COMPLIANCE

NIST 800-171 Compliance

The Department of Defense has given qualified contractors until the end of the year to comply with the NIST 800-171 requirements.

Schedule Your Assessment

NIST Overview

On January 21, 2019, Ellen Lord (Under Secretary of Defense for Acquisition and Sustainment) issued a second memorandum focused on assessing contractor COMPLIANCE with the DFARS cyber clause via audits of a Contractor’s purchasing system. Much like the DoD IG audits that many contractors have been subject to in the past few months, the intent of this guidance is to have DCMA “validate, for contracts for which they provide contract administration and oversight, contractor COMPLIANCE with the requirements of DFARS clause 252.204-7012.”

(DFARS 252.204-7012 requires contractors to “implement” NIST SP 800-171.) Neither the November 6th guidance nor the January 21 Lord memorandum define “Tier 1 Level Supplier,” but from the context of the December 17 Fahey memorandum it appears that DoD intends it to be interpreted broadly to include first-tier subcontractors, vendors and other suppliers.

NIST Compliance

Resource Center

If you are a sub-contractor, vendor, or supplier to a Tier 1 Level Supplier for the government, you must implement all of the security requirements and controls outlined in the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171—Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations—by mile marker 12-31-17. If you don’t, you risk losing your contracts, costing your organization millions of dollars in lost revenue:

“…the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. . .” The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017…”

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012

The required controls for NIST SP 800-171 address the following areas of your business:

Access Control
Audit and Accountability
Awareness and Training
Configuration Management
Identification and Authentication
Incident Response

Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment & Authorization
System and Communications Protection

At STN, we understand NIST SP 800-171 compliance and how it can help your business become more secure. We have specific expertise small and medium sized businesses achieve and maintain 800-171 compliance. Our methodology is based on the NIST Risk Management Framework and Best Practice.

We provide the following services:

1. Advisory Services

Gain a comprehensive understanding of DFARS 252.204-7012 and what it takes to comply. We focus on architectural changes, policies, procedures, security plans, and technologies that are required for a mature secure program.
Set organizational expectations for compliance through key stakeholder education and buy-in.

2. Controlled Unclassified Information Assessment

Before you begin a full 800-171 gap assessment, you first need to understand how and where your company utilizes, stores, and transmits Controlled Unclassified Information (CUI). In this assessment, STN assesses how your company utilizes, transmits, and stores CUI by utilizing our methodology:

STN reviews of your current network diagrams and documentation
STN reviews your network policies
STN performs a review of CUI handling in systems and policies

Through a series of interviews analysis of evidence gathered, STN then provides you with a scope and estimate of NIST 800-171 gap assessment and set of prioritzied recommendations regarding your processing, handling, and storage of CUI data.

3. NIST 800-171 Gap Analysis

STN performs a gap analysis of your company’s compliance with all required NIST 800-171 controls for DFARS 252.204-7012 compliance including:

Access control requirements → Add links to Checklist
Awareness and training requirements
Audit and accountability requirements
Configuration Management requirements
Identification and authentication requirements
Incident response requirements
Maintenance
Media protection requirements
Personnel security requirements

Physical and environmental protection requirements
Risk assessment requirements
Security assessment requirements
System and communications protection and requirements
System and information integrity requirements
Planning requirements (NFO) → needs to be added to checklist
System and services acquisition requirements (NFO) → needs to be added to checklist

STN then provides you with a detailed report outlining:

Identify practices that do not need to be changed.
Specify which practices are currently formally documented.
Identify current process documentations that need to be altered/refined.
Identify practices that need to be changed to meet regulatory requirements or to implement best practices.
Provide a roadmap/plan to implement the corrective actions required for achieving and maintaining compliance.
Remediation recommendations with estimated compliance costs, timelines, and resources (internal and external) required to achieving and maintaining compliance.

The STN IT assessment processes are facilitated by the STN Cybersecurity Portal, which provides remote reporting and facilitates collaboration between STN and your company’s staff. The portal includes the capability to securely share documentation, review drafts, and input responses to findings directly into your report.

Let’s discuss your NIST compliance needs.

If you are a sub-contractor, vendor, and supplier to a Tier 1 Level Supplier, you are mandated to comply with DFARS Clause 252.204-7012 and NIST 800-171.

This includes audits by the DoD Inspector General (IG) “to determine whether DoD contractors have security controls in place” to protect CDI and enhanced security controls for certain high risk contractor networks.

Mandate Language

January 21, 2019
The Undersecretary of Defense

Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, as a means to safeguard the Department of Defense’s (DoD’s) controlled unclassified information (CUI) that is processed, stored or transmitted on the contractor’s internal unclassified information system or network. Contractors are required to flow down this clause in subcontracts for which subcontract performance will involve DoD’s CUI.

To effectively implement the cybersecurity requirements addressed in DFARS Clause 252.204-7012 and NIST SP 800-171 , I have asked the Director, Defense Contract Management Agency (DCMA) to validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DF ARS clause 252.204-7012. Specifically, DCMA will leverage its review of a contractor’s purchasing system in accordance with DFARS Clause 252.244-7001 , Contractor Purchasing System Administration, in order to:

Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers.
Review Contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.