There has been a lot of confusion around NIST compliance, now mandatory for federal contractors. This brief overview should provide you with the information to understand what is required and why you should be complying (including the need to get ready for CMMC!).
The National Institute of Standards and Technology has a frequently updated set of guidelines that must be met by any organization that handles government data.
The NIST compliance documents are the gold standard for government contractors, and simply must be followed with zero exceptions.
That being said, there are plenty of questions about the sometimes daunting requirements set by NIST and its compliance standards.
As an experienced leader in managed IT and security services for government contractors, we hope to answer all of your questions in this overview.
What are the NIST Requirements?
This is not a new requirement. Executive Order 13556, Controlled Unclassified Information (CUI), was issued in 2010 and laid the foundation for where we are today.
The National Archives and Records Administration (NARA) was established as the Executive Agent. Their website lists the 124 categories of information considered to be CUI. It's quite broad. If you do business with the Feds, you will probably have CUI in your possession.
FAR 52.204–21 describes, at a fairly high level, the types of safeguards contractors need to protect controlled information.
DoD took it a step (or two) further. DFARS 252.204-712 mandates that contractors assess their information systems against the controls in NIST SP 800-171 and at a minimum document their assessment in a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M).
Larger companies have generally created a broad SSP that covers the corporate information systems, while project teams, divisions, etc. create their own to highlight what is inherited from the master plan and what is specific to that work. Small and medium-sized businesses can create one plan and apply it across the board.
DoD mandated that all of their contractors create the SSP and POA&M no later than December 2017.
While it was inconsistently enforced in the past, that has recently changed, and everyone is expected to meet these standards.
Individual contracts may ask for a more detailed plan, require a third-party (not self) assessment, or have additional requirements. The government can require submission of your SSP and POA&M as part of the proposal process in sections L & M, or make it a deliverable on any contract. A DID and CDRL are available.
For most contractors, DoD or not, NIST 800-171 provides a good benchmark to measure the maturity of your IT infrastructure and processes. Even if you believe you will never possess CUI or do business with the Feds, it's a valuable tool to protect your data, systems, and people from hackers, malware, and incidents.
The DFARS clause has been added to all DoD contracts. If your contract has been missed and a modification not issued, it still applies. If you are a subcontractor on a DoD contract, the prime is required to flow down the provisions to you. If you have subs, you are required to flow down the provisions to them.
What NIST Version Do I Assess Against?
The current release is NIST SP 800-171 Rev2. This revision differs only in structure, and has some minor editorial changes. A promised Rev3 is in the works and can be expected to follow the final release of NIST SP 800-53 r5.
A new draft, SP 800-171B, is available now as well. This is specifically targeted at unclassified critical programs and high-value assets. If it applies, the contract will specifically call it out. DoD estimates that fewer than 80 contractors will be affected.
What are the Controls?
There are 110 items, grouped into 14 broad categories, to measure against. They are not all specifically IT related. Most controls will be implemented with a combination of the following:
In order to perform your assessment, you need a team of IT, HR, contracts, and executive leadership to jointly weigh in on how information is processed, accessed and controlled across the organization.
The 800-171 requirements are derived from the 800-53 requirements, which specify the security and privacy controls that are required on federal systems. All of the 800-171 controls are mapped to the 800-53 requirements and, while not required, you can reference them as part of your assessment.
How Hard is This Going to Be?
Don’t expect to do a quick look and say "everything is perfect!"
While not a heavy lift, you do need to look at your systems and policies in some level of detail to determine your level of compliance. You will need a good IT user policy, incident response plan, and a few other policies to meet all of the controls. If those policies exist or can be modified, your task is that much easier. If they don't exist, or need updating, an IT Service Provider can help get you on the right track.
Of the 110 controls, 64 are very basic and typically done in most organizations. An additional 35 are things that every business should be doing. The final 11 are a little tougher for small and medium-sized businesses, but do not require a huge investment in time or money to implement. For Ntiva’s clients, 91 of the controls are at least partially implemented under your support plan or as an added service.
Why Should I Comply?
The short answer is: your contracts and ability to bid on future work are at risk if you are not compliant.
In a broader sense, your proprietary information is at risk if you lack good cyber security maturity. Just because you don’t think you have CUI on your systems doesn't mean you should skimp on the necessary protections.
Who Performs a Compliance Assessment?
This is a self-assessment; the SSP and POA&M are your documents. While the government can ask for copies, they are intended to help you identify and manage risk and better protect your and the government’s information. Ntiva has helped dozens of companies perform the risk assessment and document the results.
What is the Next Requirement?
You may have heard of the Cybersecurity Maturity Model Certification (CMMC). It’s the next iteration of cyber security for the DIB. While the 800-171 requirement is self-assessed, the CMMC will be assessed by third-party assessors. The current requirement is trust based; the future will add a verification component.
If you have not self-assessed, you have no hope of passing a third-party verification!
The final CMMC standard was released in January 2020 and some minor changes were made in March 2020. Additional information is targeted for summer, with implementation probably in late 2020 or early 2021. There will be levels of maturity, and the costs for third-party assessment will go up with the certification level. DoD plans to make it affordable for small business to achieve the lower levels of certification.