NIST, DOD, DHS ALL MOVE AHEAD ON CONTRACTOR SECURITY REQUIREMENTS
NIST Special Publication (SP) 800-171 is the cornerstone of how agencies and vendors protect federal information, specifically controlled unclassified information (CUI), on nonfederal systems and organizations, that is, when the contractor is not collecting or maintaining the information on behalf of a federal agency. NIST just released the third revision of the publication, with multiple changes intended to make it easier for contractors to understand what is required of them and for federal agencies to know what to expect from contractors.

That is just one of several new security developments for government contractors. The Department of Defense is taking another step toward protecting its supply chain, of which protecting information is one part, by requiring contracting officers to evaluate vendors through the Supplier Performance Risk System (SPRS). A final rule issued in March states that contracting officers must consider supplier risk as part of their responsibility determination, including for procurements at or below the simplified acquisition threshold and for acquisitions of commercial items and services. John Tenaglia, Director of Defense Pricing and Contracting, discussed the requirement at the Coalition for Government Procurement Spring Conference. Tenaglia said that the intent of the rule is to require contracting officers to review more closely the acquisition of items that may have enhanced risk factors.

Not to be outdone, the Department of Homeland Security is close to finalizing a rule that would implement CMMC-like requirements for handling controlled unclassified information in its own procurements.

Collectively, these actions show that federal agencies are increasingly focused on assessing risk, protecting information, and ensuring that contractors have systems in place to oversee both their own security programs and those of their suppliers. These requirements may bring contractors new costs as well as new processes.
Companies may want to consider devoting time and resources to ensuring that they have a strategic plan on how to identify and manage these requirements.