COMPLIANCE

Getting your company in compliance shape for NIST 800-171, with the looming December 31, 2017, deadline enforced by the U.S. Department of Defense (DoD), is much like training for a marathon. If your company or organization contracts for the government, you must implement all of the security requirements and controls outlined in the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171—Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations—by mile marker 12-31-17. If you don’t, you risk losing your contracts, costing your organization millions of dollars in lost revenue:

“…the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. . .” The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017…”

-Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012

The required SP 800-171 controls include:

•  Access Control
• Audit and Accountability
• Awareness and Training
• Configuration Management
•  Identification and Authentication
• Incident Response
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment & Authorization
• System and Communications Protection
• Three exceptions include: (i) CP-9 from the contingency planning family; (ii) a requirement to develop and implement a system security plan (derived from PL-2) from the planning family; and (iii) a requirement to implement system security engineering principles (derived from SA-8).

Our methodology is based on the NIST Risk Management Framework and Best Practice. We provide the following services:

• Gain a comprehensive understanding of DFARS 252.204-7012 and what it takes to comply. We focus on architectural changes, policies, procedures, security plans, and technologies that are required for a mature secure program.
• Set organizational expectations for compliance through key stakeholder education and buy-in.

• Provide decision-makers with a Roadmap/Strategy outlining the corrective actions required for achieving and maintaining compliance.
• Results include a clear picture of compliance costs, timelines, resources (internal and external) required to achieving and maintaining compliance.

• Independent Risk Assessment: Conduct 3rd party assessments to validate the various safeguards implemented during the remediation phase of the project. Service is provided to clients who have not worked with STN on remediation activities.
• Conduct compliance and operational continuous monitoring activities.