WHAT IS NIST 800-171?
We are a small business who has implemented National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 compliance so we understand firsthand the burden it presents. Our Team is comprised of experts in cybersecurity, security engineering, and compliance. We understand that full implementation of NIST 800-171 controls might seem an insurmountable task. We can relieve you of that burden and turn this mountain into a molehill. Our Team will walk with you through the assessment and implementation to ensure your particular business needs are met and compliance is achieved.
THE CUI PROGRAM, DFARS 7012 & NIST 800-171
Established by Executive Order (EO) 13556, the Controlled Unclassified Information (CUI) program standardizes the manner which the Executive branch uses to handle unclassified information that requires safeguarding or dissemination controls. EO 13556, accomplishes this by creating a program for managing CUI across the Executive branch, and gives the National Archives and Records Administration (NARA) the responsibility for implementation of the Order and management of Federal agency actions to ensure compliance.
To ensure compliance amongst their entities, the Department of Defense (DoD) amended the Defense Federal Regulation Supplement (DFARS) in 2016 to provide for the safeguarding of CUI when residing on or transiting through a contractor’s internal information system or network. DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to implement NIST 800-171 in order to protect CUI. Contractors must comply with these provisions with, at minimum, a System Security Plan (SSP) that includes a Plan of Action and Milestones (POA&M) before December 31st, 2017.
The DoD requires NIST 800-171 compliance of contractors precisely because it is through this document that compliance standards for the DFARS 7012 regulatory requirement were published. In other words, NIST 800-171 provides the controls for the implementation of EO 13556 and DFARS 7012. NIST SP 800-171 itself states, “The CUI program is designed to address several deficiencies in managing and protecting unclassified information to include inconsistent markings, inadequate safeguarding, and needless restrictions, both by standardizing procedures and by providing common definitions…”. It is important to note that due to wide mission-set, the NIST 800-171 framework is intentionally widely scoped. Compliance may be treated in a variety of ways, not all of them technological.
DOES NIST 800-171 APPLY TO ME?
If you are a DoD contractor who has DFARS Clause 252.204-7012 in any of your contracts and you handle Covered Defense Information (CDI) then you must comply with NIST 800-171.
“Covered Defense Information” means unclassified controlled technical information or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is—
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
DFARS Clause 252.204-7012 requires contractors / sub-contractors to:
1. Provide adequate security to safeguard CDI that resides on or is transiting through a contractor’s internal information system or network
2. Report cyber incidents that affect a covered contractor information system or the CDI residing therein, or that affect the contractor’s ability to perform requirements designated as operationally critical support
3. Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center
4. Submit media (if requested) and additional information to support a damage assessment
5. Flow down the clause in subcontracts for operationally critical support, or for which subcontract performance will involve covered defense information.
So How Do I Protect CDI?
DFARS 7012 requires the implementation of adequate security by the contractor on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections:
• The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.
• Contractor shall notify the DoD Chief Information Officer (CIO), via email, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.
NIST 800-171 details the security requirements to protect confidentiality of Federal Contract Information, CDI, or CUI on non-Federal information systems.
HOW BMT GETS YOU THERE…
BMT understands that NIST 800-171 implementation can be prohibitive, in regard to cost and time. However, we are experts in DoD information security compliance regulations and requirements. For more than a decade, our specialists have supported DoD program offices in the implementation of Risk Management Framework (RMF) via the more rigorous and extensive NIST 800-53 controls, from which NIST 800-171 was derived. We have also provided consultation and guidance for non-federal firms and systems to implement NIST 800-171. Our experience and highly skilled personnel have allowed us to develop a quick & economical method that is thorough & precise ensuring full NIST compliance.
Gap Analysis & Assessment: Our standard NIST 800-171 assessment process is comprised of a gap analysis of your current state as compared to the full 800-171 control set and a full assessment of your compliance status. This involves numerous technical tasks, as well as stakeholder consultation, policy reviews, and personnel interviews. The NIST SP 800-171 Assessment will result in the development of a System Security Plan (SSP), which will detail all required controls, their implementation/compliance status, and recommended plan for implementation (where applicable). Additionally, our experts develop a Plan of Actions and Milestones (POA&M), which provides the non-compliant controls, with a target date of compliance and the responsible party. Finally, during the assessment debrief, BMT will provide the details of the Gap Analysis & Assessment including all areas of non-compliance along with brief recommendations to reach compliance.
Detailed Remediation Guidance Support: If you and your team require additional support following the Gap Analysis & Assessment, our experts provide a comprehensive review of your findings and break down, in detail, all areas of non-compliance. This includes an exhaustive list of the various solutions for remediation. As part of this list our experts will provide you with options to suit your budget, environment, and level of security need. We consider DoD requirements and Best Business Practices (BBPs) for remediation including recommendations for industry leading hardware and software solutions, where applicable.
Full Implementation & Integration: Finally, if you so choose, our team of experts will fully implement and integrate all mitigation and remediation requirements. This can include hardware configuration; software installation, configuration and training; and, hardening of all system components. Finally, we ensure all necessary policies and procedures are in place.