Calling Industry's Bluff: The DoD Emergency Action on NIST 800-171 Compliance
The Department of Defense (DoD) has instituted an emergency action, possibly to confirm what is already widely known about cybersecurity compliance among the defense industrial base (DIB). Self-certification for defense contractors has enabled “barely there” cybersecurity unless you are one of the small number of contractors who took it seriously.
The action, approved by the Office of Information and Regulatory Affairs (OIRA), requires offerors and contractors to assess their compliance with DFARS clause 252.204-7012 and NIST 800-171. All offerors and contractors must submit a basic self-assessment, or a medium or high assessment conducted by DoD assessors. Details are scarce and the connection to the Cybersecurity Maturity Model Certification (CMMC) is anyone’s guess, but for contractors who have previously self-certified as compliant but have not actually implemented the controls, this could be problematic, to say the least.
The DoD has previously accepted a contractor’s self-attestation and contractors have had a statistically low risk of an audit, but now they have to produce evidence of what they’ve been saying all along. This emergency rule isn’t just a call to action. It’s the DoD calling the DIB’s bluff. If anyone doubted the seriousness of the DoD’s efforts to avert data loss, this emergency action should be evidence enough that they want the data to confirm or refute claims of compliance.
Contractors may find themselves between a rock and a hard place with this new requirement as they balance previous attestation claims and best intentions against minimal compliance efforts. Many contractors kept waiting for the “cyber police” to show up, and when they never came, it was largely business as usual. The cyber police are here and it’s time to get your house in order.
Taking steps now, in response to this emergency action, will not only bring you into compliance with existing requirements but prepare you for CMMC as well. By focusing on compliance with NIST 800-171, you’ll be 85% of the way to CMMC ML 3 compliance if/when it arrives. If it never arrives, an unlikely outcome, you will at least have met your current contractual obligations.
So where do you start? We’ve developed a proven, audit-tested methodology over hundreds of assessments to enable contractors to meet NIST 800-171 compliance.
Follow our five-step process for success:
1. Assess current operations for compliance with NIST 800-171.
Start with a gap assessment of your current people, processes, and technology against compliance with NIST 800-171. This assessment will:
- Directly link to Control 3.12.1 of NIST 800-171, which requires that you “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.”
- Give you a clear view of your current compliance with the remaining controls.
- Generate a System Security Plan (SSP) and associated Plan of Actions & Milestones (POA&Ms), both of which are NIST SP 800-171 requirements.
2. Write your SSP.
NIST 800-171, Revision 1, requires contractors to develop, document, and periodically update SSPs that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Initially, your SSP will be an aspirational document. You’ll find that many of the 110 required NIST SP 800-171 controls are not fully implemented in your environment. A common mistake is to write an SSP that doesn’t reflect the reality of control implementation.
3. Document your POA&Ms.
Also a requirement of NIST 800-171, Revision 1, your POA&Ms will detail your plans to correct deficiencies, reduce or eliminate vulnerabilities, and achieve compliance.
These plans can be documented in a variety of formats, but at a minimum, they should detail:
- The deficiency identified
- The plan to correct the deficiency (people, processes, and/or technology)
- Dates by which you intend to be compliant against the specific deficiency
Well-documented POA&Ms will enable eventual mapping to CMMC maturity levels.
Note that SSPs and POA&Ms can be documented as separate or combined documents. You should choose a format that integrates with existing business processes and can be easily maintained.
4. Implement the required controls.
Execute your POA&Ms and achieve full compliance with NIST 800-171. This is probably going to be a full-time effort and, depending on your resources, you can benefit from working with a third party to implement the controls.
If you’re looking for an effective partner, make sure to ask the following questions:
- Have they implemented the NIST 800-171 controls for similar-sized businesses?
- Have they solved the unique challenges that come with implementing NIST 800-171 controls in manufacturing, lab, and engineering environments?
- Can they provide several references?
5. Maintain compliance.
Once you’ve made it this far, it’s time to plan for ongoing compliance. You’ll need to achieve the following:
- Documented and automated compliance reporting
- Support Request for Proposal (RFP) and other acquisition-related business development activities
- Ongoing operational expense related to maintaining compliance
For almost two years now, we’ve been telling clients that their focus is and should always have been on NIST 800-171 compliance, as mandated in DFARS clause 252.204-7012. Now the DoD is clamping down on noncompliance. As we look ahead to CMMC, taking action now will put you in a better position when the next action arrives.