Cyber DFARS, NIST SP 800-171 DOD Class Deviation | Lockheed Martin

Who we are What we do News Careers Investors Suppliers

Global Activity

United States | English

back

Global Activity

Featured

Global Activity image

Global Presence, Local Impact

Learn how we are strengthening the economies, industries and communities of our global partner nations.

Australia

English

Canada

English Français

Denmark

English Danish

Germany

English Deutsch

Greece

English Ελληνικά

India

English

Israel

English עברית

Japan

English 日本語

Latin America

English Spanish Portuguese

New Zealand

English

Poland

English Polski

Republic of Korea

English 한국어

Saudi Arabia

English عربى

Singapore

English

Spain

English Español

Taiwan

English

United Arab Emirates

English عربى

United Kingdom

English

United States

English

back

Search

back

Who we are

About Us Leadership & Governance Our Businesses Sustainability, Social Impact & Diversity Ethics Economic and Workforce Impact Global Activities

back

About Us

Our Company Our Culture Our History

back

Leadership & Governance

Executive Leadership Team Full Spectrum Leadership

Corporate Governance

Board of Directors Corporate Charter Political Disclosures

back

Our Businesses

Business Areas

Aeronautics Missiles and Fire Control Rotary and Mission Systems Space LM Ventures

back

Sustainability, Social Impact & Diversity

Social Impact Diversity & Inclusion Environmental, Safety and Health Sustainability

back

Social Impact

In the Community Military and Veteran Support Future STEM Workforce Employee Focused Programs Volunteerism

Contribution Process

back

Ethics

Ethics Code of Conduct Business Conduct Ethics Awareness Training Integrity Minute

back

Sustainability

Sustainability at LM Sustainability Performance Report Sustainability Management Plan Sustainability Governance Plan

back

What We Do

Aircraft All-Domain Operations Autonomy & AI Cyber Deterrence Capabilities Maritime Systems Space Sustainment & Training Systems Transformative Technology

Products by Domain

Featured

21st Century Security

Designed to help the U.S. and allies leverage emerging technologies to create a resilient multi-domain network.

back

Autonomy & AI

Artificial Intelligence Autonomy Distributed Teaming

View Autonomous Products

back

Aircraft

Explore All Aircraft

Fixed Wing

Commercial Aircraft Fighter Jets Tactical Airlift Tanker Transport Autonomous Aircraft

Rotary Wing

Commercial Aircraft Future Vertical Lift Sikorsky Autonomous Aircraft

back

All-Domain Operations

21st Century Security C4ISR Solutions Joint All-Domain Operations

back

Aircraft

Fixed Wing

Commercial Aircraft Fighter Jets Tanker Transport Autonomous Aircraft

Rotary Wing

Commercial Aircraft Future Vertical Lift Sikorsky Autonomous Aircraft

back

Cyber Capabilities

Cyber 1 Cyber 2 Cyber 3

back

Innovation

Skunk Works®

Global Research and Development

Advanced Technology Center Advanced Technology Laboratories Center for Innovation Sikorsky Innovations STELaRLab

back

Space Capabilities

Communications Security Deterrence & Missile Defence Global Situational Awareness Human & Scientific Exploration Intelligence Solutions & Cyber Space Technologies

back

Sustainment & Training Systems

Sustainment & Global Readiness Training Systems

back

Deterrence Capabilities

C4ISR Solutions Cyber Solutions Directed Energy Electronic Warfare Integrated Air & Missile Defense Joint All-Domain Operations Radar Sensors Weapon Systems

back

Products by Domain

All Products

By Domain

Air Cyber Land Sea Space

back

Transformative Technologies

21st Century Security 5G.MIL Solutions Artificial Intelligence Cyber Directed Energy Firefighting Intelligence Hypersonic Solutions Spectrum Dominance

Our Business Innovation

Digital Transformation Research Labs

back

Research Labs

Skunk Works®

Global Research and Development

Advanced Technology Center Advanced Technology Laboratories Center for Innovation Sikorsky Innovations STELaRLab

Back to Supplier News

Cyber DFARS, NIST SP 800-171 and DOD’s “Just-in-Time” Class Deviation

June 26, 2024

As most defense industry companies are aware, DFARS 252.204-7012 has long required contractors and subcontractors to safeguard DOD’s controlled unclassified information (CUI) (or covered defense information), including requirements to protect their company networks consistent with the NIST SP 800-171 standard (version current at time of prime contract solicitation). While the intent is for those requirements to evolve over time as the standard is revised to reflect the changing cyber threat landscape, the evolution to NIST’s latest revision will be a significant undertaking for the industry. Fortunately, DOD leadership recognized these concerns and on May 2, 2024 a Class Deviation for 252.204-7012 was issued guiding contracting officers to require contractors to comply with NIST SP 800-171 Revision 2 (instead of the version in effect at time of solicitation). Less than two weeks later, on May 14, 2024, NIST released Revision 3 to this standard. The Class Deviation will remain in effect until rescinded.

As a result, for the time being, industry can remain focused on ensuring that they are fully meeting NIST SP 800-171 Revision 2 requirements and preparing for third-party (CMMC Level 2) certification requirements against that standard.

Looking ahead to the now final Revision 3:

There are substantial changes comparing 800-171 Rev2 to Rev3 – nearly 70% of the standard and roughly 214 requirements & 50 subordinate requirements are modified.
One of the most challenging elements added are the “Organizationally Defined Parameters (ODPs)”, which potentially introduce significant complexity since individual government agencies could define different parameters for contractors to meet (leading to variation of the requirement by customer, or even on a contract by contract basis)
Given the large amount of change it will take a significant amount of time for industry to adapt… both for contractors to implement the new requirements and for assessors to be trained and their assessment methodologies updated to incorporate the changes. Plans of Action & Milestones (POAMs) are expected to be allowed, but much is still to be determined about how new requirements and POAMs would be assessed.