As prescribed in 204.7304(a), use the following provision:
Compliance With Safeguarding Covered Defense Information Controls (AUG
2015)
(a) Definitions. As used in this provision--
Controlled technical information, covered contractor information system, and covered defense information are defined in clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
(b) The security requirements required by contract clause 252.204-7012, Covered Defense Information and Cyber Incident Reporting, shall be implemented for all covered defense information on all covered contractor information systems that support the performance of this contract.
(c) If the Offeror proposes to deviate from any of the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, ``Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, http://dx.doi.org/ 10.6028/ NIST.SP.800-171 that is in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DoD CIO, a written explanation of--
(1) Why a particular security requirement is not applicable; or
(2) How an alternative but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection.
(d) An authorized representative of the DoD CIO will approve or disapprove offeror requests to deviate from NIST SP 800-171 requirements in writing prior to contract award. Any approved deviation from NIST SP 800-171 shall be incorporated into the resulting contract.
(End of provision) [80 FR 51744, Aug. 26, 2015]