On May 2, 2024, the Department of Defense (DoD) issued a class deviation to DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
The deviation relates to contractors’ compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which is currently undergoing a revision. The deviation changes the requirement that contractors must comply with the version of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 that is in effect at the time the government issues a solicitation. Instead, under the deviation, contractors are specifically directed to comply with NIST SP 800-171, Revision 2 (i.e., the current version) until the deviation is rescinded. The deviation is effective immediately.