In the past, the US government hasn’t been shy about criticizing government contractors’ lack of compliance with cybersecurity regulations. Since things have shifted drastically within the past few decades and our cybersecurity is more at risk than ever, the federal government has felt the need to make changes.
A big part of that change came in the form of a special publication released by the National Institute of Standards and Technology called NIST 800-171. This original publication was released in 2015 with the goal of increasing and improving cybersecurity across government agencies, including the Department of Defense.
Complying with NIST 800-171 is a requirement for all DoD contractors. Not adhering to it doesn’t just mean you’re practicing poor cybersecurity methods; it means you risk losing out on current and future contracts.
To ensure compliance, learn all about the current requirements set in place by the NIST 800-171 – as well as the new Interim Rule – in this complete guide to what it is and what it means for government contractors.
First, Some Background Information…
Before getting into the details of NIST 800-171, it’s important to get some background information in order to better understand NIST 800-171 controls. The first thing that needs explaining is the acronym DFARS, which is short for Defense Federal Acquisition Regulation Supplement.
DFARS is a clause (more officially known as DFARS 252.204-7012) released in 2017 that requires contractors to meet a new set of security requirements that was originally set in place by NIST 800-171.
Next up comes the Cybersecurity Maturity Model Certification. Because cybersecurity is a greater concern than ever, the DoD has laid out a brand new foundation by creating a model for evaluating and assessing contractors’ cybersecurity practices. This model is the CMMC, and it is an expansion of DFARS 252.204-7012.
Lastly comes CUI, which is short for Controlled Unclassified Information. CUI is a big part of the NIST 800-171 equation; in fact, the entire premise behind this publication is to protect CUI, which is “unclassified information requiring protection as identified in a law, regulation, or government-wide policy.”
Although it’s not strictly regulated by the federal government, CUI is sensitive and relevant to the interests of the United States government as well as contractors. Because of its potentially sensitive nature, handling CUI requires certain controls for keeping it safe, and that’s where NIST 800-171 comes into play.
What Is NIST SP 800-171?
NIST 800-171 is short for National Institute of Standards and Technology Special Publication 800-171. This publication was developed after the Federal Information Security Management Act of 2003, making necessary changes to the cybersecurity framework.
The goal of NIST 800-171 is to define how to safeguard and distribute sensitive (but not classified) information, which you now better know as CUI. It was described as a “national imperative” to make these changes since security breaches are more prevalent than ever, and many of these breaches threaten the US government and its citizens.
In short, this is a set of standards that is meant to provide guidance for non-federal organizations on the protection of CUI. It clarifies contractors’ roles on things like data breach incidents and gives guidance on ways to protect data and prevent breaches in the future.
The Progression of NIST 800-171
Even though NIST 800-171 is considered relatively new, the requirements laid out within it are not actually all that new. Before NIST 800 171 there was Executive Order 13556, which laid the future foundation for 800-171.
The original version of NIST 800-171 was released in 2015, but since then some revisions have been made. That’s no surprise since cybersecurity and cyber threats are constantly changing, so obviously, regulations surrounding them will as well.
NIST SP 800 171A & 800-171B
In addition to the publication itself, there is also additional information in the form of NIST SP 800 171A and 800-171B (Draft) publications. With 800 171A, the focus is “Assessing Security Requirements for Controlled Unclassified Information”, and the official document states:
“This publication provides federal and nonfederal organizations with assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements in NIST Special Publication 800-171…”
800-171B is still being drafted. According to the current draft, “this publication provides federal agencies with recommended enhanced security requirements for protecting the confidentiality of CUI.” This will provide an enhanced set of requirements to supplement the original 800-171 special publication.
NIST SP 800-171 Revision 1 vs 800-171 Rev 2
Like any government document, NIST 800-171 has undergone some revisions. The most up-to-date version is 800-171 Rev 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which was revised and released in February 2020.
Before that was NIST SP 800-171 Revision 1, and with Revision 2, updated guidance was provided on how to secure CUI with minor editorial changes. Nothing major changed between the two; it was mostly just slight adjustments to things like glossary, references, etc.
Who Must Comply with NIST 800-171?
NIST compliance is mainly intended for companies who work within the supply chain of the federal government. This includes prime contractors and subcontractors as well as subcontractors working with other subcontractors. For these people, compliance is 100% mandatory.
One thing to note is that even companies not within the federal supply chain can benefit from complying with NIST standards. This publication is known for providing effective security practices for protecting business data, and that’s what every organization should aim for – even those not directly affiliated with the US government.
What Is the NIST 800-171 Interim Rule?
In the official published government document, it’s stated that the “DoD is issuing an interim rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.”
This rule has 2 major effects on DoD contractors. The first is that it paved the way for CMMC, which will be phased in over the next 5 years until it becomes a full-on requirement in 2026. This is stated in clause DFARS 252.204-7021, “Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement”, which contains all the CMMC requirements.
The next big change made by this rule is that it now requires contractors to undergo assessments, which will determine whether or not compliance with NIST 800-171 is being met.
Interim Rule officially became a requirement for federal contractors on November 30, 2020. Not adhering to it doesn’t just mean you’re practicing poor cybersecurity methods; it means you risk losing out on current and future contracts.
Interim Rule Effects on the CMMC Framework
In terms of the underlying requirements already embedded in the CMMC framework that has been developing for over a year, the Interim Rule hasn’t changed anything. Everything that has already been laid out by the model’s Accreditation Body and DoD remains the same, like:
- It’s a third-party certification model for contractors to determine maturity when it comes to cybersecurity practices.
- It is comprised of 5 Levels, ranging from basic to advanced maturity.
- Contractors will be required to obtain the right CMMC maturity level to be eligible to compete for contracts.
About the New NIST 800-171 Assessment Requirement
While the Interim Rule’s effects on CMMC implementation are moving at a slow pace, the effects were much more immediate on the new assessments required for contractors.
There are 3 assessment levels – Basic, Medium, and High. Basic assessments are meant to be completed by the contractor and then submitted to the DoD. For the more intensive Medium and High assessment levels, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) performs those.
To perform the assessment, DoD’s NIST SP 800-171 Assessment Methodology is used, which is a 110-point scale determining how well a contractor is adhering to each of the controls laid out in NIST 800-171.
What This All Means for DoD Contractors
As of right now, the DFARS 252.204-7021 clause on CMMC requirements only applies to a limited number of contractors. As each year goes by, more and more contracts with prime contractors and their subcontractors will contain CMMC requirements. Eventually (by 2026), it will apply to all contracts. Since it is unknown when your position in the defense supply chain will get CMMC requirements, it’s best to get prepared for reaching the necessary CMMC level early on, and a great way to do that is through customized CMMC services.
For the 800-171 assessment process, this rule is in full effect today and has been since November 2020. Contractors who fail to perform assessments and submit scores will no longer be eligible for bidding on or receiving contracts. It is also equally important to submit accurate scores and avoid fines due to The False Claims Act.
We covered a lot of information here today – everything from DFARS clauses to CMMC basics to NIST 800-171 history. Nobody expects you to be an expert on these things, but you do have to adhere to the changing NIST regulations in order to stay compliant with the DoD. Get in touch today to receive expert-level help from a team of cybersecurity specialists at VAAXA.