Department of Defense contractors and subcontractors handle highly sensitive government data on a regular basis. In today’s day and age when a cyber-attack happens every 39 seconds, taking the right steps to protect this data is of the utmost importance.
This is why specific cybersecurity protocols have been put in place by the US government, and the NIST special publication 800-171 is the perfect example of that. To keep sensitive information secure, NIST 800-171 compliance is a requirement for DoD contractors, but many contractors are still unsure about what compliance even looks like.
Find out here in this complete guide to NIST 800-171 compliance for Department of Defense contractors. We’ll cover some of the basics of the publication, why compliance is important, and what you need to do to become compliant (and stay that way).
What Is NIST 800-171?
NIST SP 800-171 is a special publication that was released by the National Institute of Standards and Technology, a government agency within the US Department of Commerce.
Another name for NIST 800-171 is Defense Federal Acquisition Regulation Supplement, or DFARS. The main goal of this document, titled Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is to lay out the necessary requirements for protecting Controlled Unclassified Information, or CUI.
Why NIST 800-171 Compliance Is Important
We’ve already mentioned the most prominent reason why complying with NIST requirements is important; cyber threats are more prevalent than ever, and many of these threats are directly targeted at the US government.
Another reason why it’s important to have a structured set of cybersecurity guidelines is that many contractors are unsure of how to adopt critical security best practices. This publication solves that problem by giving DoD contractors a precise set of standards to follow in order to adopt good cyber hygiene and safeguard CUI.
By complying with 800-171 standards, there’s more consistency across the board towards minimizing the risks of data breaches and protecting sensitive government information.
Who Must Comply with NIST 800 171
Any organization that processes, stores, or transmits CUI for the Department of Defense (DoD), General Services Administration (GSA), NASA, and other federal and state agencies must meet the standards outlined in NIST 800-171.
This includes a wide range of companies and institutions in addition to defense contractors, like universities, research laboratories, manufacturers, consulting firms, and more. Even if there’s no direct relationship with the federal government, compliance is required any time CUI is in the equation.
When Is the NIST 800-171 Compliance Deadline?
The deadline for complying with NIST 800 171 became official on December 31st, 2017. As of that date, all DoD contractors are required to comply. This was made official in DFARS clause 252.204-7012 on Safeguarding Covered Defense Information and Cyber Incident Reporting.
Within that clause, it states: “The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.”
Main Requirements: NIST 800-171 Compliance Checklist
There are 2 main categories for complying with NIST 800-171. The first is safeguarding covered defense information, which highlights the steps for providing adequate security and lays out all the details for keeping CUI protected against cyber threats.
The second category is on cyber incident reporting, which gives information on the steps required for rapidly reporting cybersecurity incidents and data breaches. To comply with both of these categories, there are 14 key areas to cover within your internal systems:
- Access control: Limit access to CUI so only authorized individuals/devices have access.
- Awareness and training: Provide adequate awareness/training of cybersecurity risks and best practices to staff members.
- Auditing and accountability: The systems that you use should have an audit trail so that it’s possible to know who has accessed CUI.
- Configuration management: All software and hardware should have configurations with strong security measures.
- Identification and authentication: Identify the users, devices and processes that are trying to access your systems through identity authentication.
- Incident response: Implement an incident response plan that allows you to prepare for incidents, detect intrusions, contain the problem, document it, and report it to the DoD.
- Maintenance: All internal information systems should receive proper maintenance to keep everything up to date and properly protected against threats.
- Media protection: Any media with CUI needs proper protection.
- Personnel security: Everyone accessing CUI must go through a screening process.
- Physical protection: The physical location of the information systems with CUI needs to be kept secure to stop unauthorized on-site access.
- Risk assessment: Implement a risk assessment procedure and regularly use it to understand the cybersecurity risk factors that your organization faces.
- Security assessment: Evaluate whether the current cybersecurity measures are adequate or if they need updating based on the current threat environment.
- System and communications protection: The external and internal boundaries of your information systems need to be properly controlled, monitored and protected.
- System and information integrity: Protect your systems from malicious code, report and fix flaws in the system, and monitor security alerts for quick action when necessary.
Within these 14 areas, there are a total of 110 security controls to implement. Each of these controls is not just an option for contractors, it’s a requirement.
One of the more recent additions to NIST 800-171 is the DFARS 7020 Interim Rule. This rule requires contractors to submit an assessment score to the SPRS system along with a System Security Plan (SSP) and Plan of Action & Milestones (POA&M).
Penalties for Non-Compliance
Failing to meet NIST 800-171 certification standards can have a number of different consequences. The specific outcome for organizations who are noncompliant depends on a few things, like the scope of the data breach, the type of CUI involved, and whether or not you are seen as negligent to the way you go about IT security.
It’s possible that you could be banned or suspended from bidding on DoD contractors until you can prove that you have met compliance requirements. Even after complying, there’s a very good chance that your reputation will never bounce back.
From what we’ve covered so far, it’s completely normal to feel overwhelmed about your role with NIST 800-171 compliance. That’s why many DoD contractors have taken it upon themselves to outsource the job to NIST 800-171 consultants. This is the best NIST 800-171 compliance tool to have at your fingertips to become compliant and stay that way.
Get in touch with us today to receive a compliance review through a free consultation. We’ll discuss your cybersecurity needs and tell you all about VAAXA’s services for contractors still working towards meeting their NIST 800-171 compliance goals.