(DFARS 252.204-7012 requires contractors to “implement” NIST SP 800-171.) Neither the November 6th guidance nor the January 21 Lord memorandum define “Tier 1 Level Supplier,” but from the context of the December 17 Fahey memorandum it appears that DoD intends it to be interpreted broadly to include first-tier subcontractors, vendors and other suppliers.
- “…the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. . .” The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017…”
Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012
The required controls for NIST SP 800-171 address the following areas of your business:
At STN, we understand NIST SP 800-171 compliance and how it can help your business become more secure. We have specific expertise in helping small and medium-sized businesses achieve and maintain 800-171 compliance. Our methodology is based on the NIST Risk Management Framework and best practice.
We provide the following services:
1. Advisory Services
- Gain a comprehensive understanding of DFARS 252.204-7012 and what it takes to comply. We focus on architectural changes, policies, procedures, security plans, and technologies that are required for a mature secure program.
- Set organizational expectations for compliance through key stakeholder education and buy-in.
2. Controlled Unclassified Information Assessment
- STN reviews your current network diagrams and documentation
- STN reviews your network policies
- STN performs a review of CUI handling in systems and policies
Through a series of interviews and analysis of the evidence gathered, STN then provides you with a scope and estimate for a NIST 800-171 gap assessment and a set of prioritized recommendations regarding your processing, handling, and storage of CUI data.
- Access control requirements
- Awareness and training requirements
- Audit and accountability requirements
- Configuration Management requirements
- Identification and authentication requirements
- Incident response requirements
- Media protection requirements
- Personnel security requirements
- Physical and environmental protection requirements
- Risk assessment requirements
- Security assessment requirements
- System and communications protection requirements
- System and information integrity requirements
- Planning requirements (NFO)
- System and services acquisition requirements (NFO)
STN then provides you with a detailed report outlining:
- Practices that do not need to be changed.
- Practices that are currently formally documented.
- Current process documentation that needs to be altered or refined.
- Practices that need to be changed to meet regulatory requirements or to implement best practices.
- A roadmap and plan to implement the corrective actions required for achieving and maintaining compliance.
- Remediation recommendations with the estimated compliance costs, timelines, and resources (internal and external) required to achieve and maintain compliance.
The STN IT assessment processes are facilitated by the STN Cybersecurity Portal, which provides remote reporting and facilitates collaboration between STN and your company’s staff. The portal includes the capability to securely share documentation, review drafts, and input responses to findings directly into your report.
Let’s discuss your NIST compliance needs.
If you are a subcontractor, vendor, or supplier to a Tier 1 Level Supplier, you are mandated to comply with DFARS Clause 252.204-7012 and NIST 800-171.
This includes audits by the DoD Inspector General (IG) “to determine whether DoD contractors have security controls in place” to protect CDI and enhanced security controls for certain high risk contractor networks.
January 21, 2019
The Undersecretary of Defense
Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, as a means to safeguard the Department of Defense’s (DoD’s) controlled unclassified information (CUI) that is processed, stored or transmitted on the contractor’s internal unclassified information system or network. Contractors are required to flow down this clause in subcontracts for which subcontract performance will involve DoD’s CUI.
To effectively implement the cybersecurity requirements addressed in DFARS Clause 252.204-7012 and NIST SP 800-171, I have asked the Director, Defense Contract Management Agency (DCMA) to validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012. Specifically, DCMA will leverage its review of a contractor’s purchasing system in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration, in order to:
- Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers.
- Review Contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.