PGI 204.7303-2 Safeguarding controls and requirements.
(a) When an offeror proposes to vary from any of the security requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” in accordance with paragraph (c)(2) of the solicitation provision at DFARS 252.204-7008, or in accordance with paragraphs (b)(2)(ii)(B) of DFARS clause 252.204-7012, the contracting officer shall submit the offeror’s explanation of the proposed variance to the DoD Chief Information Officer via email at osd.dibcsia@mail.mil for adjudication.
(b) For additional information on safeguarding controls and requirements, see the Frequently Asked Questions document at http://www.acq.osd.mil/dpap/pdi/network_penetration_reporting_and_contracting.html.