Cut Through the Confusion in Complying with NIST 800-171 Rev. 1

By Eric Noonan • December 26, 2017

It’s time to demonstrate compliance with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 1 (NIST 800-171), “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”.

There is No Excuse for Non-compliance

Originally, Department of Defense (DoD) primes and subcontractors had until December 31, 2017, to demonstrate compliance with NIST 800-171. Recently, however, Ellen Lord, the Under Secretary of Defense for Acquisition, Technology, and Logistics, offered conflicting information in testimony to the Senate Armed Services Committee. “We said that clearly, the only requirement for this year is to lay out what your plan is,” she said at the December 7th hearing. “That can be a very simple plan. We can help you with that plan. We can give you a template for that plan. Then just report your compliance with it.”

Bear in mind that those words are not the only official position on the matter. That guidance was contradicted by a Pentagon spokesman, who said the change should not be considered a delay of the deadline, since contractors must still document by December 31st how they will implement the new rules.

The clear takeaway is that this requirement for doing business with the DoD is not going away. Given the years of delays and the widely available information about the requirements, there will be no excuse for non-compliance. The Director, Defense Pricing/Defense Procurement and Acquisition Policy, has issued guidance on how compliance will be factored into acquisition decisions, which we explain here: http://www.cybersheath.com/understanding-nist-800-171-impact-acquisition/

4 Steps to Compliance with NIST 800-171

Note that these steps are not simple: you have to put in the work to get the results. Another tip: ignore vendors trying to sell you a product that will easily achieve compliance, because no such product exists. Many of the 110 security requirements in the NIST standard deal with process, and how you implement them will be unique to your business.

To stay competitive in the DoD acquisition process and comply with NIST 800-171, you should immediately:

  1. Assess current operations for compliance with NIST 800-171 – Start with a gap assessment of your current people, process, and technology against the NIST 800-171 requirements. When done correctly, an assessment will:
    • Directly address Security Requirement 3.12.1 of NIST 800-171, which requires that you “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.”
    • Give you a clear view of your current compliance with the remaining requirements.
    • Produce the input for a System Security Plan (SSP) and associated Plans of Action & Milestones (POA&Ms), both of which are NIST SP 800-171 requirements.
  2. Write your SSP & POA&Ms – NIST 800-171 was revised (Revision 1) in December 2016 to require a “system security plan” (SSP) and associated “plans of action” (POA&Ms). Initially, your SSP will be an aspirational document, because you will find that many of the 110 NIST SP 800-171 requirements are not fully implemented in your environment. Your POA&Ms will detail your plans to remediate those deficiencies and achieve compliance. The requirements are:
    • Security Requirement 3.12.4 (System Security Plan, added in Revision 1) requires the contractor to develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
    • Security Requirement 3.12.2 (Plans of Action) requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.
    • These plans can be documented in a variety of formats, but at a minimum each POA&M entry should record:
      • The deficiency identified
      • The plan to correct the deficiency (people, process, and/or technology)
      • The date by which you intend to be compliant with that specific requirement
  3. Implement the required controls – Execute your POA&Ms and achieve full compliance with NIST 800-171. This is likely to be a full-time effort; if you are using only internal resources, remember that they already have day jobs, so set your expectations accordingly. If you work with a third party to implement the controls, look for the following:
    • Have they implemented the NIST 800-171 controls for similar-sized businesses?
    • Have they solved the unique challenges of implementing NIST 800-171 controls in manufacturing, lab, and engineering environments?
    • Ask for and check references.
  4. Maintain compliance – If you have made it this far, congratulations! Now plan for ongoing compliance in a way that provides:
    • Documented and automated compliance reporting
    • Support for Request for Proposal (RFP) responses and other acquisition-related business development activities
    • Budget for the ongoing operational expense of maintaining compliance

Compliance is a Journey – and Not a Destination

Your SSP will need to be updated as your business changes, and specific control implementations need to be continually validated. If you use a Managed Security Services Provider (MSSP), have them map the work they do back to the NIST 800-171 requirements it supports, and modify your contract to provide for periodic compliance reporting. For the controls maintained by in-house staff, automate control validation and reporting so that you can demonstrate compliance on a near-real-time basis.
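The POA&M fields listed under step 2 and the automated control validation and reporting recommended here can be wired together in a small script. The following is an added example, not code from the article or from CyberSheath: it runs a handful of checks mapped to NIST SP 800-171 Rev. 1 requirements over collected system evidence, reports per-requirement status for the SSP, and emits a POA&M entry with the deficiency, the plan, and the target date for each failure. The evidence layout (`max_failed_logons`, `session_timeout_min`, and so on), the policy thresholds, the remediation actions, the two sample systems, and the assessment date are all assumptions made for this example; only the requirement numbers and their statements are from the publication.

```python
"""Automated control validation with POA&M generation (added example).

Runs a few checks mapped to NIST SP 800-171 Rev. 1 requirements over collected
system evidence and writes a POA&M entry, with the three minimum fields the
article lists, for each failure. Only the requirement IDs and statements come
from the publication; evidence keys, thresholds and plan text are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class CheckResult:
    control_id: str
    system: str
    passed: bool
    finding: str  # what the evidence showed

# A check takes one system's evidence dict (shape assumed) and returns None on
# pass or a finding on fail. Thresholds are assumed policy values, not NIST's.
def check_lockout(ev: dict) -> Optional[str]:
    v = ev.get("max_failed_logons")
    if v is None or v <= 0 or v > 10:
        return f"max_failed_logons={v}; lockout must be enabled and <= 10"
    return None

def check_session_timeout(ev: dict) -> Optional[str]:
    v = ev.get("session_timeout_min")
    if v is None or v <= 0 or v > 15:
        return f"session_timeout_min={v}; must be set and <= 15"
    return None

def check_password_complexity(ev: dict) -> Optional[str]:
    length, classes = ev.get("min_password_length", 0), ev.get("required_char_classes", 0)
    if length < 14 or classes < 3:
        return f"min_password_length={length}, required_char_classes={classes}; need >= 14 and >= 3"
    return None

def check_patching(ev: dict) -> Optional[str]:
    days = ev.get("days_since_last_patch")
    if days is None or days > 30:
        return f"days_since_last_patch={days}; must be <= 30"
    return None

# id -> (statement quoted from NIST SP 800-171 Rev. 1, check, assumed remediation plan)
CONTROLS = {
    "3.1.8": ("Limit unsuccessful logon attempts.", check_lockout,
              "Enable account lockout in the configuration baseline (technology)."),
    "3.1.11": ("Terminate (automatically) a user session after a defined condition.",
               check_session_timeout,
               "Set the session timeout in the configuration baseline (technology)."),
    "3.5.7": ("Enforce a minimum password complexity and change of characters when new "
              "passwords are created.", check_password_complexity,
              "Enforce the password policy centrally and retrain users (technology, people)."),
    "3.14.1": ("Identify, report, and correct system flaws in a timely manner.", check_patching,
               "Enroll the system in the monthly patch cycle (process)."),
}

def run_assessment(evidence: Dict[str, dict]) -> List[CheckResult]:
    """Run every mapped check against every system's evidence."""
    results: List[CheckResult] = []
    for system, ev in evidence.items():
        for cid, (_stmt, check, _plan) in CONTROLS.items():
            finding = check(ev)
            results.append(CheckResult(cid, system, finding is None, finding or "compliant"))
    return results

def summarize(results: List[CheckResult]) -> Dict[str, str]:
    """Per-requirement status for the SSP: 'implemented' only if every system passes."""
    status: Dict[str, str] = {}
    for r in results:
        if not r.passed:
            status[r.control_id] = "not implemented"
        else:
            status.setdefault(r.control_id, "implemented")
    return status

def build_poam(results: List[CheckResult], assessed_on: date,
               remediation_days: int = 90) -> List[dict]:
    """One POA&M entry per failing check: deficiency, plan, and target date."""
    target = assessed_on + timedelta(days=remediation_days)
    return [{"control": r.control_id, "system": r.system,
             "deficiency": f"{CONTROLS[r.control_id][0]} Finding: {r.finding}",
             "plan": CONTROLS[r.control_id][2], "target_date": target.isoformat()}
            for r in results if not r.passed]

SAMPLE_EVIDENCE = {  # constructed evidence for two systems, not real data
    "fileserver01": {"max_failed_logons": 5, "session_timeout_min": 10, "min_password_length": 14,
                     "required_char_classes": 3, "days_since_last_patch": 12},
    "cad-workstation07": {"max_failed_logons": 0, "session_timeout_min": 60, "min_password_length": 8,
                          "required_char_classes": 1, "days_since_last_patch": 95},
}
ASSESSMENT_DATE = date(2017, 12, 31)  # constructed assessment date

if __name__ == "__main__":
    assessed = run_assessment(SAMPLE_EVIDENCE)
    print(summarize(assessed))
    print(*build_poam(assessed, ASSESSMENT_DATE), sep="\n")
```

With the constructed evidence, fileserver01 passes every check and cad-workstation07 fails all four, so `summarize` marks all four requirements "not implemented" (a requirement counts as implemented only when every in-scope system passes) and `build_poam` produces four entries due 90 days after the assessment date. In practice the evidence dict would be populated by whatever configuration management or MSSP tooling you already run, and the report regenerated on a schedule so the SSP status and open POA&M items stay current.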

Achieving NIST 800-171 compliance is not easy, but the process does not have to be complicated. If you need help staying competitive under this DoD mandate, contact us at sales@cybersheath.com.
