Ready to Demonstrate Compliance with NIST SP 800-171? Sharpen those #2 Pencils!

By Corey Clements

In order to be useful, data must be analyzed and shared, while also being adequately protected to ensure security, compliance, and privacy. And that is the purpose of Executive Order 13556, which established the Controlled Unclassified Information (CUI) Program. Our earlier blog addressed how this EO standardized the way the executive branch handles unclassified information that requires protection, such as personally identifiable information.

Security assessments are required to demonstrate compliance with NIST SP 800-171. Are you ready?

Who Does It Apply To?

If you are a contractor providing services to the US federal government, your organization is responsible for protecting CUI. The Defense Acquisition Regulation Supplement (DFARS) mandates that contractors comply with the security controls provided in National Institute of Standards and Technology (NIST) Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Under the DFARS rule entitled “Safeguarding Covered Defense Information” contractors have until December 31, 2017 to adopt NIST 800-171.

Key Provisions, What’s New?

In January 2017, DoD issued responses to frequently asked questions about these requirements. The FAQ states that the security requirements in NIST 800-171 build upon the table of NIST SP 800-53 controls contained in the November 2013 version of DFARS clause 252.204-7012. While there is additional effort for the difference, none of the effort to implement the original controls is lost.

A Lexology post by law firm Bass, Berry & Sims PLC states, “One of the key provisions – DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting – which must be flowed down to subcontractors also includes cyber incident reporting regulations and media preservation obligations, among other requirements, that does not apply to commercial-off-the-shelf items, but is applicable to commercial item contracts awarded pursuant to FAR Part 12.”

The Excitement of Fall

Our excitement at staring our 5,572^nd day of work may not rival that of our children starting their first day of high school. However, many of us will be sharing the experience of preparing for exams this fall. Many organizations will require training, technical testing, gap analysis, and expert consulting support to meet 800-171 requirements.

We may also share the anxiety exams often evoke. Many subcontractors are beginning to feel the danger of canceled contracts from failing to comply with 800-171. Companies not in compliance could risk losing their civilian or defense projects and revenues.

Slight Reprieve, But Hit the Books

In June 2017, DoD clarified that this end-of-year deadline for implementation could be satisfied by implementation plans outlining a path for achieving those standards, even if they are not met by the end of the year.