How to Ensure NIST 800-171 Subcontractor Compliance

By Eric Noonan • January 11, 2018

The December 31, 2017 deadline for creating a System Security Plan (SSP) and associated Plans of Action & Milestones (POA&Ms) aligned with NIST special publication 800-171 requirements has passed. If you are a DoD prime contractor, now it’s time to focus subcontractor compliance.

Subcontractor Compliance and CDI

DFARS 252.204-7012 (“the DFARS cyber clause”) compelled you to validate your own compliance status and address any cybersecurity gaps. As a prime, you have satisfied your in-house compliance obligations. Now it’s time to turn your attention to your subcontractors since the DFARS cyber clause must be flowed down to all suppliers or subcontractors that store, process and/or generate Covered Defense Information (“CDI”) as part of contract performance.

Keep in mind that CDI is defined as “unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is:

  1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
  2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Controlled technical information is technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.”

How to Ensure Subcontractor Compliance

Subcontractors can achieve compliance with the NIST 800-171 Rev. 1 requirements in a variety of ways including flow down of the 252.204-7012 clause in subcontract documents that contain detailed communication with the specific requirements of the DFARS cyber clause. This includes the mandate for subcontractors to:

  • Create an SSP and associated POA&Ms.
  • Fully implement the requirements outlined in the clause and NIST 800-171.
  • Report non-compliance to the DoD CIOs office within 30 days after contract award.
  • Report cyber incidents within 72 hours.
  • Formally flow down the DFARS cyber clause to all lower-tier suppliers/subcontractors storing, processing, and/or generating CDI.
  • Be in full compliance with the DFARS cyber clause.

Remember that as a prime contractor, you are ultimately liable for the compliance of your suppliers and subcontractors. Make sure the flow down of requirements and the validation of compliance is a formal, documented, and repeatable process.

Also, if you are using an existing Governance, Risk, and Compliance (GRC) technology for other regulatory compliance requirements, you should be able to extend its use to cover DFARS 252.204-7012 subcontractor compliance. If you don’t have an existing GRC solution consider these alternatives:

  • Partner with a Managed Security Services Partner (MSSP) that offers a compliance and reporting capability specific to NIST 800-171. Many of the required controls can be mapped back to managed service offerings to produce automated compliance reporting.
  • Work with your contracting organization to create and implement a process that can be incorporated into the existing contracting business cycle. Contracts staff already play a key role related to subcontractor compliance for other contract clauses and adding DFARS 252.204-7012 requirements should be a logical fit.

Bottom line: It’s the prime contractor’s obligation to flow down DFARS 252.204-7012 requirements to all suppliers or subcontractors. Planning for success now is imperative.

If you need help complying with NIST SP 800-171, contact us at sales@cybersheath.com

 

CyberSheath Blog

How to Safeguard Your Company from Phishing

Email is so ubiquitous in our everyday lives that it can be a challenge to always be on guard when receiving messages. Each day it’s not unheard of for each member of your team to have hundreds of messages land in their inbox. How do you make sure that none…

3 Tools to Help Defend Your IT Infrastructure from Threats

With the continually evolving threat landscape and the prevalence of team members working from home, it is more important than ever to be proactive with how your company is protecting itself from cyberattacks.  CyberSheath can help. We offer services to build on all the great work you have already done…

DNS Filtering for Additional Protection of IT Systems

Phase one of securing your IT infrastructure should include protecting your endpoints and safeguarding your employees from phishing attempts. After you have implemented these controls, the next logical step is to launch a DNS filtering solution.   What is DNS filtering and why do you need it? Domain name server…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO