NIST Compliance FAQ
Your guide to the NIST SP800-171 regulations.
Your guide to the NIST SP800-171 regulations.
In recent years, the Department of Defense, along with several other federal agencies, have grown increasingly concerned about the state of information security within the non-federal systems and organizations with which it does business. While many businesses fulfill contracts with the DoD without handling classified information, even unclassified documents can be sensitive enough to pose a risk to information security.
Responding to these concerns, the National Institute of Standards and Technology issued a series of regulatory guidelines designed to help businesses contracting with the federal government better protect this sensitive data. These protocols are known as NIST SP 800–171.
Businesses who intend to continue fulfilling DoD contracts—as well as those who hope to fulfill such contracts in the future—must meet these standards to qualify. Achieving NIST SP 800–171 compliance will also help businesses prepare for Cybersecurity Maturity Model Certification (CMMC) requirements.
If your business intends to continue fulfilling DoD contracts, we’ve assembled a list of FAQs to help you understand these regulations and what they mean for your business.
The Department of Defense, in conjunction with various federal agencies, have implemented an entirely new approach for safeguarding data. This approach is designed for government contractors. It instructs them as to how they should:
If you hold a contract with the DoD, or are fulfilling part of that contract on behalf of another contracting agency, these regulations apply to you.
SP 800-171 was established by the National Institute of Standards and Technology (NIST) as a set of guidelines and best practices to protect the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems. Derived from NIST SP 800-53, NIST SP 800-171 consists of 14 control families including:
The Department of Defense (DoD) has implemented a number of cybersecurity controls and practices through different policies and clauses, which includes DFARS 252.204-7012. This clause requires you, as the contractor, to follow the guidelines specified within NIST SP 800-171 to safeguard information systems that are used to process, store, or transmit CUI.
CUI refers to unclassified information that may be deemed sensitive and/or protected from public disclosure. CUI’s categorization includes many types of information including defense information, also known as Covered Defense Information or CDI. Defense information such as technical drawings, datasheets, designs specs, or manuals can all be considered as CUI or CDI.
The federal government is coming at this from several angles, including:
These new mechanisms went into effect on December 31st, 2018. If you are pursuing a DoD contract, you will need to meet these regulations before it can be granted.
Here’s the best way to think of it: the contract clauses determine the standard you must follow. The standards (defined in the DFARS clauses) require that certain proofs of compliance or timely reports be submitted to your contracting officer, prime contractor, and/or the DoD CIO. Not following those standards can result in liability protections (afforded to you as a federal contractor) being lifted, which would expose you to criminal, civil, or administrative action.
The presence of certain Defense and Federal Acquisition Regulation Supplement (DFARS) clauses in your contracts inform you that you must indeed follow these new procedures as a defense contractor.
Some of the most common are:
DFARS 252.204-7008: By submitting a bid for this contract, you are committing to implement a new data security standard (NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”) within 30 days of being awarded the contract.
DFARS 252.204-7009: The controlled data you receive from the government can only be used for government contracting purposes. You must also make sure that your subcontractors understand and agree to this restriction.
DFARS 252.239-7009: You must tell the federal government if you plan on using cloud computing while fulfilling the contract.
DFARS 252.204-7012: This is the big clause. If this clause is found in your contract, then you must do the following:
Some prime contractors are asking for proof of compliance before you can bid on new contracts. The federal government (and contracting officers) are requiring proof of compliance within 30 days of contract award.
Proof of compliance consists of three key documents:
The primary commitment of any organization meeting these compliance standards will be the time spent by their personnel. Even with the help of professionals, the organization will need to provide executive sponsorship, a team of operations, HR, and IT professionals, and must work towards a thorough understanding of the standards outlined in DFARS clauses.
From a financial perspective; the costs of becoming compliant will vary greatly. Most small businesses we’ve met with have spent between $60,000 and $100,000 to become compliant. We’ve also helped some very small contractors achieve compliance for under $10,000, with ongoing costs of only a few thousand dollars per year.
The costs associated with becoming compliant scale based on several factors:
Ultimately, an organization needs to make a long-term commitment to meet these standards, and to incorporate strong security practices into their culture.
The first thing you should determine is whether you even want to fulfill defense contracts. Many organizations began government contracting as a way to diversify their revenue streams. That’s still a valid reason, but companies need to decide if they’re in a position to dedicate the time and resources towards meeting the standards that are defined in these clauses, and still be profitable.
Next, you should map the presence of CUI in your organization, and determine how many of your systems, applications, and users are involved in processes that contain CUI. This will help you to understand whether CUI is pervasive throughout your organization, or whether it is contained within a few systems or user groups.
Once you have a scope of CUI-related environments, you can decide whether you should apply the new standards to a controlled subset of your business, or across the entire organization. Understanding the “scope of standards” will allow you to scale your expectations for the commitment of time and resources required to continue government contracting.
Brightline can assist with these steps. We will apply our experience in meeting NIST SP800-171 requirements for cybersecurity to your business which can shorten the overall process for becoming compliant. We offer the following services to jump start or lead your organization towards compliance.
Our Initial Engagement will provide you with information regarding DFARS, DFARS clauses, and the NIST SP800-171 standard and required documentation for you to meet your initial compliance.
With our Program Management, we take on the role of Compliance Specialist for your company. We provide on-going guidance and direction for implementing technical solutions to satisfy and maintain full compliance with NIST SP800-171.
Current DoD suppliers must have posted a NIST SP 800-171r2 adherence score in the U.S. Government’s Supplier Performance Risk System (SPRS), which requires a client to generate a System Security Plan and include a POAM (if necessary). This score is required by DFARS rule 252.204-7019.
While the CMMC Final Rule making process is ongoing, businesses intending to work with the DoD must perform a self-assessment in order to determine their Supplier Performance Risk System (SPRS) score. The SPRS score must be accurate, as there are penalties if a business claims a score and then fails to meet those standards under audit.