The U.S. government provided limited guidance on how contractors should protect their information systems from cyber attacks prior to the implementation of NIST 800-171 on December 31, 2017. However, the government requires compliance with DFARS 252.204-7012, which says NIST SP 800-171 should be implemented for all non-government owned information systems containing federal information, even when that information isn’t classified. Most contractors who handle government information still have not fully implemented NIST 800-171, even though it has been the requirement.
The complexity of these requirements is one of the reasons that contractors have been so slow to adopt NIST 800-171, despite the risk of fines or even the loss of a contract. Schedule a free consultation with our cyber security experts today if you need to be DFARS 252.204-7012 compliant. Start today by contacting us for a free cyber security consultation at 763-546-8354.
NIST SP 800-171 is a National Institute of Standards and Technology (NIST) Special Publication (SP) that provides the government’s recommended requirements for protecting controlled unclassified information (CUI). Defense contractors must implement these requirements to demonstrate they can provide the security needed to safeguard defense information in their contracts as required by Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012.
DFARS accompanies the Federal Acquisition Regulations (FAR) as an addition to cover many of the contracts issued by the U.S. military and National Aeronautics and Space Administration (NASA). The Department of Defense (DoD) administers DFARS, although its requirements extend to other organizations. The requirements in NIST SP 800-171 apply if the supplier handling CUI is part of the supply chain for any state or federal agency.
A NIST risk assessment analyzes the risks posed by an organization’s applications and technologies. It’s a vital component of an enterprise’s overall risk management strategy that includes identifying the potential cyber threats to the application, devices, and networks that make up the organization’s information systems. A risk assessment also includes an analysis of each identified risk and the security controls needed for risk mitigation of these threats. NIST SP 800-53, commonly known as Guide for Conducting Risk Assessments, provides a framework for this process.
Models for performing a risk assessment in cyber security typically include specific elements such as identifying an organization’s critical technology as well as the CUI it creates, stores, and transmits. These models also need to monitor threats, risks, and vulnerabilities on an ongoing basis and develop security controls for each risk. Administrators must prioritize the importance of IT assets so that they can address vulnerabilities after a breach. Mapping the interconnections of critical assets and creating a risk profile for each asset is also an important benefit of the risk assessment process.
In addition to improving security, a security risk assessment may be legally required, especially in heavily regulated industries. For example, the Sarbanes-Oxley Act (SOX) and Health Insurance Portability and Accountability Act (HIPAA) require periodic risk assessments for the finance and healthcare sectors respectively.
NIST risk management is an ongoing process in which you identify and eliminate all your company’s security risks. A NIST risk assessment is a review of your company’s technology, people, and processes to identify risk at a particular point in time.
The NIST risk management process includes regular meetings, typically once a week or month. Managers use these meetings to identify risks, rank them, and discuss them to ensure nothing is slipping through the cracks. This process aims to continually improve an organization's security posture by eliminating risks as they occur.
A NIST security risk assessment is a detailed evaluation of an organization, which may be limited to a particular project or department. Its goal is to identify security vulnerabilities before cyber criminals do. The assessment process reviews both people and systems, including tests, to locate these vulnerabilities. Once found, the assessment ranks the vulnerabilities according to the risk they pose to the company. The end product of the assessment is a report that identifies the systems that are working well and those that have problems. A report from a NIST security risk assessment is typically highly technical and includes a number of specific items such as firewall configuration and network scanning results.
DFARS 252.204-7012 requires that organizations that handle CUI implement NIST 800-171, which describes the procedures that non-government organizations need to follow to protect the CUI on their systems. It has far fewer requirements than NIST 800-53 because NIST 800-171 only covers CUI rather than all of an organization's information technology (IT) policies. DOD contractors are only required to comply with NIST 800-171, not the more comprehensive requirements of NIST 800-53. However, contractors can still obtain a better understanding of their government clients and how they handle cyber security by reviewing NIST 800-53.
The Federal Information Security Management Act (FISMA) implements NIST 800-53 as a means of enforcing DFARS requirements. These two publications are related, but their intended audiences are quite distinct. FISMA is a more comprehensive publication for federal organizations that specifies all of their cyber security requirements. It goes far beyond the handling of CUI, as it covers all aspects of the IT systems for federal agencies.
DOD contractors need to comply with the requirements specified in DFARS 252.204-7012 by fully implementing NIST 800-171 in order to keep their existing contracts and be awarded new ones. The Pentagon has made cyber security one of the most critical factors during the selection process for contractors since 2018. Contractors who fall behind on their compliance with NIST 800-171 will be unable to compete with contractors who are fully compliant with these regulations. The risk of data breaches involving CUI is now too great for contractors to ignore, especially those with existing DOD contracts.
NIST SP 800-30 specifies a straightforward set of procedures for conducting a NIST risk assessment.
This process consists of the following four phases:
Preparation is the first step in a risk assessment, and it requires you to identify the following components of the assessment:
These identification steps tell you exactly what you'll be studying, allowing you to conduct a successful assessment.
The assessment itself consists of two distinct processes: identifying threats and analyzing those threats. The identification phase involves defining the specific threat sources and the events that could occur as a result of exploiting vulnerabilities. The risk analysis phase involves determining all of the potential negative impacts that each threat can have on every stakeholder for that data, including the likelihood of each impact.
After the assessment is complete, the assessment team will share their findings with interested parties. This step is more straightforward than the previous two stages, as it's less dependent upon the individual organization. The primary exception to this general rule is that major differences in the scale and scope of an organization's security posture can affect how assessors share their findings.
The maintenance stage of the assessment process involves performing ongoing assessments over the long term. It includes both the detailed monitoring of previously identified risk factors and the detection of new ones. Furthermore, this maintenance requires you to update cyber risk management practices based on recent findings. Risk assessment, therefore, needs to become part of your company culture rather than a one-time event.
The NIST SP 800-171 DoD Assessment Methodology enables DoD to strategically assess a contractor’s implementation of NIST 800-171 on existing contracts. It includes DFARS clause 252.204-7012, and the summary scores of the strategic assessments that the DoD completes will reflect these components. The NIST 800-171 assessment methodology provides a more practical approach to data protection than performing a separate assessment on each contract. This methodology consists of three levels of assessment: basic, medium, and high. Each assessment receives a score with a level of confidence that reflects the level of that assessment.
A thorough DOD NIST 800-171 risk assessment evaluates your current security posture, identifies where you meet the criteria, and where you need to make changes. Preparing for an assessment requires senior executives and most of the management team to participate in this process and work together. It will also need other key employees’ involvement since a NIST 800-171 risk assessment affects an organization's IT policies, hardware, software, and configuration settings.
The next step in preparing for an assessment is to review your security policies, so you can identify the requirements you've already implemented and those that are still lacking. Employees need to understand the current policies, especially handling CUI and other sensitive information within the organization. They may need a refresher on these policies, even if they've already received this information. In addition to clarifying the existing policy, it may be necessary to update the policy to reflect organizational or technological changes. Administrative staff and IT department members have a particular need to understand an organization's security policies before a risk assessment.
An organization also needs to collect the assessment team’s materials, whether you're performing the assessment in-house or another company is doing it. These materials include many specific documents, such as information system designs, organizational policies and procedures, and legal requirements.
Finally, an organization needs to establish a schedule for completing the assessment, including due dates for each specific part of this process. This practice allows the assessment to remain on track, so you can become compliant as quickly as possible.
A professional assessment can be an effective means of identifying and addressing gaps in your security posture needed to achieve NIST 800-171 compliance. Beryllium is a different type of cyber security company that considers people and organizations just as much as IT. We have many NIST experts on our team because we firmly believe that NIST provides the best cybersecurity framework for strengthening your cybersecurity program.
We also collaborate with other experts in the industry to provide your organization with leading solutions. This approach is essential, as modern data security is no longer a matter of one company doing it all. We realize that a vulnerability assessment enables business operations by reducing risk, not by increasing security for its own sake. Creating an effective cyber security plan requires you first to identify your risks, which is why our assessments provide you with a value-based approach to security. We also help ensure your organization uses the right risk management framework and receives the appropriate remediation guidance for your unique business requirements.
Do you need to be DFARS 252.204-7012 compliant? Avoid fines or loss of contract by implementing all of the NIST 800-171 controls. Contact us today at 763-546-8354 or schedule a free consultation with our cyber security experts.