
<p id="JtLdKR" outputclass="List1" class="- topic/p "><ph props="autonumber" class="-topic/ph">(c)</ph><i class="+ topic/ph hi-d/i ">Requirements</i>.
|
|
70
114
|
The Contractor shall provide access to its facilities, systems,
|
|
71
115
|
and personnel necessary for the Government to conduct a Medium or
|
|
72
116
|
High NIST SP 800-171 DoD Assessment, as described in NIST SP 800-171
|
|
73
117
|
DoD Assessment Methodology at
|
|
74
|
-
<xref href="https://www.acq.osd.mil/dpap/pdi/cyber/strategically_assessing_contractor_implementation_of_NIST_SP_800-171.html"
|
|
75
|
-
format="html"
|
|
76
|
-
scope="external"
|
|
77
|
-
class="- topic/xref ">https://www.acq.osd.mil/asda/dpc/cp/cyber/safeguarding.html#nistSP800171</xref>
|
|
118
|
+
<xref href="https://www.acq.osd.mil/dpap/pdi/cyber/strategically_assessing_contractor_implementation_of_NIST_SP_800-171.html" format="html" scope="external" class="- topic/xref ">https://www.acq.osd.mil/asda/dpc/cp/cyber/safeguarding.html#nistSP800171</xref>
|
|
78
119
|
,
|
|
79
120
|
if necessary.</p>
|
|
80
|
-
|
|
121
|
+
</li>
|
|
122
|
+
<li>
|
|
123
|
+
<p id="jsKokg" outputclass="List1" class="- topic/p "><ph props="autonumber" class="-topic/ph">(d)</ph><i class="+ topic/ph hi-d/i ">Procedures</i>. Summary
|
|
81
124
|
level scores for all assessments will be posted in the Supplier
|
|
82
|
-
Performance Risk System (SPRS) () to provide DoD Components visibility
|
|
125
|
+
Performance Risk System (SPRS) (https://www.sprs.csd.disa.mil/) to provide DoD Components visibility
|
|
83
126
|
into the summary level scores of strategic assessments.</p>
|
|
84
|
-
|
|
127
|
+
<info li_elems="0"/>
|
|
128
|
+
<ol>
|
|
129
|
+
<li>
|
|
130
|
+
<p id="DPVfpM" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(1)</ph><i class="+ topic/ph hi-d/i ">Basic Assessments</i>.
|
|
85
131
|
A contractor may submit, via encrypted email, summary level scores
|
|
86
132
|
of Basic Assessments conducted in accordance with the NIST SP 800-171
|
|
87
133
|
DoD Assessment Methodology to for posting to SPRS.</p>
|
|
88
|
-
|
|
134
|
+
<info li_elems="0"/>
|
|
135
|
+
<ol>
|
|
136
|
+
<li>
|
|
137
|
+
<p id="oTPcKO" outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(i)</ph> The email shall include
|
|
89
138
|
the following information:</p>
|
|
90
|
-
|
|
139
|
+
<info li_elems="0"/>
|
|
140
|
+
<ol>
|
|
141
|
+
<li>
|
|
142
|
+
<p id="sBIsws" outputclass="List4" class="- topic/p "><ph props="autonumber" class="-topic/ph">(A)</ph> Version of NIST SP 800-171
|
|
91
143
|
against which the assessment was conducted.</p>
|
|
92
|
-
|
|
144
|
+
</li>
|
|
145
|
+
<li>
|
|
146
|
+
<p id="MhyOiq" outputclass="List4" class="- topic/p "><ph props="autonumber" class="-topic/ph">(B)</ph> Organization conducting
|
|
93
147
|
the assessment (e.g., Contractor self-assessment).</p>
|
|
94
|
-
|
|
148
|
+
</li>
|
|
149
|
+
<li>
|
|
150
|
+
<p id="fHaUwY" outputclass="List4" class="- topic/p "><ph props="autonumber" class="-topic/ph">(C)</ph> For each system security
|
|
95
151
|
plan (security requirement 3.12.4) supporting the performance of
|
|
96
152
|
a DoD contract—</p>
|
|
97
|
-
|
|
153
|
+
<info li_elems="0"/>
|
|
154
|
+
<ol>
|
|
155
|
+
<li>
|
|
156
|
+
<p id="TxnZQM" outputclass="List6" class="- topic/p ">(<i class="+ topic/ph hi-d/i ">1</i>) All industry Commercial
|
|
98
157
|
and Government Entity (CAGE) code(s) associated with the information
|
|
99
158
|
system(s) addressed by the system security plan; and</p>
|
|
100
|
-
|
|
159
|
+
</li>
|
|
160
|
+
<li>
|
|
161
|
+
<p id="dcjAMD" outputclass="List6" class="- topic/p ">(<i class="+ topic/ph hi-d/i ">2</i>) A brief description
|
|
101
162
|
of the system security plan architecture, if more than one plan
|
|
102
163
|
exists.</p>
|
|
103
|
-
|
|
164
|
+
<info li_elems="2"/>
|
|
165
|
+
</li>
|
|
166
|
+
</ol>
|
|
167
|
+
</li>
|
|
168
|
+
<li>
|
|
169
|
+
<p id="AjVQHK" outputclass="List4" class="- topic/p "><ph props="autonumber" class="-topic/ph">(D)</ph> Date the assessment was
|
|
104
170
|
completed.</p>
|
|
105
|
-
|
|
171
|
+
</li>
|
|
172
|
+
<li>
|
|
173
|
+
<p id="qIXWpb" outputclass="List4" class="- topic/p "><ph props="autonumber" class="-topic/ph">(E)</ph> Summary level score (e.g.,
|
|
106
174
|
95 out of 110, NOT the individual value for each requirement).</p>
|
|
107
|
-
|
|
175
|
+
</li>
|
|
176
|
+
<li>
|
|
177
|
+
<p id="arMtBS" outputclass="List4" class="- topic/p "><ph props="autonumber" class="-topic/ph">(F)</ph> Date that all requirements
|
|
108
178
|
are expected to be implemented (i.e., a score of 110 is expected
|
|
109
179
|
to be achieved) based on information gathered from associated plan(s)
|
|
110
180
|
of action developed in accordance with NIST SP 800-171.</p>
|
|
111
|
-
|
|
181
|
+
<info li_elems="2"/>
|
|
182
|
+
</li>
|
|
183
|
+
</ol>
|
|
184
|
+
</li>
|
|
185
|
+
<li>
|
|
186
|
+
<p id="GjJMJw" outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(ii)</ph> If multiple system security
|
|
112
187
|
plans are addressed in the email described at paragraph (b)(1)(i)
|
|
113
188
|
of this section, the Contractor shall use the following format for
|
|
114
189
|
the report:</p>
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
class="- topic/
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
rowheader="headers"/>
|
|
131
|
-
<colspec colnum="3"
|
|
132
|
-
colname="3"
|
|
133
|
-
colwidth="17*"
|
|
134
|
-
class="- topic/colspec "
|
|
135
|
-
rowheader="headers"/>
|
|
136
|
-
<colspec colnum="4"
|
|
137
|
-
colname="4"
|
|
138
|
-
colwidth="17*"
|
|
139
|
-
class="- topic/colspec "
|
|
140
|
-
rowheader="headers"/>
|
|
141
|
-
<colspec colnum="5"
|
|
142
|
-
colname="5"
|
|
143
|
-
colwidth="17*"
|
|
144
|
-
class="- topic/colspec "
|
|
145
|
-
rowheader="headers"/>
|
|
146
|
-
<colspec colnum="6"
|
|
147
|
-
colname="6"
|
|
148
|
-
colwidth="17*"
|
|
149
|
-
class="- topic/colspec "
|
|
150
|
-
rowheader="headers"/>
|
|
151
|
-
<tbody class="- topic/tbody ">
|
|
152
|
-
<row rowsep="1" class="- topic/row ">
|
|
153
|
-
<entry colname="1" class="- topic/entry ">
|
|
154
|
-
<p id="dzNYpE" class="- topic/p ">System Security Plan</p>
|
|
155
|
-
</entry>
|
|
156
|
-
<entry colname="2" class="- topic/entry ">
|
|
157
|
-
<p id="LzzlQY" class="- topic/p ">CAGE Codes supported by this
|
|
190
|
+
<table frame="all" colsep="1" rowsep="0" class="- topic/table ">
|
|
191
|
+
<tgroup cols="6" colsep="1" rowsep="0" outputclass="Choice" class="- topic/tgroup ">
|
|
192
|
+
<colspec colnum="1" colname="1" colwidth="17*" class="- topic/colspec " rowheader="headers"/>
|
|
193
|
+
<colspec colnum="2" colname="2" colwidth="17*" class="- topic/colspec " rowheader="headers"/>
|
|
194
|
+
<colspec colnum="3" colname="3" colwidth="17*" class="- topic/colspec " rowheader="headers"/>
|
|
195
|
+
<colspec colnum="4" colname="4" colwidth="17*" class="- topic/colspec " rowheader="headers"/>
|
|
196
|
+
<colspec colnum="5" colname="5" colwidth="17*" class="- topic/colspec " rowheader="headers"/>
|
|
197
|
+
<colspec colnum="6" colname="6" colwidth="17*" class="- topic/colspec " rowheader="headers"/>
|
|
198
|
+
<tbody class="- topic/tbody ">
|
|
199
|
+
<row rowsep="1" class="- topic/row ">
|
|
200
|
+
<entry colname="1" class="- topic/entry ">
|
|
201
|
+
<p id="dzNYpE" class="- topic/p ">System Security Plan</p>
|
|
202
|
+
</entry>
|
|
203
|
+
<entry colname="2" class="- topic/entry ">
|
|
204
|
+
<p id="LzzlQY" class="- topic/p ">CAGE Codes supported by this
|
|
158
205
|
plan</p>
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
206
|
+
</entry>
|
|
207
|
+
<entry colname="3" class="- topic/entry ">
|
|
208
|
+
<p id="KBDsfs" class="- topic/p ">Brief description of the plan
|
|
162
209
|
architecture</p>
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
|
|
185
|
-
|
|
186
|
-
|
|
187
|
-
|
|
188
|
-
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
|
|
192
|
-
|
|
193
|
-
|
|
194
|
-
|
|
195
|
-
|
|
196
|
-
|
|
197
|
-
|
|
198
|
-
|
|
199
|
-
|
|
200
|
-
|
|
201
|
-
|
|
202
|
-
|
|
203
|
-
|
|
204
|
-
|
|
205
|
-
|
|
206
|
-
|
|
207
|
-
|
|
208
|
-
|
|
209
|
-
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
|
|
221
|
-
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
|
|
225
|
-
|
|
226
|
-
|
|
227
|
-
|
|
228
|
-
|
|
229
|
-
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
|
|
237
|
-
|
|
210
|
+
</entry>
|
|
211
|
+
<entry colname="4" class="- topic/entry ">
|
|
212
|
+
<p id="ctbgcK" class="- topic/p ">Date of assessment</p>
|
|
213
|
+
</entry>
|
|
214
|
+
<entry colname="5" class="- topic/entry ">
|
|
215
|
+
<p id="eXNQrU" class="- topic/p ">Total Score</p>
|
|
216
|
+
</entry>
|
|
217
|
+
<entry colname="6" class="- topic/entry ">
|
|
218
|
+
<p id="gaVxUA" class="- topic/p ">Date score of 110 will achieved</p>
|
|
219
|
+
</entry>
|
|
220
|
+
</row>
|
|
221
|
+
<row rowsep="1" class="- topic/row ">
|
|
222
|
+
<entry colname="1" class="- topic/entry ">
|
|
223
|
+
<p id="yeyppG" class="- topic/p "/>
|
|
224
|
+
</entry>
|
|
225
|
+
<entry colname="2" class="- topic/entry ">
|
|
226
|
+
<p id="sDSKpb" class="- topic/p "/>
|
|
227
|
+
</entry>
|
|
228
|
+
<entry colname="3" class="- topic/entry ">
|
|
229
|
+
<p id="PutjlH" class="- topic/p "/>
|
|
230
|
+
</entry>
|
|
231
|
+
<entry colname="4" class="- topic/entry ">
|
|
232
|
+
<p id="uqMCfa" class="- topic/p "/>
|
|
233
|
+
</entry>
|
|
234
|
+
<entry colname="5" class="- topic/entry ">
|
|
235
|
+
<p id="rjDHfk" class="- topic/p "/>
|
|
236
|
+
</entry>
|
|
237
|
+
<entry colname="6" class="- topic/entry ">
|
|
238
|
+
<p id="RiJwcn" class="- topic/p "/>
|
|
239
|
+
</entry>
|
|
240
|
+
</row>
|
|
241
|
+
<row rowsep="1" class="- topic/row ">
|
|
242
|
+
<entry colname="1" class="- topic/entry ">
|
|
243
|
+
<p id="UpIGTN" class="- topic/p "/>
|
|
244
|
+
</entry>
|
|
245
|
+
<entry colname="2" class="- topic/entry ">
|
|
246
|
+
<p id="MRozAy" class="- topic/p "/>
|
|
247
|
+
</entry>
|
|
248
|
+
<entry colname="3" class="- topic/entry ">
|
|
249
|
+
<p id="CZtqEj" class="- topic/p "/>
|
|
250
|
+
</entry>
|
|
251
|
+
<entry colname="4" class="- topic/entry ">
|
|
252
|
+
<p id="hsACiZ" class="- topic/p "/>
|
|
253
|
+
</entry>
|
|
254
|
+
<entry colname="5" class="- topic/entry ">
|
|
255
|
+
<p id="YEymtP" class="- topic/p "/>
|
|
256
|
+
</entry>
|
|
257
|
+
<entry colname="6" class="- topic/entry ">
|
|
258
|
+
<p id="NKyoPO" class="- topic/p "/>
|
|
259
|
+
</entry>
|
|
260
|
+
</row>
|
|
261
|
+
<row rowsep="0" class="- topic/row ">
|
|
262
|
+
<entry colname="1" class="- topic/entry ">
|
|
263
|
+
<p id="HMnupk" class="- topic/p "/>
|
|
264
|
+
</entry>
|
|
265
|
+
<entry colname="2" class="- topic/entry ">
|
|
266
|
+
<p id="algiHX" class="- topic/p "/>
|
|
267
|
+
</entry>
|
|
268
|
+
<entry colname="3" class="- topic/entry ">
|
|
269
|
+
<p id="kvWDWj" class="- topic/p "/>
|
|
270
|
+
</entry>
|
|
271
|
+
<entry colname="4" class="- topic/entry ">
|
|
272
|
+
<p id="btrGUw" class="- topic/p "/>
|
|
273
|
+
</entry>
|
|
274
|
+
<entry colname="5" class="- topic/entry ">
|
|
275
|
+
<p id="MSPXtE" class="- topic/p "/>
|
|
276
|
+
</entry>
|
|
277
|
+
<entry colname="6" class="- topic/entry ">
|
|
278
|
+
<p id="vjMSyN" class="- topic/p "/>
|
|
279
|
+
</entry>
|
|
280
|
+
</row>
|
|
281
|
+
</tbody>
|
|
282
|
+
</tgroup>
|
|
283
|
+
</table>
|
|
284
|
+
<info li_elems="2"/>
|
|
285
|
+
</li>
|
|
286
|
+
</ol>
|
|
287
|
+
</li>
|
|
288
|
+
<li>
|
|
289
|
+
<p id="ORGaeD" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(2)</ph> Medium and High Assessments.
|
|
238
290
|
DoD will post the following Medium and/or High Assessment summary
|
|
239
291
|
level scores to SPRS for each system security plan assessed:</p>
|
|
240
|
-
|
|
292
|
+
<info li_elems="0"/>
|
|
293
|
+
<ol>
|
|
294
|
+
<li>
|
|
295
|
+
<p id="RwUqNd" outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(i)</ph> The standard assessed
|
|
241
296
|
(e.g., NIST SP 800-171 Rev 1).</p>
|
|
242
|
-
|
|
297
|
+
</li>
|
|
298
|
+
<li>
|
|
299
|
+
<p id="AfcpPV" outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(ii)</ph> Organization conducting
|
|
243
300
|
the assessment, e.g., DCMA, or a specific organization (identified
|
|
244
301
|
by Department of Defense Activity Address Code (DoDAAC)).</p>
|
|
245
|
-
|
|
302
|
+
</li>
|
|
303
|
+
<li>
|
|
304
|
+
<p id="ewPkhF" outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(iii)</ph> All industry CAGE code(s)
|
|
246
305
|
associated with the information system(s) addressed by the system
|
|
247
306
|
security plan.</p>
|
|
248
|
-
|
|
307
|
+
</li>
|
|
308
|
+
<li>
|
|
309
|
+
<p id="OkClEw" outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(iv)</ph> A brief description
|
|
249
310
|
of the system security plan architecture, if more than one system
|
|
250
311
|
security plan exists.</p>
|
|
251
|
-
|
|
312
|
+
</li>
|
|
313
|
+
<li>
|
|
314
|
+
<p id="npZshF" outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(v)</ph> Date and level of the
|
|
252
315
|
assessment, i.e., medium or high.</p>
|
|
253
|
-
|
|
316
|
+
</li>
|
|
317
|
+
<li>
|
|
318
|
+
<p id="DsPPbI" outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(vi)</ph> Summary level score
|
|
254
319
|
(e.g., 105 out of 110, not the individual value assigned for each
|
|
255
320
|
requirement).</p>
|
|
256
|
-
|
|
321
|
+
</li>
|
|
322
|
+
<li>
|
|
323
|
+
<p id="rKNYPS" outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(vii)</ph> Date that all requirements
|
|
257
324
|
are expected to be implemented (i.e., a score of 110 is expected
|
|
258
325
|
to be achieved) based on information gathered from associated plan(s)
|
|
259
326
|
of action developed in accordance with NIST SP 800-171.</p>
|
|
260
|
-
|
|
261
|
-
|
|
327
|
+
<info li_elems="3"/>
|
|
328
|
+
</li>
|
|
329
|
+
</ol>
|
|
330
|
+
</li>
|
|
331
|
+
</ol>
|
|
332
|
+
</li>
|
|
333
|
+
<li>
|
|
334
|
+
<p id="PWHykY" outputclass="List1" class="- topic/p "><ph props="autonumber" class="-topic/ph">(e)</ph><i class="+ topic/ph hi-d/i ">Rebuttals</i>.</p>
|
|
335
|
+
<info li_elems="0"/>
|
|
336
|
+
<ol>
|
|
337
|
+
<li>
|
|
338
|
+
<p id="eyRxPT" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(1)</ph> DoD will provide Medium
|
|
262
339
|
and High Assessment summary level scores to the Contractor and offer
|
|
263
340
|
the opportunity for rebuttal and adjudication of assessment summary
|
|
264
341
|
level scores prior to posting the summary level scores to SPRS (see SPRS
|
|
265
|
-
User
|
|
266
|
-
|
|
267
|
-
|
|
268
|
-
|
|
269
|
-
<p id="rkJedD" outputclass="List2" class="- topic/p ">(2) Upon completion of each
|
|
342
|
+
User's Guide <xref href="https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf" format="pdf" scope="external" class="- topic/xref ">https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf</xref>).</p>
|
|
343
|
+
</li>
|
|
344
|
+
<li>
|
|
345
|
+
<p id="rkJedD" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(2)</ph> Upon completion of each
|
|
270
346
|
assessment, the contractor has 14 business days to provide additional
|
|
271
347
|
information to demonstrate that they meet any security requirements
|
|
272
348
|
not observed by the assessment team or to rebut the findings that
|
|
273
349
|
may be of question.</p>
|
|
274
|
-
|
|
275
|
-
|
|
350
|
+
<info li_elems="2"/>
|
|
351
|
+
</li>
|
|
352
|
+
</ol>
|
|
353
|
+
</li>
|
|
354
|
+
<li>
|
|
355
|
+
<p id="UNzNkI" outputclass="List1" class="- topic/p "><ph props="autonumber" class="-topic/ph">(f)</ph><i class="+ topic/ph hi-d/i ">Accessibility</i>.</p>
|
|
356
|
+
<info li_elems="0"/>
|
|
357
|
+
<ol>
|
|
358
|
+
<li>
|
|
359
|
+
<p id="FzILDU" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(1)</ph> Assessment summary level
|
|
276
360
|
scores posted in SPRS are available to DoD personnel, and are protected,
|
|
277
361
|
in accordance with the standards set forth in DoD Instruction 5000.79,
|
|
278
362
|
Defense-wide Sharing and Use of Supplier and Product Performance
|
|
279
363
|
Information (PI).</p>
|
|
280
|
-
|
|
364
|
+
</li>
|
|
365
|
+
<li>
|
|
366
|
+
<p id="MGExdL" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(2)</ph> Authorized representatives
|
|
281
367
|
of the Contractor for which the assessment was conducted may access
|
|
282
368
|
SPRS to view their own summary level scores, in accordance with
|
|
283
|
-
the SPRS Software User
|
|
369
|
+
the SPRS Software User's Guide for Awardees/Contractors available
|
|
284
370
|
at .</p>
|
|
285
|
-
|
|
371
|
+
</li>
|
|
372
|
+
<li>
|
|
373
|
+
<p id="qPRJoL" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(3)</ph> A High NIST SP 800-171
|
|
286
374
|
DoD Assessment may result in documentation in addition to that listed
|
|
287
375
|
in this clause. DoD will retain and protect any such documentation
|
|
288
376
|
as “Controlled Unclassified Information (CUI)” and intended for
|
|
@@ -291,34 +379,44 @@ unauthorized use and release, including through the exercise of
|
|
|
291
379
|
applicable exemptions under the Freedom of Information Act (e.g.,
|
|
292
380
|
Exemption 4 covers trade secrets and commercial or financial information
|
|
293
381
|
obtained from a contractor that is privileged or confidential).</p>
|
|
294
|
-
|
|
295
|
-
|
|
296
|
-
|
|
382
|
+
<info li_elems="2"/>
|
|
383
|
+
</li>
|
|
384
|
+
</ol>
|
|
385
|
+
</li>
|
|
386
|
+
<li>
|
|
387
|
+
<p id="yzPquI" outputclass="List1" class="- topic/p "><ph props="autonumber" class="-topic/ph">(g)</ph> Subcontracts.</p>
|
|
388
|
+
<info li_elems="0"/>
|
|
389
|
+
<ol>
|
|
390
|
+
<li>
|
|
391
|
+
<p id="DypeeC" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(1)</ph> The Contractor shall insert the substance of this clause, including this paragraph (g), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial products or commercial services (excluding commercially available off-the-shelf).</p>
|
|
392
|
+
</li>
|
|
393
|
+
<li>
|
|
394
|
+
<p id="nmSTrQ" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(2)</ph> The Contractor shall
|
|
297
395
|
not award a subcontract or other contractual instrument, that is
|
|
298
396
|
subject to the implementation of NIST SP 800-171 security requirements,
|
|
299
397
|
in accordance with DFARS clause 252.204-7012 of this contract, unless
|
|
300
398
|
the subcontractor has completed, within the last 3 years, at least
|
|
301
399
|
a Basic NIST SP 800-171 DoD Assessment, as described in
|
|
302
|
-
<xref href="https://www.acq.osd.mil/dpap/pdi/cyber/strategically_assessing_contractor_implementation_of_NIST_SP_800-171.html"
|
|
303
|
-
format="html"
|
|
304
|
-
scope="external"
|
|
305
|
-
class="- topic/xref ">https://www.acq.osd.mil/asda/dpc/cp/cyber/safeguarding.html#nistSP800171</xref>
|
|
400
|
+
<xref href="https://www.acq.osd.mil/dpap/pdi/cyber/strategically_assessing_contractor_implementation_of_NIST_SP_800-171.html" format="html" scope="external" class="- topic/xref ">https://www.acq.osd.mil/asda/dpc/cp/cyber/safeguarding.html#nistSP800171</xref>
|
|
306
401
|
,
|
|
307
402
|
for all covered contractor information systems relevant to its offer
|
|
308
403
|
that are not part of an information technology service or system
|
|
309
404
|
operated on behalf of the Government.</p>
|
|
310
|
-
|
|
405
|
+
</li>
|
|
406
|
+
<li>
|
|
407
|
+
<p id="QBUmNM" outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(3)</ph> If a subcontractor does
|
|
311
408
|
not have summary level scores of a current NIST SP 800-171 DoD Assessment
|
|
312
409
|
(i.e., not more than 3 years old unless a lesser time is specified
|
|
313
410
|
in the solicitation) posted in SPRS, the subcontractor may conduct
|
|
314
411
|
and submit a Basic Assessment, in accordance with the NIST SP 800-171
|
|
315
|
-
DoD Assessment Methodology, to <xref href="mailto:webptsmh@navy.mil"
|
|
316
|
-
format="html"
|
|
317
|
-
scope="external"
|
|
318
|
-
class="- topic/xref ">mailto:webptsmh@navy.mil</xref> for
|
|
412
|
+
DoD Assessment Methodology, to <xref href="mailto:webptsmh@navy.mil" format="html" scope="external" class="- topic/xref ">mailto:webptsmh@navy.mil</xref> for
|
|
319
413
|
posting to SPRS along with the information required by paragraph
|
|
320
414
|
(d) of this clause.</p>
|
|
321
|
-
|
|
322
|
-
|
|
323
|
-
|
|
415
|
+
</li>
|
|
416
|
+
</ol>
|
|
417
|
+
</li>
|
|
418
|
+
</ol>
|
|
419
|
+
<p id="xCHzLY" outputclass="Ctr" class="- topic/p ">(End of clause)</p>
|
|
420
|
+
</conbody>
|
|
421
|
+
</concept>
|
|
324
422
|
</dita>
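Review bot: The two `<xref>` elements that point at the DoD Assessment Methodology (paragraphs (c) and (g)(2)) display `https://www.acq.osd.mil/asda/dpc/cp/cyber/safeguarding.html#nistSP800171` as link text while their `href` targets the older `dpap/pdi/cyber/strategically_assessing_contractor_implementation_of_NIST_SP_800-171.html` path, so a reader who clicks and one who copies the printed URL land on different pages; pick one target and use it in both places, e.g. `<xref href="https://www.acq.osd.mil/asda/dpc/cp/cyber/safeguarding.html#nistSP800171" format="html" scope="external" class="- topic/xref ">https://www.acq.osd.mil/asda/dpc/cp/cyber/safeguarding.html#nistSP800171</xref>`. The new side also still drops two destinations the clause relies on: (d)(1) reads "DoD Assessment Methodology to for posting to SPRS" with no submission mailbox (whereas (g)(3) spells out `mailto:webptsmh@navy.mil`), and (f)(2) ends "available at ." with no URL although (e)(1) links the same guide at `https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf`; restore both so contractors are not directed to send assessment data to an unspecified address. Every autonumber `<ph>` carries `class="-topic/ph"`, which does not follow the DITA class-attribute form `"- topic/ph "` used on the title line and may keep processors from recognising the element, and the `<info li_elems="…"/>` elements inside `<li>` look like an export artifact (DITA's `info` is a task `<step>` child and has no `li_elems` attribute), so the file is unlikely to validate against the declared `ditabase.dtd`. Run `xmllint --noout --valid` or a DITA-OT build before merging.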
|