Are You Fully Compliant with DoD’s New Cybersecurity Standards?

By Eric Noonan • June 5, 2018

The December 31, 2017 deadline for achieving compliance with NIST 800-171 has come and gone. If you’re still not compliant, you’re at risk of penalties, and your chances of winning future contracts and bids are in serious jeopardy. The good news is it’s not too late!

It’s understandable if you haven’t yet actually implemented the required NIST 800-171 security requirements. In the past, the DoD permitted businesses to choose a future date for implementing required security controls through the Plan of Actions & Milestones (POA&M) policy. As a result, businesses and organizations used the POA&M merely as a simple checkbox system, which led to weak System Security Plans and stalled control implementations. Today, the DoD has upped its game by insisting on stronger cybersecurity practices among its business partners. With its recently released DoD Guidance, it has moved to an enforcement phase for cybersecurity compliance and requirements.

On April 24th, 2018, the U.S. Department of Defense released its draft “Guidance for Reviewing System Security Plans and the NIST SP-800-171 Security Requirements Not Yet Implemented.” The extensive document contains more stringent guidelines on exactly how the DoD will enforce and assess the implementation of security controls for awarding contracts and evaluating proposals. It also provides detailed recommendations for properly assessing System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms).

The DoD Guidance also describes the consequences for business partners who fail to adhere to the new security rules, including penalties and not being awarded new contracts.

Failure to Implement the Required NIST 800-171 Controls Will Lead to Lost Bids, Vendors and Revenue

For the best chances of new contract awards and superior contract performance in the competitive cybersecurity market, you need to implement the Security Controls and heightened information security requirements as outlined in NIST SP 800-171.

NIST SP 800-171 specifies a set of 110 security requirements that stem from NIST SP 800-53, which governs the cybersecurity standards for government systems. The new guidance was also designed to help businesses assess and prioritize the most effective ways to begin implementing these 110 security controls.

The DoD has a new tactic for reviewing SSPs and security requirements not yet implemented: assigning risk scores to controls. For example, security controls that are considered high risk and haven’t been implemented pose an extremely high risk to the data being protected and to your ability to win DoD contracts.

Each security requirement that hasn’t been implemented is given a DoD Risk Value, which ranges from 5 (highest risk and priority for implementation) to 1 (lowest risk and priority for implementation).

Failing to meet the 110 security requirements will likely cost you potential contracts, through poorly written SSPs and high risk scores resulting from a failure to implement the required controls.

Relax. We’ve Got This!

At CyberSheath, we know that successfully implementing these new security controls can be a daunting undertaking for your organization. We’ve successfully assessed and implemented the required NIST 800-171 controls for organizations large and small in the defense industrial base supply chain. We’ll ensure your System Security Plan (SSP) and associated Plans of Action & Milestones (POA&M) are documented and fully implemented. Our cybersecurity experts will take care of all identified gaps in your information systems, schedule implementation of any outstanding items and ensure your organization is compliant with all of the latest requirements. We follow all DoD guidance to ensure review of SSPs and POA&Ms and “assist in prioritizing the implementation of security requirements not yet implemented.” After we have delivered a fully compliant solution, we offer managed services to maintain your compliance and incorporate any updates from the DoD.

Contact CyberSheath today for a no-obligation phone consultation, and learn how we can ensure compliance with NIST SP 800-171 in five steps.
