NIST 800-171r3 Compliance

DIB suppliers who process, store, or transmit Controlled Unclassified Information (CUI) must ensure that their systems implement the National Institute of Standards and Technology (NIST) SP 800-171 security requirements, of which Revision 3 (800-171r3) is the current version. These controls protect sensitive but unclassified data from cyber threats, both foreign and domestic.

Brightline IT is a prominent managed security service provider that can help DIB suppliers evaluate their data handling procedures and make the required changes to ensure compliance with NIST 800-171r3. From large primes to small subcontractors, we work with organizations of all sizes and tailor our services to fit your unique demands.

What is NIST 800-171r3 Compliance?

The US National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect the information and information systems of federal agencies. In response to Executive Order 13556 on managing controlled unclassified information (CUI), it published NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations; Revision 3 (800-171r3) is the current version. CUI is information, digital or physical, that the government creates or possesses (or that an entity creates or possesses on its behalf) which, while not classified, is sensitive and which law, regulation, or government-wide policy requires to be safeguarded.

NIST SP 800-171 was originally published in June 2015 and has been revised several times since in response to evolving cyber threats; Revision 3 was finalized in May 2024. It specifies how CUI must be securely accessed, transmitted, and stored in nonfederal systems and organizations. At a high level, its requirements fall into four categories:

  • Controls and processes for managing and protecting CUI
  • Monitoring and management of IT systems
  • Clear practices and procedures for end users
  • Implementation of technical and physical security measures

How NIST SP 800-171r3 Compliance Benefits Businesses

NIST 800-171r3 compliance provides a number of benefits for businesses, including:

  • Improved security: Security controls go far beyond just “following the law” and help to ensure that IT systems are properly protected, minimizing the business and financial impacts of ransomware, data loss, hardware failure, employee mishaps and much more.
  • Greater efficiency: By streamlining data handling procedures and establishing clear roles and responsibilities, this compliance can help businesses to operate more efficiently.
  • Continued business with the DoD: Since the DoD awards covered contracts only to suppliers that meet these requirements, compliance lets companies continue, or begin, to offer their products and services to the DoD.

How can businesses become compliant?

There are two primary paths that businesses can take to become NIST 800-171r3 compliant:

  • Handle compliance in-house: Organizations with the IT knowledge and resources can conduct a self-assessment, implement the security controls, develop the required System Security Plan (SSP) and Plan of Action and Milestones (POA&M), and submit an accurate SPRS score themselves. NIST has published a self-assessment handbook (NIST Handbook 162) for this purpose. With the Justice Department pursuing False Claims Act cases against contractors who misrepresent their cybersecurity practices, it is critical that DIB suppliers get this right.
  • Hire a consultant: For organizations that lack the resources, a NIST 800-171 compliance consultant such as Brightline IT has the expertise to assess your current IT systems, implement the required controls across your organization, develop your SSP and POA&M, and help you submit an SPRS score that accurately reflects your current cybersecurity posture. This is often the most efficient and cost-effective path for a large share of DIB suppliers.


The Security Control Families of NIST 800-171r3

NIST 800-171r3 compliance is based on the implementation of 17 control families:

  • Access Control: Limiting access to CUI to authorized users, processes, and devices, and enforcing least privilege and separation of duties.
  • Awareness and Training: Making users aware of the security risks of their activities and training them on their responsibilities, including recognizing and reporting potential incidents.
  • Audit and Accountability: Generating and retaining audit logs so that actions can be traced to individual users and you can determine who accessed CUI and when.
  • Configuration Management: Establishing and maintaining secure baseline configurations for hardware and software, and controlling changes to them.
  • Identification and Authentication: Identifying the users, devices, and processes that request access to your systems and authenticating their identities before granting it.
  • Incident Response: Establishing and maintaining an incident response capability to detect, respond to, and recover from cybersecurity incidents, including reporting incidents to the appropriate authorities and analyzing them to prevent recurrence.
  • Maintenance: Performing and controlling system maintenance, including who performs it and with what tools, so that systems stay patched and protected.
  • Media Protection: Protecting, controlling access to, and sanitizing or destroying media that contains CUI.
  • Personnel Security: Screening individuals before granting them access to CUI and protecting systems when personnel are terminated or transferred.
  • Physical Protection: Securing the physical locations that house your systems to prevent unauthorized on-site access.
  • Risk Assessment: Identifying and assessing risks to the confidentiality, integrity, and availability of your systems and data, and implementing appropriate risk responses.
  • Security Assessment and Monitoring: Assessing and continuously monitoring the effectiveness of your security controls so that they remain effective in safeguarding CUI.
  • System and Communications Protection: Controlling, monitoring, and protecting communications at the external and internal boundaries of your systems.
  • System and Information Integrity: Protecting systems from malicious code; identifying, reporting, and correcting system flaws; and monitoring security alerts so that you can act quickly.
  • Planning: Developing, implementing, and maintaining system security plans that address the controls protecting CUI throughout its lifecycle.
  • System and Services Acquisition: Incorporating security requirements into the acquisition of systems, services, and contractor support so that security is built in from the outset.
  • Supply Chain Risk Management: Assessing and managing risks from your supply chain, ensuring that suppliers and vendors meet security requirements so that they do not put CUI at risk.

The Importance of Submitting Your SPRS Score

After working through and creating your SSP and POA&M, you will, if your contract includes DFARS 252.204-7019 and 252.204-7020, need to post your current NIST SP 800-171 assessment score in the Supplier Performance Risk System (SPRS).

SPRS stores, and controls access to, NIST SP 800-171 assessment scoring information. The NIST SP 800-171 Assessments module records the assessment date, score, scope, and plan of action completion date, together with your Commercial and Government Entity (CAGE) code(s), System Security Plan (SSP) name, SSP version, SSP generation date, and confidence level.

To access the NIST SP 800-171 Assessments module, users must be registered in the Procurement Integrated Enterprise Environment (PIEE) and be approved for access to SPRS. The “SPRS Cyber Vendor User” role is required to enter or edit basic self-assessment information. If a record header for the Highest Level Owner (HLO) does not exist, one may be created.

The NIST SP 800-171 Basic Assessment itself cannot be performed in SPRS; SPRS only stores the results.

For preparation information, including the DoD assessment methodology, refer to the Defense Pricing and Contracting (DPC) Cyber page, Policy – Safeguarding Covered Defense Information and Cyber Incident Reporting.

Questions regarding conducting your NIST SP 800-171r3 assessment should be directed to your Program Office or Contracts Representative or the Defense Contract Management Agency (DCMA) general mailbox listed here: DCMA_7012_Assessment_Inquiry@mail.mil.

Who is responsible for NIST 800-171r3 Compliance?

The responsibility for NIST 800-171r3 compliance lies with the contractor itself. Working with a compliance consultant can help to ensure that all requirements are met, but it does not transfer the obligation, or the accountability for the score you submit to SPRS, away from your organization.

What to Look for in a NIST 800-171r3 Compliance Consultant

When choosing a Compliance Consultant, it is important to look for someone with:

  • Extensive experience with the regulation
  • Expertise in data security
  • Ability to translate complex requirements into concrete, actionable steps

Frequently Asked Questions

If your business intends to continue fulfilling DoD contracts, we’ve assembled a list of FAQs to help you understand these regulations and what they mean for your business.

The Department of Defense, in conjunction with other federal agencies, has implemented a new approach to safeguarding data. It is designed for government contractors and instructs them how to:

  • Safeguard special kinds of data that exist throughout the contract fulfillment process
  • Report breaches of their systems to the DoD
  • Fix any shortfalls in the security of their systems

If you hold a contract with the DoD, or are performing part of such a contract as a subcontractor to another contractor, these regulations apply to you.

SP 800-171 was established by the National Institute of Standards and Technology (NIST) as a set of requirements to protect the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems. Derived from the moderate baseline of NIST SP 800-53, Revision 3 consists of the 17 control families listed above under The Security Control Families of NIST 800-171r3.

The Department of Defense (DoD) has implemented its cybersecurity requirements through a number of policies and contract clauses, chief among them DFARS 252.204-7012. This clause requires you, as the contractor, to implement the security requirements of NIST SP 800-171 (the revision specified in the clause and any applicable class deviation) on the information systems used to process, store, or transmit CUI.

The clause goes beyond NIST SP 800-171 itself by also requiring you to report cyber incidents affecting covered defense information to the DoD, through the DIBNet portal, within 72 hours of discovery.

CUI refers to unclassified information that law, regulation, or government-wide policy requires to be safeguarded or protected from public disclosure. Its many categories include defense information, which DFARS calls Covered Defense Information (CDI). Technical drawings, datasheets, design specifications, and manuals can all be CUI or CDI.

The federal government is coming at this from several angles, including:

  • New DFARS clauses in your contracts
  • New laws that govern liability protections for government contractors
  • New rules for how quickly you must report breaches to the DoD
  • A written standard for security practices in your organization

The DoD specifies which revision of NIST SP 800-171 contractors must meet through DFARS 252.204-7012 and its class deviations; a May 2024 class deviation kept Revision 2 as the required version pending an update to the clause, so check which revision your contract cites. Either way, if you are pursuing a DoD contract, you will need to meet these requirements before it can be awarded.

Here’s the best way to think of it: the contract clauses determine the standard you must follow. Those DFARS clauses also require certain proofs of compliance (your SPRS score, any variance requests) and timely reports (cyber incidents) to be submitted to your contracting officer, your prime contractor, and/or the DoD CIO. Misrepresenting your compliance, or failing to report as required, can expose you to contract remedies and to civil, criminal, or administrative action, including False Claims Act liability.

The presence of certain Defense Federal Acquisition Regulation Supplement (DFARS) clauses in your contracts tells you that you must follow these procedures as a defense contractor.

Some of the most common are:

DFARS 252.204-7008 (Compliance with Safeguarding Covered Defense Information Controls): By submitting an offer, you represent that you will implement NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” on the covered contractor information systems used to perform the contract. If you propose to vary from any requirement, you submit a written explanation to the Contracting Officer, who forwards it to the DoD CIO for adjudication.

DFARS 252.204-7009 (Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information): If your contract has you supporting the DoD’s handling of cyber incident reports (for example, damage assessment or forensic support), you may use and disclose the incident information that other contractors reported only for the purposes the contract authorizes, and you must flow this restriction down to your subcontractors.

DFARS 252.239-7009 (Representation of Use of Cloud Computing): You must represent, when submitting your offer, whether you intend to use cloud computing services in performing the contract.

DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting): This is the central clause. If it is in your contract, you must:

  • Implement the NIST SP 800-171 security requirements on every covered contractor information system used to process, store, or transmit covered defense information, and notify the DoD CIO, via the Contracting Officer, within 30 days of contract award of any requirements not yet implemented.
  • If you cannot meet a particular requirement, submit to the Contracting Officer, for adjudication by the DoD CIO, a request to vary from it or to use an alternative but equally effective measure.
  • Ensure that any external cloud service provider that stores, processes, or transmits covered defense information meets security requirements equivalent to the FedRAMP Moderate baseline and complies with the incident reporting, malicious software, media preservation, and damage assessment requirements of the clause.
  • Rapidly report cyber incidents that affect covered defense information, or your ability to provide operationally critical support, to the DoD within 72 hours of discovery through the DIBNet portal, which requires a DoD-approved medium assurance certificate. You must also preserve images of all known affected systems for at least 90 days from the report and cooperate with any DoD damage assessment.
  • Flow the clause down to subcontractors whose work involves covered defense information or operationally critical support, so that their variance requests and cyber incident reports are handled the same way.

Some prime contractors require proof of compliance before they will let you bid. On the government side, DFARS 252.204-7019 requires a current SPRS score before award, and 252.204-7012 requires you to notify the DoD CIO within 30 days of award of any requirements you have not yet implemented.

Proof of compliance consists of four key items:

  1. A system security plan (SSP). This document describes the systems in your organization that collect, store, and transmit CUI, shows (usually as a diagram) how those systems interconnect and where their boundaries lie, and lists every NIST SP 800-171 security requirement item by item (110 in Revision 2, on which the DoD Assessment Methodology and SPRS scoring are built; 97 in Revision 3) with a statement of how your organization meets it.
  2. A plan of action and milestones (POA&M). For each requirement you do not yet meet, describe how and when you will meet it, or document why it does not apply. You can still receive contract awards without being fully compliant, provided your contracting officer accepts your plan of action and the DoD CIO accepts any variances.
  3. An incident response plan. This document demonstrates that your organization can detect, contain, and report a cyber incident to the DoD within the 72-hour timeline required by the DFARS clauses.
  4. Submission of your compliance score. You must submit the score from your NIST SP 800-171 Basic Assessment to SPRS.

The primary commitment of any organization meeting these compliance standards will be the time spent by their personnel. Even with the help of professionals, the organization will need to provide executive sponsorship, a team of operations, HR, and IT professionals, and must work towards a thorough understanding of the standards outlined in DFARS clauses.

From a financial perspective; the costs of becoming compliant will vary greatly. Most small businesses we’ve met with have spent between $60,000 and $100,000 to become compliant. We’ve also helped some very small contractors achieve compliance for under $10,000, with ongoing costs of only a few thousand dollars per year.

The costs associated with becoming compliant scale based on several factors:

  • The size and complexity of the organization
  • The number of systems that collect, store, and transmit CUI
  • Any previous compliance efforts (ISO certifications, ITAR, etc.) that have accustomed the organization to working to a standard
  • The presence of key technology investments (such as a domain network, a well-designed Active Directory, a next-generation firewall, etc.) that can be adjusted rather than replaced
  • Written policies, procedures, and response plans

Ultimately, an organization needs to make a long-term commitment to meet these standards, and to incorporate strong security practices into their culture.

The first thing you should determine is whether you even want to fulfill defense contracts. Many organizations began government contracting as a way to diversify their revenue streams. That’s still a valid reason, but companies need to decide if they’re in a position to dedicate the time and resources towards meeting the standards that are defined in these clauses, and still be profitable.

Next, you should map the presence of CUI in your organization, and determine how many of your systems, applications, and users are involved in processes that contain CUI. This will help you to understand whether CUI is pervasive throughout your organization, or whether it is contained within a few systems or user groups.

Once you have a scope of CUI-related environments, you can decide whether you should apply the new standards to a controlled subset of your business, or across the entire organization. Understanding the “scope of standards” will allow you to scale your expectations for the commitment of time and resources required to continue government contracting.

Brightline can assist with these steps. We will apply our experience in meeting NIST SP800-171r3 requirements for cybersecurity to your business which can shorten the overall process for becoming compliant. We offer the following services to jump start or lead your organization towards compliance.

Our Initial Engagement will provide you with information regarding DFARS, DFARS clauses, and the NIST SP800-171r3 standard and required documentation for you to meet your initial compliance.

With our Program Management, we take on the role of Compliance Specialist for your company. We provide on-going guidance and direction for implementing technical solutions to satisfy and maintain full compliance with NIST SP800-171r3.

Current DoD suppliers must have posted a NIST SP 800-171 Basic Assessment score in the U.S. Government’s Supplier Performance Risk System (SPRS); producing that score requires a System Security Plan and a POA&M for any unmet requirements. DFARS 252.204-7019 requires the score to be current (not more than three years old) at the time of award.

Until CMMC assessment requirements appear in your contracts, businesses intending to work with the DoD must perform this self-assessment to determine their SPRS score. The score must be accurate: the Justice Department has pursued False Claims Act cases against contractors whose claimed posture did not match what assessors later found.

How Brightline IT Can Help

Brightline IT is a leading provider of NIST SP 800-171r3 Compliance Services. We can help businesses assess their data handling procedures, update their policies and procedures to meet requirements of the regulation, and train employees on how to comply with the new procedures. We can provide a complete solution to meet your needs.

Contact Us Call Us: (248) 886-0248