NIST 800-171 Quick Guide
Overview
On December 30, 2015, the U.S. Department of Defense (DoD) published a three-page interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS) that gives government contractors a deadline of December 31, 2017 to implement the requirements of the National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-171.
These requirements protect the confidentiality of Controlled Unclassified Information (CUI) in non-federal systems and organizations. If you are a government contractor, failure to meet them risks the loss of contracts.
Why does it exist?
The DFARS safeguarding rules and clauses cover the basic safeguarding of contractor information systems that process, store or transmit Federal contract information. DFARS provides a set of "basic" security controls for the contractor information systems on which this information resides. These security controls must be implemented at both the contractor and subcontractor levels, based on the information security guidance in NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations." The DFARS cybersecurity rules and clauses can be found at http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm
The NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations” provides requirements for protecting the confidentiality of Controlled Unclassified Information (CUI).
Government contractors and suppliers (including small manufacturers) must adhere to two basic cybersecurity requirements in order to ensure confidentiality of CUI:
- Provide adequate security to safeguard covered defense information that resides in or transits through their internal unclassified information systems from unauthorized access and disclosure; and
- Rapidly report cyber incidents and cooperate with DoD to respond to these security incidents, including access to affected media and submitting malicious software.
Why is action required?
While addressing these deficiencies may seem challenging, it is important to remember that becoming compliant is good for your company and the bottom line. While there are a number of initiatives that compete for the resources, budget, or buy-in needed to move forward, there is a path to compliance. These items need to be addressed to ensure that existing and new work, whether as a subcontractor or as a prime, is not taken away due to non-compliance. Here are the basics:
- Get a security assessment to help you interpret what is required and determine whether your company is in compliance with each of the controls.
- Create a plan to achieve compliance on all the items identified as deficient in your security assessment.
- Prepare and deliver the Assessment Report and Deficiency Report to the prime contractors or government points of contact (POCs) that request them.
Who should comply?
All business entities handling CUI must comply. These include:
- Large and small organizations
- Research institutions
- Consulting companies
- Service providers
- Manufacturers
How to get compliant?
Organizations working as DoD contractors or subcontractors can take various approaches to reaching NIST 800-171 compliance: they can either contract a firm to do it or do it on their own. Both approaches require the business to perform an assessment of the security controls defined in NIST Special Publication 800-171, which takes a significant amount of time. If the assessment is done in-house, the firm must first ensure that its staff is qualified to examine its systems, policies and procedures, and technical controls.
Businesses can meet the DFARS safeguarding requirements (DFARS 252.204-7012, which incorporates NIST SP 800-171) by assessing the controls defined in NIST 800-171 and providing the outcome of the assessment as well as a deficiency report. The outputs of these activities are a System Security Plan (SSP), which details how each control is implemented; an Assessment Report, which tests whether the controls are implemented as described in the SSP; and a Plan of Action and Milestones (POA&M), which identifies controls that are deficient or not yet implemented and the corrective action (plan and milestones) for each. While it is important to have the controls implemented per NIST SP 800-171, the minimum current requirement is to be able to provide an SSP, an Assessment Report, and a POA&M.
Federal guidelines and requirements can be a tricky world to navigate.
OneSevenOne was launched with the goal of allowing companies to self-assess and self-certify against the NIST Special Publication 800-171 security guidelines. Self-assessing and self-certifying through OneSevenOne drastically reduces overhead and provides immediate due-diligence evidence for audits.
Register immediately for a FREE TRIAL!