Contractor Compliance With NIST 800-171: It’s Supposed to Be Hard.

This article is written based on CMMC version 1.0, and may not reflect the updated requirements of CMMC 2.0.

Dottie Hinson: It just got too hard.
Jimmy Dugan: It’s supposed to be hard. If it wasn’t hard, everyone would do it. The hard… is what makes it great.
– A League of Their Own, 1992

The deadline to comply with the DFARS requirements (December 31st, 2017) has come and gone. Defense contractors, and by ‘flow-down’ extension all defense sub-contractors, were required to be in compliance with the DFARS 252.204-7012 regulation; and in order to safeguard controlled unclassified information (CUI), both prime and sub-contractors were required to implement the NIST SP800-171 cybersecurity standards (as updated and amended).

Easy? It’s Supposed to be Hard.

Defense contractors have to be able to show “adequate security,” which, to use a baseball analogy, some consultants seem to treat as akin to hitting for a .217 batting average: more misses than hits. One can find various firms advertising that they offer easy compliance for defense contractors. Easy? It’s supposed to be hard.

It is understood that complying with NIST SP800-171, and its follow-along iterations, requires more than merely average effort; it requires detailed attention to solid, and ideally great, cyber-hygiene best practices. Complying with the standard’s 14 control families and 110 different controls is not easy. It’s hard. Protecting information vital to our national security is supposed to be hard.

Why is it so Hard?

Partly, it’s the complexity of the many controls. Partly, it’s the misinformation suggesting that just starting to become more secure is enough to grant permanent absolution from the DFARS cyber security mandate. Partly, it’s the truth that real cybersecurity takes time and deliberate effort.

The CUICK TRAC™ hosted solution from Beryllium InfoSec Collaborative was engineered to bring order to complexity. Most defense contractors who receive flow-down cybersecurity mandates via contract RFPs are not information security experts. CUICK TRAC™ allows the smaller defense contractor to remain focused on their business: manufacturing the high-quality components and parts that help defend the nation.

CUICK TRAC™ is affordable, scalable, and professionally vetted by a Certified Information Systems Security Professional (CISSP), who was trained by (and is still on call with) the US Navy. He knows that real information security is not easy, it’s hard.

“It just got too hard,” conveys a real feeling, but it’s not a good feeling.

Consider this: How would a defense contractor feel if they had to report to the Department of Defense (per the DFARS 252.204-7012 regulation) that agents of a foreign power had somehow breached the contractor’s information systems and obtained gigabytes of sensitive but unclassified information?

How would the contractor feel if further contracts were denied as a result of an “easy” approach to real information security?

How would the breached contractor feel if an action under the Federal False Claims Act was brought against the contractor for falsely averring that its information systems containing CUI were secure?

How would the breached contractor feel when considering the reality that losing its defense contracts could be the end of the business, and might severely hamper the contractor’s ability to provide for her or his own family, not to mention the families of her or his employees?

Compliance as a Utility.

The beauty of CUICK TRAC™ is that it takes the complexity of the NIST SP800-171 standard, as applied to defense contractors, and breaks it down into four understandable realms, which Beryllium calls TRAC:

T – Training (user awareness training and education)
R – Risk Assessment
A – Administration (policy, procedure, on-going)
C – Controls (meeting requirements with security in mind)

Instead of being too hard, Information Security becomes a management tool, a marketing distinction, a point of pride as it relates to our collective national security. Let Beryllium help.


Professionally engineered. Professionally vetted. Professionally monitored, 24/7.
Defense contractors can manage their business, while CUICK TRAC™ manages the security of their information systems.

Defense Contractors know they can rely on CUICK TRAC™ to keep them compliant.
CUICK TRAC™ keeps a defense contractor in the major leagues, hitting for average, while securing, fulfilling and keeping contracts…not being sent down to the minors.

CUICK TRAC™ is the essential information systems utility. Robust, Reliable and the Right Solution for your defense contracting business. Compliance as a Utility.

Speak With a NIST Security Expert at Beryllium InfoSec Today
