Recent Defense Federal Acquisition Regulation Supplement (“DFARS”) clause updates require many Department of Defense (“DoD”) contractors to comply with National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171. NIST SP 800-171 is a set of 110 security requirements intended to improve the protection of Controlled Unclassified Information (“CUI”) and Covered Defense Information (“CDI”) exchanged between the Federal government and its contractors. These requirements are incorporated into DoD contracts through the DFARS 252.204-7012 clause.
While the original compliance deadline was December 31, 2017, the requirement still applies today because it appears in new Requests for Proposal and in modifications to existing contracts. In addition, NIST SP 800-171 Revision 2 is currently under review and is expected to add further control requirements.
Neal Beggan, Principal in Cherry Bekaert’s Risk Assessment Services Practice joins Susan Moser for a discussion on the NIST 800-171 requirement, who it applies to and when companies need to be in compliance.
To assist government contractors with compliance, Cherry Bekaert’s IT Audit & Consulting Services group provides gap assessment and analysis, documentation, and remediation services. We have the expertise and experience to guide you forward and are happy to start a conversation with you. Contact Neal Beggan to get started!
Related Podcasts
- Adequate Accounting Systems Requirements for Government Contractors
- Has Your Government Contractor Business Outgrown Your Accounting System?
- VOSB and SDVOB Changes that Government Contractors Need to Know
HOST: SUSAN MOSER: Hi, welcome to Cherry Bekaert's GovCon podcast where we talk about current topics of interest to government contractors. My name is Susan Moser. I'm a partner in the firm's Government Contract Industry Group, and today we are going to be talking about NIST 800-171.
HOST: SUSAN MOSER: Joining me today is my partner, Neal Beggan, who is in our risk advisory practice. Let me start by asking, Neal, what is NIST 800-171?
GUEST: NEAL BEGGAN: Thanks for having me, Susan. Essentially, NIST 800-171 came to the forefront as a result of the Defense Federal Acquisition Regulation, commonly known as 7012, which is entitled Safeguarding Covered Defense Information and Cyber Incident Reporting.
GUEST: NEAL BEGGAN: This DFARS required contractors to provide adequate security for all Covered Defense Information (CDI) on all covered contractor information systems and to rapidly report all cyber incidents to the DOD within 72 hours of discovery.
HOST: SUSAN MOSER: One thing we know about government contracting is it's full of acronyms. You mentioned CDI. What exactly is Covered Defense Information?
GUEST: NEAL BEGGAN: Covered Defense Information is unclassified information provided to a government contractor on behalf of the DOD in performance of a contract. It includes information that is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor to support contract performance.
HOST: SUSAN MOSER: Who does this DFARS clause and ultimately NIST 800-171 apply to?
GUEST: NEAL BEGGAN: DFARS relates directly to contractors handling DOD data, including DOD prime contractors as well as subcontractors. It is a flow-down clause.
GUEST: NEAL BEGGAN: It is widely thought this requirement may ultimately expand to contractors outside the DOD realm and could be incorporated into civilian agency contracts in the future. Right now, it is specific to DOD contracts.
HOST: SUSAN MOSER: When do companies have to be compliant?
GUEST: NEAL BEGGAN: When DFARS was originally issued, the deadline was December 31, 2017, which has passed. However, DOD contractors still need to comply.
GUEST: NEAL BEGGAN: We are seeing current RFPs that ask bidders to be compliant with NIST 800-171, contract modifications requesting demonstration of compliance, and prime contractors requesting compliance from their subcontractors. New government contractors entering the DOD space also need to be compliant.
HOST: SUSAN MOSER: If a company has a new DOD contract or is looking at one that hasn't previously been subject to this, what's the first thing they should do if they see this requirement in a contract?
GUEST: NEAL BEGGAN: First, confirm that the clause applies to the contract, which is fairly straightforward. If it does, reach out to organizations that can help ensure compliance.
GUEST: NEAL BEGGAN: We offer services around readiness assessments for DOD NIST 800-171 compliance to understand an environment and how it stacks up against NIST 800-171. The standard maps to 110 controls across 14 control families, so assessing the environment and developing the required documentation to demonstrate compliance is essential.
HOST: SUSAN MOSER: That sounds like a lot of requirements to comply with.
GUEST: NEAL BEGGAN: It can be daunting for organizations new to compliance. If you lack internal resources, engaging external assistance is important to ensure everything is addressed.
GUEST: NEAL BEGGAN: Although this is currently for DOD contractors, many non-DOD government contractors are pursuing NIST 800-171 as a best practice to bolster their security posture and provide assurance to government clients and contracting partners.
HOST: SUSAN MOSER: Thanks for sharing a little bit about NIST 800-171.
GUEST: NEAL BEGGAN: Thank you.