DI-MGMT-82247, DATA ITEM DESCRIPTION (DID): CONTRACTOR'S SYSTEMS SECURITY PLAN AND ASSOCIATED PLANS OF ACTION TO IMPLEMENT NIST SP 800-171 ON A CONTRACTOR'S INTERNAL UNCLASSIFIED INFORMATION SYSTEM [S/S BY DI-SCRE-82258] (31-OCT-2018)
This Data Item Description (DID) contains the data content, format, and intended use of the Contractor's system security plan (or extracts thereof), to include any associated plans of action, addressing the Contractor’s internal unclassified information system(s). When Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 is included in a contract for which covered defense information – as defined in DFARS Clause 252.204-7012 – will be processed, stored, or transmitted on an unclassified information system that is owned, or operated by or for, the Contractor, the Contractor shall develop, document, and periodically update a system security plan(s), to include any associated plans of action, for the Contractor’s internal unclassified information system in accordance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Security Requirement 3.12.4 of NIST SP 800-171 requires that system security plans describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. Security Requirement 3.12.2 of NIST SP 800-171 requires that plans of action describe how the Contractor will correct deficiencies and reduce or eliminate vulnerabilities in the Contractor’s unclassified information system.
The system security plan (or extracts thereof) and any associated plans of action may be used by the government as input to an overall risk management decision to process, store, or transmit covered defense information on an unclassified information system that is owned, or operated by or for, the Contractor (i.e., Contractor's internal unclassified information system).
This DID contains the information that shall be conveyed within the system security plan and any associated plans of action for the Contractor’s internal unclassified information system. There is no prescribed format or specified level of detail for how that information is conveyed. There is no requirement for the government to approve the system security plan or any associated plans of action for the Contractor’s internal unclassified information system, but the government may request that the Contractor submit the system security plan (or extracts thereof), and any associated plans of action, so that the government may review the Contractor’s implementation of the security requirements.