Cut Through the Confusion in Complying with NIST 800-171 Rev. 1
It’s time to demonstrate compliance with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 1 (NIST 800-171), “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”.
There is No Excuse for Non-compliance
Originally, Department of Defense (DoD) primes and subcontractors had until December 31, 2017, to demonstrate compliance with NIST 800-171. Recently, however, Ellen Lord, the defense undersecretary for acquisition, technology, and logistics, offered the Senate Armed Services Committee a bit of conflicting information. “We said that clearly, the only requirement for this year is to lay out what your plan is,” she said at the December 7th hearing. “That can be a very simple plan. We can help you with that plan. We can give you a template for that plan. Then just report your compliance with it.”
Bear in mind that those words do not reflect the only position within the Department on the matter. Indeed, that guidance was contradicted by a Pentagon spokesman, who said the change should not be considered a delay of the deadline, since contractors must still document by December 31st how they will implement the new rules.
The clear takeaway: this requirement for doing business with the DoD isn’t going away. Given the years of delays and the widely available information about the requirements, there will be no excuse for non-compliance. The Director, Defense Pricing/Defense Procurement and Acquisition Policy has issued guidance on how compliance will be factored into acquisition decisions; we explain it here: http://www.cybersheath.com/understanding-nist-800-171-impact-acquisition/
4 Steps to Compliance with NIST 800-171
Note that these steps are not simple – you have to put in the work to get the results. Another tip: ignore vendors trying to sell you a product that will easily achieve compliance, because no such product exists. Many of the 110 security requirements in the NIST standard are about process, and how you implement them will be unique to your business.
To stay competitive in the DoD acquisition process and comply with NIST 800-171, you should start immediately on the following four steps:
- Assess current operations for compliance with NIST 800-171 – Start with a gap assessment of your current people, process, and technology against the NIST 800-171 requirements. Done correctly, an assessment will:
  - Directly address Security Requirement 3.12.1 of NIST 800-171, which requires that you “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.”
  - Give you a clear view of your current compliance with the remaining requirements.
  - Produce the inputs for a System Security Plan (SSP) and associated Plans of Action & Milestones (POA&Ms), both of which are NIST SP 800-171 requirements.
- Write your SSP and POA&Ms – NIST 800-171 was revised (Revision 1) in December 2016 to require a “system security plan” (SSP) and associated “plans of action” (POA&Ms). Initially, your SSP will be an aspirational document, because you will find that many of the 110 NIST SP 800-171 requirements are not fully implemented in your environment. Your POA&Ms detail how you will remediate each deficiency and reach compliance. The requirements are:
  - Security Requirement 3.12.4 (System Security Plan, added in Revision 1) requires the contractor to develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
  - Security Requirement 3.12.2 (Plans of Action) requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.
  - These plans can be documented in a variety of formats, but at a minimum each should record:
    - The deficiency identified
    - The plan to correct the deficiency (people, process, and/or technology)
    - The date by which you intend to be compliant for that specific deficiency
- Implement the required controls – Execute your POA&Ms and achieve full compliance with NIST 800-171. This is likely to be a full-time effort; if you are using only internal resources, remember that they already have day jobs, and set your expectations accordingly. If you work with a third party to implement the controls, ask:
  - Have they implemented the NIST 800-171 controls for similar-sized businesses?
  - Have they solved the unique challenges of implementing NIST 800-171 controls in manufacturing, lab, and engineering environments?
  - Can they provide references? Ask for them and check them.
- Maintain compliance – If you have made it this far, congratulations! Now plan for ongoing compliance, which means providing for:
  - Documented and automated compliance reporting
  - Support for Request for Proposal (RFP) responses and other acquisition-related business development activities
  - The ongoing operational expense of maintaining compliance
Compliance is a Journey – and Not a Destination
Your SSP will need to be updated as your business changes, and specific control implementations need to be continually validated. If you use a Managed Security Services Provider (MSSP), have them map the work they do back to the NIST 800-171 requirements it supports, and modify your contract to provide for periodic reporting. For the controls maintained by in-house staff, automate control validation and reporting so that you can demonstrate compliance at any time rather than only at audit time.
Achieving NIST 800-171 compliance isn’t easy, but the process doesn’t have to be complicated. If you need help staying competitive under this DoD mandate, contact us at firstname.lastname@example.org.
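As an added example (not from the original post, and not any vendor's tool), the script below shows what "automated control validation and reporting" can look like for the three documentation requirements the post names: it runs a check per requirement ID against exported evidence and rolls the findings up per requirement. The evidence shape (a dict of ISO dates, SSP sections, and POA&M records carrying the three minimum fields listed above: deficiency, plan, target date), the field names, the 365-day review interval, and the sample records are all assumptions constructed for the example; the requirement IDs and what they ask for follow the post.

```python
"""Control-evidence checker keyed by NIST SP 800-171 requirement ID.

Added example, not part of the original post. The evidence layout, field
names, review interval and sample records are assumptions; the requirement
IDs (3.12.1, 3.12.2, 3.12.4) and their intent follow NIST SP 800-171 Rev. 1.
"""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=365)  # assumed "periodic" interval; set it in your SSP

# Constructed sample evidence, shaped like an export from a ticketing/GRC tool.
SAMPLE_EVIDENCE = {
    "last_assessment": "2017-06-01",
    "ssp": {
        "last_reviewed": "2017-11-15",
        # The four things 3.12.4 says an SSP must describe (assumed section keys).
        "sections": {
            "system_boundary": True,
            "environment_of_operation": True,
            "requirement_implementation": True,
            "external_connections": False,   # not yet written up
        },
    },
    "poams": [
        {"id": "POAM-1", "deficiency": "Shared admin account on file server",
         "plan": "Create named admin accounts; disable shared account",
         "target_date": "2018-03-31"},
        {"id": "POAM-2", "deficiency": "MFA not enforced for remote network access",
         "plan": "",                        # deficiency logged, no plan written yet
         "target_date": "2018-02-28"},
        {"id": "POAM-3", "deficiency": "Audit logs not retained centrally",
         "plan": "Forward logs to central collector",
         "target_date": "2017-10-01"},      # milestone already missed
    ],
}


@dataclass
class Finding:
    requirement: str   # NIST SP 800-171 requirement ID the evidence maps to
    status: str        # "PASS" or "FAIL"
    detail: str


def _d(iso):
    return date.fromisoformat(iso)


def check_assessment(evidence, today):
    """3.12.1: controls are periodically assessed (evidence: date of last assessment)."""
    last = _d(evidence["last_assessment"])
    age = today - last
    ok = age <= REVIEW_INTERVAL
    return [Finding("3.12.1", "PASS" if ok else "FAIL",
                    f"last assessment {last}, {age.days} days ago")]


def check_poams(evidence, today):
    """3.12.2: every POA&M names the deficiency, a remediation plan and a target
    date, and no target date has already passed without being closed."""
    findings = []
    for p in evidence["poams"]:
        missing = [k for k in ("deficiency", "plan", "target_date") if not p.get(k)]
        if missing:
            findings.append(Finding("3.12.2", "FAIL", f"{p['id']} missing {', '.join(missing)}"))
        elif _d(p["target_date"]) < today:
            findings.append(Finding("3.12.2", "FAIL", f"{p['id']} overdue since {p['target_date']}"))
        else:
            findings.append(Finding("3.12.2", "PASS", f"{p['id']} due {p['target_date']}"))
    return findings


def check_ssp(evidence, today):
    """3.12.4: the SSP is periodically updated and covers boundary, environment,
    how requirements are implemented, and connections to other systems."""
    ssp = evidence["ssp"]
    age = today - _d(ssp["last_reviewed"])
    findings = [Finding("3.12.4", "PASS" if age <= REVIEW_INTERVAL else "FAIL",
                        f"SSP last reviewed {ssp['last_reviewed']}, {age.days} days ago")]
    for name in ("system_boundary", "environment_of_operation",
                 "requirement_implementation", "external_connections"):
        present = bool(ssp["sections"].get(name))
        findings.append(Finding("3.12.4", "PASS" if present else "FAIL",
                                f"SSP section {name} {'present' if present else 'missing'}"))
    return findings


CHECKS = (check_assessment, check_poams, check_ssp)


def run_checks(evidence, today_iso):
    """Run every check as of the given ISO date; returns the flat list of findings."""
    today = _d(today_iso)
    findings = []
    for check in CHECKS:
        findings.extend(check(evidence, today))
    return findings


def summarize(findings):
    """Roll findings up per requirement ID: a single FAIL fails the requirement."""
    status = {}
    for f in findings:
        if f.status == "FAIL" or f.requirement not in status:
            status[f.requirement] = f.status
    return status


if __name__ == "__main__":
    results = run_checks(SAMPLE_EVIDENCE, "2017-12-15")
    for f in results:
        print(f"{f.requirement:7} {f.status:4} {f.detail}")
    print(summarize(results))
```

Run on the sample evidence as of 2017-12-15, the assessment check passes, 3.12.2 fails twice (POAM-2 has no plan, POAM-3 is overdue) and 3.12.4 fails once (the external-connections section is missing), so the roll-up reports 3.12.1 PASS and the other two FAIL. Re-running with a later date is how the same script catches drift: by mid-2018 the unchanged assessment date alone is enough to fail 3.12.1. Wiring a real evidence export in place of the constructed dict, and adding one check function per technical control your in-house staff own, is the "automate control validation" step the paragraph above describes.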