By Corey Clements

Cybersecurity concerns are driving a tougher stance from DoD on contractors and their implementation of security controls to protect controlled unclassified information (CUI).

The Department of Defense has released new guidance and memos for contractors complying with NIST 800-171. Defense and procurement experts are characterizing the latest policies as more rigorous enforcement of cybersecurity requirements for DoD contractors. The latest updates also emphasize consequences for non-compliance.

Before being awarded a DoD contract, companies must attest to implementing minimum NIST 800-171 standards. In some cases, DoD will require additional security controls for information that is especially sensitive. In addition to reviewing the System Security Plan (SSP), DoD can conduct on-site assessments of a contractor’s information systems to evaluate whether adequate cybersecurity practices are employed. Contractors are subject to audit and must identify subcontractors who will be receiving or developing controlled defense information. Subcontractors will also need SSPs. Non-compliance can result in charges of a false claim or breach of contract that can mar a contractor’s past performance record.

In addition to these policies, there is increased scrutiny of DoD contractors’ security controls through requirements for subcontractors to provide SSPs and audits by the Defense Contract Management Agency of contractors’ purchasing systems.

This latest guidance provides a clear notification for DoD contractors, and their subcontractors, to fortify their 800-171 compliance planning and execution.  While the tougher stance is aimed at DoD contractors,  civilian agency contractors may want to take note of the US Federal government’s latest views on information security and 800-171 enforcement.

SecureIT offers efficient and flexible compliance solutions for small and medium-sized businesses. If you have questions on 800-171 or need a trusted expert to help you complete an existing compliance project, we’d love to talk.  Contact us and we’ll pick up the phone and give you a call.

Links to policies and memos:

Strengthening Contract Requirements Language for Cybersecurity in the Defense Industrial Base

(https://www.acq.osd.mil/dpap/pdi/cyber/docs/USA003377-18%20ASD(A)%20Signed%20Memo%20w%20attach.pdf)

Addressing Cybersecurity Oversight as Part of a Contractor’s Purchasing System Review

(https://www.acq.osd.mil/dpap/pdi/cyber/docs/USA000140-19%20TAB%20A%20USD(AS)%20Signed%20Memo.pdf)