The Network Penetration Reporting and Contracting for Cloud Services Rule was the subject of two interim rules published Aug. 26, 2015 (80 FR 51739) and Dec. 30, 2015 (80 FR 81472), before being published as a final rule Oct. 21, 2016 (81 FR 72986), and clarified by DoD through answers to Frequently Asked Questions (FAQs), published Jan. 27, 2017.
The new DoD cybersecurity regulations require contractors to implement the security requirements specified by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” not later than Dec. 31, 2017. DFARS, 252.204-7008(c)(1).
However, a contractor may propose to vary from the NIST SP 800-171 requirements under two circumstances. Under DFARS 252.204-7008(c)(2), a contractor may propose to vary from the security requirements specified by NIST SP 800-171 through a … Read More