Understanding NIST 800-171 Impact on Acquisition

January 17, 2023 / Compliance, Cybersecurity, DFARS, NIST 800-171 / By

As a contractor, you need to safeguard covered defense information that is processed or stored on your internal information system or network.

To stay in the running for work from your primes, you need to comply with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”. You have until December 31, 20 I 7 to implement NIST SP 800-171.

How will non-compliance with NIST SP 800-171 impact contractors’ future acquisition?

On September 21, 2017, The Director, Defense Pricing/Defense Procurement and Acquisition Policy issued guidance for acquisition personnel in anticipation of the December 31, 2017 deadline, which:

  • Outlines how contractors might implement NIST SP 800-171.
  • Addresses how a contractor may use a system security plan to document the implementation of the NIST SP 800-171 security requirements.
  • Describes how DOD organizations might choose to leverage the contractor’s system security plan (SSP), and any associated plans of action, in the contract formation, administration, and source selection processes.

To not jeopardize future opportunities, contractors should focus on developing a well-written SSP and associated Plan of Action and Milestones (POA&M) to achieve compliance.

What are the SSP and POA&M requirements?

NIST SP 800-171 was revised (Revision 1) in December 2016 to require a “system security plan” and associated “plans of action.” Specifically:

  • Security requirement 3.12.4 (System Security Plan, added by NIST SP 800-171, Revision 1), requires the contractor to develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
  • Security Requirement 3.12.2 (Plans of Action), requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

How do you write an SSP and POA&M?

Documenting implementation of the NIST SP 800-171 security requirements by the December 31, 2017, implementation deadline requires an SSP and associated plans of action which describe how and when you will meet unimplemented security requirements, how you will implement planned mitigations, and how and when you will correct deficiencies and reduce or eliminate vulnerabilities in the systems. System security plans and plans of action can be documented as separate or combined documents. You should choose a format that integrates with existing business processes and can be easily maintained year-over-year. Governance, Risk, and Compliance platforms can provide a technical, somewhat automated capability to meet this objective.

There is no prescribed methodology for contractors to implement the requirements of NIST SP 800-171, or even to assess your current compliance with the requirements -nor is there a prescribed format for SSPs or POA&Ms. A reasonable first step in creating an SSP and POA&M is to use company personnel or a qualified third party to execute a gap assessment against current operations compared to the NIST SP 800-171 requirements. The gap assessment will detail changes to policy and highlight areas where additional hardware or software are required to achieve compliance. A well-executed gap assessment will determine:

  1. Requirements that can be met using in-house IT personnel.
  2. Requirements that can be met using outside assistance.
  3. Plan of Action and Milestones for achieving compliance.

Which version of NIST 800-171 applies?

DFARS Clause 252.204-7012 requires the contractor to implement the version of the NIST SP 800-171 that is in effect at the time of the solicitation, or such other version that is authorized by the contracting officer.

How do you inform the Government of compliance with NIST SP 800-171 requirements?

You can inform the Government of your implementation of the NIST SP 800-171 requirements in a number of ways.

  • The solicitation provision DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls,” provides that by submitting the offer, the contractor is representing its compliance (and provides a procedure for the contractor to request the DOD Chief Information Officer (CIO) to authorize a variance from any of those requirements as being non-applicable, or because the contractor has a different but equally effective security measure).
  • Paragraph (c)(2)(ii)(A) of DFARS Clause 252.204-7012 requires the contractor that is performing a contract awarded prior to October 1, 2017, to notify the DOD CIO of any requirements of NIST SP 800-171 that are not implemented at the time of contract award.

Keep in mind, the solicitation may require or allow elements of the system security plan, which documents the implementation of NIST SP 800-171, to be included with your technical proposal, and may be incorporated as part of the contract (e.g., via a Section H special contract requirement).

What is the role of the SSP and POA&M in contract formulation, administration, and source selection?

Chapter 3 of NIST SP 800-171, Revision 1, states that Federal agencies may consider the contractor’s system security plan and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization, and whether or not it is advisable to pursue an agreement or contract with the nonfederal organization.

DFARS Clause 252.204-7012 is not structured to require contractor implementation of NIST SP 800-171 as a mandatory evaluation factor in the source selection process, but the requiring activity is not precluded from using a company’s SSP and associated POA&Ms to evaluate the overall risk introduced by the state of the contractor’s internal information system or network.

The Director, Defense Pricing/Defense Procurement and Acquisition Policy guidance for acquisition personnel provide the following examples of how the government may utilize the system security plan and associated plans of action:

  • Using proposal instructions and corresponding evaluation specifics (detailed in sections L and M of the solicitation as well as the Source Selection Plan) regarding how implementation of NIST SP 800-171 (and other applicable security measures) will be used by DOD to determine whether it is an acceptable or unacceptable risk to process, store, or transmit covered defense information on a system hosted by the offeror. The solicitation must notify the offeror whether and how its approach to protecting covered defense information and providing adequate security in accordance with DFARS 252.204-7012 will be evaluated in the solicitation.
  • Establishing compliance with DFARS 252.204-7012 as a separate technical evaluation factor and notifying the offeror that its approach to providing adequate security will be evaluated in the source selection process. The specifics of how the offeror’s implementation of NIST SP 800-171 will be evaluated must be detailed in Sections L and M of the solicitation as well as the Source Selection Plan.  If you are behind in implementing the required controls of NIST SP 800-171, are unsure of how to write your SSP and POA&M’s, or need expert help complying with the requirements, Contact CyberSheath at NIST800171@cybersheath.com for immediate assistance.