If you must comply with NIST 800-171 under DFARS, you may wonder what has changed with the first revision, released in December 2016. There are two substantive changes:

1.  “Information Systems” has been replaced by “Systems” throughout the document. This means the scope of your compliance effort is expanded to cover Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems that could be vulnerable to attack.

Therefore, your compliance team should have the necessary skills and experience to assess these additional systems.

What changed in NIST 800-171r1?

2.  The addition of a 110th requirement for a System Security Plan (SSP).  Paragraph 3.12.4 now requires you to “Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.”

An SSP differs from a Plan of Action and Milestones (POAM). A POAM is an actionable project plan with commitments that can be contractually binding, whereas an SSP is more conceptual in nature. However, we think that Contracting Officers will expect suppliers to make their SSPs actionable and to make good-faith efforts to abide by them.