Beyond SSP’s and POA&Ms; Successfully Implementing the NIST 800-171 Security Requirements

By Eric Noonan • June 18, 2019

The recently announced Cybersecurity Maturity Model Certification (CMMC) scheduled for completion by January 2020 has many DoD contractors scrambling to anticipate how to prepare (learn more about the CMMC announcement here). While there are many unknowns regarding what the CMMC will ultimately look like, DoD contractors should focus on what is already known and currently mandatory with DFARS 252.204-7012, which requires the implementation of NIST 800-171. Stop trying to read the tea leaves and doing the bare minimum by writing System Security Plans (SSP’s) and start implementing the 110 security requirements of NIST 800-171. Demonstrable action, that is NIST 800-171 control implementation, is the best way to prepare for the CMMC.

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, recently said that only 1% of the Defense Industrial Base has implemented the required controls.  “If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1% of [Defense Industrial Base] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”

Why are Contractors Delaying NIST 800-171 Implementation?

Across hundreds of NIST 800-171 implementations, CyberSheath has found the most common reason for delay by DoD contractors has come down to, “Who is going to pay for this?”

Arrington clearly spoke to that concern last week at an event sponsored by the Professional Services Council in Arlington, Virginia, saying “I need you all now to get out your pens and you better write this down and tell your teams: Hear it from Katie Arrington, who got permission to say it from Mr. [Kevin] Fahey [the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment] security is an allowable cost. Amen, right?”

After more than a decade of policy, law, memorandums and continued momentum towards enforcement businesses who continue to delay actual implementation of the 110 security requirements will be in a far worse position come January 2020 when the CMMC rolls out. Don’t wait, implement the NIST 800-171 security requirements in a way that is actionable, measurable and audit ready.

Beyond Your SSP’s and POA&Ms

Compliance with the DFARS and NIST requirements involves much more than writing a SSP’s and vendors selling you a tool to get compliant are misleading you. There are 110 security requirements in NIST 800-171 and you have to actually implement them, there isn’t a single product to solve this problem. Implementing security requirements like multifactor authentication, incident response, encryption and more require thoughtful decisions leveraging what you already own. For the gaps identified in your existing people, processes, and technologies a product purchase, if required, needs to be part of the larger plan to achieve compliance. Too often businesses are over-sold on silver bullet product purchases that aren’t thoughtfully integrated into a system of documented and repeatable control implementation.

5 Steps to DFARS Compliance

To enable compliance as a documented, automated outcome of day-to-day operations download our 5 Steps to DFARS Compliance Guide. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget. Act now to move from thinking about implementation to taking action towards full compliance.



CyberSheath Blog

How to Safeguard Your Company from Phishing

Email is so ubiquitous in our everyday lives that it can be a challenge to always be on guard when receiving messages. Each day it’s not unheard of for each member of your team to have hundreds of messages land in their inbox. How do you make sure that none…

3 Tools to Help Defend Your IT Infrastructure from Threats

With the continually evolving threat landscape and the prevalence of team members working from home, it is more important than ever to be proactive with how your company is protecting itself from cyberattacks.  CyberSheath can help. We offer services to build on all the great work you have already done…

DNS Filtering for Additional Protection of IT Systems

Phase one of securing your IT infrastructure should include protecting your endpoints and safeguarding your employees from phishing attempts. After you have implemented these controls, the next logical step is to launch a DNS filtering solution.   What is DNS filtering and why do you need it? Domain name server…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO