Prepare for the future, succeed today: Current system security plan requirements
With the recent passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Reporting Act”), many within the cybersecurity profession are looking forward to a bright future. However, that future should not blind contractors to the obligations that already exist under the Defense Federal Acquisition Regulation Supplement (DFARS). These DFARS clauses already require contractors to incorporate National Institute of Standards and Technology (NIST) security requirements. Applying NIST SP 800-171, contractors are responsible for implementing three layers of Incident Response. Furthermore, a representative from the Defense Contract Management Agency (DCMA) reminded contractors of some of their other current legal obligations.
Specifically, System Security Plans (SSPs) were discussed during a recent Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) Town Hall. The representative noted that the DCMA will be reviewing contractors’ SSP descriptions of how security requirements are being met under the current regulations. This explicit obligation falls under NIST SP 800-171 §3.12.4, which states that a contractor is required to:
“Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems”.
While there is no prescribed format or specific level of detail, NIST defines an SSP as:
“A document that describes how an organization meets the security requirements for a system or how an organization plans to meet the requirements. In particular, the system security plan describes the system boundary; the environment in which the system operates; how the security requirements are implemented; and the relationships with or connections to other systems.”
Therefore, at a minimum, all government contractors regulated by the DFARS must have a document describing the above information.
While new laws and regulations, like the Reporting Act, require planning and legal guidance, government contractors should not forget their current obligations and NIST requirements. Additionally, while the SSP itself is important, government contractors should also note that under NIST SP 800-18 system owners must be identified, and those owners must have “expert knowledge” of how the system meets the security requirements described in the SSP.
If you require assistance regarding new or current requirements, such as creating or updating an SSP, please reach out to our national Data Privacy and Cybersecurity Practice Group. For general government contracting support, contact our attorneys in the Government Contracting and Procurement Practice Group.