Risk Advisory NIST 800-171 Compliance Requirement
July 30, 2019
By: Neal Beggan
Recent Defense Federal Acquisition Regulation Supplement (“DFARS”) clause updates mandate that many Department of Defense (“DoD”) government contractors comply with the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 standards. NIST SP 800-171 is a set of 110 security requirements that has a goal of improving the protection of Controlled Unclassified Information (“CUI”) and/or Covered Defense Information (“CDI”) between the Federal government and contractors. These requirements are referenced and added to DoD contracts using the DFARS 252.204-7012 regulation. While the original deadline was December 31, 2017, this requirement is still valid today as a result of new Request for Proposals and/or modifications to existing contracts. In addition, Revision 2 of the SP 800-171 is currently in review and will add additional control requirements.
If you provide services to the U.S. Federal government, in this capacity you must provide documentation and evidence as to how your organization is protecting information systems which contain CUI/CDI – which includes any data needed to carry out a contract. However, not just DoD contracts are expected to require compliance. A universal FAR ruling will eventually replace the DFAR and expand the scope to all federal agencies and contractors over the next few years.
Defense Contractor Achieves NIST 800-171 Compliance with the Federal Government
Situation
A defense contractor was required to comply with the newly enforced NIST 800-171 framework. Because this was the first time it had to comply with a traditional government standard for information technology, the company was unsure of the new requirements and how to implement new policies and procedures.
Cherry Bekaert’s Guidance
After defining the systems in scope and boundary to be assessed, Chery Bekaert completed a GAP assessment (Phase I), which resulted in over 30 out of 110 controls needing remediation. The remediation ranged from policy and procedure development, to hardware implementation. Cherry Bekaert developed a roadmap for compliance and worked with the company to identify the areas of responsibility to remediate the identified gaps in Phase 2.
Results
The company was able to demonstrate that it was in full compliance with NIST 800-171 to the Federal government and other interested parties (prime contractors). As a result, the company was able to store, transmit and process CDI/CUI.
To assist government contractors with compliance, Cherry Bekaert’s IT Audit Service group, led by Neal Beggan, CISA, CRISC, CRMA, CCSFP, provides GAP assessment and analysis, documentation and remediation services. We have the expertise and experience to guide you forward and are happy to start a conversation with you. Contact Neal to get started at nbeggan@cbh.com or 703-506-4440.