The Comprehensive Compliance Guide for NIST SP 800-171 and DoD Contractors
The unauthorized disclosure of government information is becoming increasingly common as a result of cyber attacks. Therefore, the U.S. government has extended its existing safeguards to cover private organizations that store, process, or transmit sensitive government information. These organizations primarily include DoD contractors and subcontractors, in addition to other service providers. However, the government often shares sensitive information with other levels of government, educational institutions, and independent research organizations.
Protecting sensitive information means that contractors must understand the nature of that information when using it during the normal course of their business. Government contractors generally accomplish this by complying with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
Schedule a free consultation with us today if you need to be DFARS 252.204-7012 compliant. We can help you avoid fines or losing the ability to be awarded a new DoD contract by helping you implement the NIST 800-171 controls. Contact us at 763-546-8354 to set up a free consultation with a cyber security expert today.
The Defense Federal Acquisition Regulation Supplement (DFARS) is part of the Federal Acquisition Regulation (FAR), which the Department of Defense (DoD) administers. The DFARS provides vital information on the U.S. government's acquisition process for equipment and services, including legal requirements, the delegation of authority, and deviations from standard compliance requirements. Government-wide policies and procedures on acquisition that significantly affect the public are also part of the DFARS. Stakeholders in the government's acquisition process need to read the DFARS within the context of the primary acquisition rules described in the FAR.
Satisfying the DFARS 252.204-7012 mandate requires organizations to comply with the controls described in NIST SP 800-171 Revision 2. NIST developed this publication in collaboration with the Under Secretary for Defense Acquisition to ensure that contractors working with the DoD would adhere to DFARS 252.204-7012, which contains the procedures for protecting Controlled Unclassified Information (CUI) that resides in nonfederal information systems and organizations. While CUI is unclassified, it is still sensitive in that its unauthorized disclosure can directly impact the federal government's ability to carry out its missions and business operations successfully.
Any organization that stores, processes, or transmits CUI for state or federal agencies must meet the standards described in NIST 800-171. The agencies that impose this requirement primarily include the DoD, the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA). Still, the requirement can apply to any contractor for any level of the U.S. government. Any organization with a contractual relationship with any of these government agencies, including prime contractors and subcontractors, must comply with DFARS 252.204-7012 and implement the controls of NIST 800-171.
Achieving NIST 800-171 compliance often requires contractors to closely examine their existing networks and procedures to ensure they meet these requirements. Non-compliance with NIST 800-171 can adversely affect a contractor's relationship with its contracting agency, including losing the contract. NIST 800-171 also describes the process of becoming compliant with its standards, which can take up to eight months to complete. However, contractors can quickly implement many of these cyber security measures to protect their business and the government's data while they work toward full compliance.
Any company that does business with the DoD and handles CUI must comply with DFARS 252.204-7012 and NIST SP 800-171, regardless of the contract’s size. Contractors must also comply with these information security requirements before they can compete for future contracts. Compliance with these requirements provides contractors with a competitive advantage against other contractors, so they should complete this process as quickly as possible.
If a supplier is non-compliant with the cyber security requirements in DFARS 252.204-7012, that supplier must notify the DoD's Chief Information Officer within 30 days after receiving a contract. The supplier must also disclose the specific areas of non-compliance by filling out a questionnaire. Merely completing and submitting this questionnaire does not qualify as DFARS compliance, nor does the dissemination of this information establish compliance.
Implementing NIST 800-171 requires a contractor to conduct an assessment against the 110 security controls described in that document. A contractor must develop a system security plan (SSP) that describes the requirements it already meets. The SSP must also include plans of action and milestones (POA&M) that explain how the contractor will meet the requirements it has not yet implemented. The DoD may consider this information when awarding contracts or require contractors to implement all NIST SP 800-171 controls.
Implementing NIST controls is only the first step in complying with DFARS 252.204-7012, but it is still a substantial undertaking. This is especially true for smaller businesses with limited resources for performing the required assessment. These contractors can engage a third party to perform a NIST 800-171 controls assessment or conduct a self-assessment. Assessment providers reduce the time needed to complete this process by applying their subject matter expertise and by automating much of the organization-specific documentation. Managing this documentation becomes easier when the contractor is familiar with the terminology and technical concepts used in NIST SP 800-171.
Remaining competitive in the DoD acquisition process requires contractors to meet cyber security requirements that will help them protect covered defense information and their own IT infrastructure. DFARS 252.204-7012 also includes the procedures for safeguarding defense information and reporting cyber security incidents in addition to requiring contractors to implement NIST 800-171 Revision 2. Meeting these requirements is no longer an option for either primes or subcontractors, but moving forward with compliance requires a combination of diligence, resources, and technical expertise.
Beryllium InfoSec Collaborative has a deep understanding of the security requirements described by DFARS and NIST 800-171. We also have expertise in identifying the requirements you still need to remain competitive in the DoD acquisition process. We can help you become DFARS compliant no matter what your current IT environment is like, whether it’s a manufacturing, laboratory, cloud-based, or a traditional office environment.
NIST describes 110 security controls that contractors must implement, but it doesn’t specify how they need to be implemented. Therefore, contractors are free to implement the solution(s) of their choice to satisfy these requirements, whether directly or by using managed services. The 110 security controls are categorized into the following 14 sections:
Beryllium offers many specific services that help keep your organization secure and maintain its NIST 800-171 compliance. These include comprehensive assessments for all 110 NIST 800-171 security controls with documented, actionable feedback. Our dedicated engineering staff specializes in the implementation of technical controls such as multi-factor authentication and encryption, as well as administrative controls like incident response, training, and security reviews. The detection and reporting of security incidents also includes identifying compromised hardware, such as servers and personal computers, in addition to compromised data and user accounts. These capabilities help your organization mitigate threats and maintain compliance.
We also develop a blueprint to address your deficiencies after identifying your compliance gaps, including an SSP and its addendums. Our security management program includes documented POA&Ms that help you close your compliance gaps and become fully compliant. Additional security services include third-party risk management that validates the DFARS security postures of other stakeholders, such as subcontractors, suppliers, and vendors. In addition, we offer enclaving services that include the implementation and administration of NIST safeguards and technical controls for hosted, private information systems. Our comprehensive security program offering also includes compliance reporting tools for specific requirements such as NIST 800-171, HIPAA, PCI DSS, SOC 2, and GDPR, among others.
Beryllium is a different type of company because our approach to cyber security involves people just as much as it does technology. We customize our solutions to your company's specific needs, including your vertical within your industry. For example, we provide scalable compliance solutions for small and medium-sized businesses (SMBs) that will grow with their business.
Our team includes many NIST experts because many of today’s security standards map back to NIST. We strongly believe that NIST provides the best cybersecurity framework for strengthening cyber security programs. We also collaborate with other security experts to develop leading solutions for your organization’s industry.
Schedule a free consultation today with our security team members if you need to be DFARS 252.204-7012 compliant. Contact us or call 763-546-8354 to avoid fines or missed opportunities to win new DoD contracts and to be prepared for CMMC.