Defense Department Issues Class Deviation on Cybersecurity Standards for Covered Contractor Information Systems44th U.S.-Jordan Joint Military CommissionContracts for May 2, 2024

The Office of the Under Secretary of Defense for Acquisition and Sustainment, in collaboration with the Office of the Chief Information Officer, today issued a Defense Federal Acquisition Regulation Supplement (DFARS) class deviation relating to the cybersecurity standards required for covered contractor information systems.

The intent of this class deviation is to provide industry time for a more deliberate transition upon the forthcoming release of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," revision. This class deviation will also afford the Department of Defense time to best align any of the necessary supporting mechanisms.

Specifically, this class deviation provides an alternative clause that will require contractors, who are subject to DFARS clause 252.204-7012, to comply with NIST SP 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued.

The class deviation is available on the Defense Pricing and Contracting public website at https://www.acq.osd.mil/dpap/policy/policyvault/USA000814-24-DPC.pdf.