Beyond SSP’s and POA&Ms; Successfully Implementing the NIST 800-171 Security Requirements

By Eric Noonan • June 18, 2019

The recently announced Cybersecurity Maturity Model Certification (CMMC) scheduled for completion by January 2020 has many DoD contractors scrambling to anticipate how to prepare (learn more about the CMMC announcement here). While there are many unknowns regarding what the CMMC will ultimately look like, DoD contractors should focus on what is already known and currently mandatory with DFARS 252.204-7012, which requires the implementation of NIST 800-171. Stop trying to read the tea leaves and doing the bare minimum by writing System Security Plans (SSP’s) and start implementing the 110 security requirements of NIST 800-171. Demonstrable action, that is NIST 800-171 control implementation, is the best way to prepare for the CMMC.

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, recently said that only 1% of the Defense Industrial Base has implemented the required controls.  “If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1% of [Defense Industrial Base] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”

Why are Contractors Delaying NIST 800-171 Implementation?

Across hundreds of NIST 800-171 implementations, CyberSheath has found the most common reason for delay by DoD contractors has come down to, “Who is going to pay for this?”

Arrington clearly spoke to that concern last week at an event sponsored by the Professional Services Council in Arlington, Virginia, saying “I need you all now to get out your pens and you better write this down and tell your teams: Hear it from Katie Arrington, who got permission to say it from Mr. [Kevin] Fahey [the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment] security is an allowable cost. Amen, right?”

After more than a decade of policy, law, memorandums and continued momentum towards enforcement businesses who continue to delay actual implementation of the 110 security requirements will be in a far worse position come January 2020 when the CMMC rolls out. Don’t wait, implement the NIST 800-171 security requirements in a way that is actionable, measurable and audit ready.

Beyond Your SSP’s and POA&Ms

Compliance with the DFARS and NIST requirements involves much more than writing a SSP’s and vendors selling you a tool to get compliant are misleading you. There are 110 security requirements in NIST 800-171 and you have to actually implement them, there isn’t a single product to solve this problem. Implementing security requirements like multifactor authentication, incident response, encryption and more require thoughtful decisions leveraging what you already own. For the gaps identified in your existing people, processes, and technologies a product purchase, if required, needs to be part of the larger plan to achieve compliance. Too often businesses are over-sold on silver bullet product purchases that aren’t thoughtfully integrated into a system of documented and repeatable control implementation.

5 Steps to DFARS Compliance

To enable compliance as a documented, automated outcome of day-to-day operations download our 5 Steps to DFARS Compliance Guide. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget. Act now to move from thinking about implementation to taking action towards full compliance.



Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft