Recent Defense Federal Acquisition Regulation Supplement (“DFARS”) clause updates mandate that many Department of Defense (“DoD”) government contractors comply with the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 standards. NIST SP 800-171 is a set of 110 security requirements intended to improve the protection of Controlled Unclassified Information (“CUI”) and/or Covered Defense Information (“CDI”) exchanged between the Federal government and contractors. These requirements are referenced and added to DoD contracts through the DFARS 252.204-7012 regulation.
While the original deadline was December 31, 2017, this requirement is still in force today as a result of new Requests for Proposals and/or modifications to existing contracts. In addition, NIST 800-171 Revision 2 is currently in review and will add further control requirements.
Neal Beggan, Principal in Cherry Bekaert’s Risk Assessment Services Practice, joins Susan Moser for a discussion on the NIST 800-171 requirement, who it applies to, and when companies need to be in compliance.
To assist government contractors with compliance, Cherry Bekaert’s IT Audit & Consulting Service group provides gap assessment and analysis, documentation, and remediation services. We have the expertise and experience to guide you forward and are happy to start a conversation with you. Contact Neal Beggan to get started!
HOST: Hello and welcome to Cherry Bekaert's webinar entitled "Are You Ready for NIST SP 800-171 Compliance?"
HOST: My name is Neil. I'll be walking you through today's agenda. We're going to start with a brief background on Cherry Bekaert as a whole and introduce our two speakers today, myself and Michael Townsen.
HOST: We'll then get into what NIST SP 800-171 is, who it applies to, and some important acronyms, most notably CUI and CDI. We'll decipher those and then discuss what government contractors can do to comply with these standards.
HOST: A couple of housekeeping notes before we begin. We have over 150 people registered for this webinar. Our intent is to answer as many questions live as we can.
HOST: If you have questions, enter them into the question window on your screen. We will make every effort to answer them live; however, given the number of attendees, we may not be able to get to everyone.
HOST: That does not mean do not ask your question. We will follow up after the webinar. This presentation will be available for download on our website. We encourage you to download and share it.
HOST: A little about Cherry Bekaert. We've been in business for 70 years. We have over 1,100 associates firmwide. We are a CPA and consulting firm based out of Richmond, Virginia, and we operate in six states, ranging from the Washington, D.C., region down to Miami.
HOST: We are in the top 25 of accounting firms in the United States and we are a proud founding member of Baker Tilly International Alliance, the eighth-largest accountancy and business advisory network in the world.
HOST: A little about myself: I am a graduate of James Madison University, born and raised in Virginia. I've been with Cherry Bekaert since 2008 and previously worked at KPMG and Ernst & Young.
HOST: My entire career has been devoted to IT consulting and audit. When I started with KPMG, I worked in the downtown Washington, D.C., office and primarily on federal government work. I wanted exposure to the commercial sector, so I left, but government work kept drawing me back.
HOST: Many of the NIST standards we discuss today are designed for commercial companies, and it has come full circle for me. I am the firm leader for our IT Audit, Risk Assurance, and Advisory Services practice.
HOST: Our motto is that we help organizations leverage their system of internal control to better manage risk, support growth, and promote sustainability. Those three points are evident in today's presentation.
HOST: With me today is Michael Townsen. Michael, could you introduce yourself?
MICHAEL TOWNSEN: Thanks, Neil. My name is Michael Townsen. I'm a senior manager in our firm's Tampa office, born and raised in Tampa, Florida.
MICHAEL TOWNSEN: I am a graduate of the University of South Florida and the University of Tampa, with a strong IT focus. I started with Cherry Bekaert in 2013, and prior to that I was with PwC and EY.
MICHAEL TOWNSEN: My background includes internal audit, IT consulting, and financial audit. The group I work with focuses on IT governance assessments and IT risk assessments, and we also work on information security program implementations and cybersecurity assessments.
MICHAEL TOWNSEN: A significant service we provide is pre- and post-system implementation reviews, or independent verification and validation services.
HOST: Appreciate it, Michael. Enough about us; let's talk about why we're here today. Many of you will recognize logos of high-profile victims of large-scale breaches over the last year.
HOST: Breaches seem to be a daily occurrence at this point. You cannot go on the internet, turn on the TV, or open the paper without reading about some sort of breach.
HOST: While these are some of the more recognizable brands, more than 50 percent of breaches occur at companies with fewer than 250 employees. Thinking you are too small to be a target is not a correct stance.
HOST: The government has taken notice of breaches occurring both commercially and within its walls. As a result, they have made clear that they intend to protect their data.
HOST: Threats to unclassified government information have increased as more services are provided online, as we digitally store data on behalf of the government, and as the government relies on contractors for numerous IT services.
HOST: In addition to commercial incidents, there have been breaches affecting governments and their contractors. You might have thought the WannaCry attack would be a wake-up call, but another larger ransomware attack occurred recently and affected many industries, including governments and contractors.
HOST: Similar to WannaCry, the recent attack exploited vulnerabilities in Microsoft Windows. Those vulnerabilities were known due to a leak of hacking tools used by the NSA and could have been mitigated with a simple patch.
HOST: Because of constant threats like these, the demand for clear, effective, and consistent security requirements has increased for both government and industry.
HOST: As a result, NIST Special Publication 800-171 was developed. NIST stands for the National Institute of Standards and Technology.
HOST: This special publication is a set of security requirements made up of 14 families that result in 109 individual controls applicable to the audience on this call.
HOST: The goal is to protect CUI, controlled unclassified information, and CDI, controlled defense information, exchanged between the federal government and their contractors.
HOST: We'll dive into what CUI and CDI mean and give examples of each. These requirements can be added to or referenced in federal contracts and may become a requirement to do business where CUI and CDI are stored, processed, or transmitted.
HOST: Effective December 20, 2016, NIST SP 800-171 was determined to be key to creating greater consistency across the government.
MICHAEL TOWNSEN: When looking at NIST SP 800-171, there are 14 security control families focused primarily on the confidentiality of information, rather than specifically on integrity and availability.
MICHAEL TOWNSEN: The access control family addresses user provisioning processes and segregation of duties, emphasizing the need to limit information system access to authorized users only.
MICHAEL TOWNSEN: The security awareness and training family addresses the need for managers, users, and administrators to be aware of security risks associated with their activities and applicable laws.
MICHAEL TOWNSEN: This includes policies, standards, procedures, regulations, and evidence of training. Personnel must be adequately trained to carry out their assigned roles, including administrators having the technical knowledge to execute their jobs.
MICHAEL TOWNSEN: The audit and accountability family focuses on creating, protecting, and retaining system audit records. These records enable monitoring, analysis, investigation, and reporting on unauthorized or inappropriate use.
MICHAEL TOWNSEN: Configuration management requires establishing and maintaining baseline configurations for hardware and applications, maintaining inventories, and ensuring systems go through a system development lifecycle.
MICHAEL TOWNSEN: Examples include maintaining firewall rule sets through change management and ensuring baseline configurations are available to restore systems if needed.
MICHAEL TOWNSEN: Identification and authentication requires organizations to identify system users and devices and authenticate their identities. This includes multi-factor authentication, tenant controls, password settings, and lockout procedures.
MICHAEL TOWNSEN: A quick question came in about "SOD." SOD refers to segregation of duties controls, which separate responsibilities to limit fraud risk at both operational and system levels.
MICHAEL TOWNSEN: Incident response is based on the need to establish handling procedures for preparation, detection, analysis, containment, recovery, and response to incidents.
MICHAEL TOWNSEN: Organizations must track, document, and report incidents to appropriate officials and test their incident response plans to ensure effectiveness.
HOST: Just to clarify, when you mentioned classified information earlier, today's focus for SP 800-171 includes unclassified information, correct?
MICHAEL TOWNSEN: Yes, it includes unclassified information.
MICHAEL TOWNSEN: The maintenance family requires periodic and timely maintenance of systems and the appropriate tools and techniques to conduct that maintenance.
MICHAEL TOWNSEN: This also includes training personnel on how to appropriately update systems, covering network devices, servers, and applications with security updates as needed throughout the year.
MICHAEL TOWNSEN: Media protection is about protecting system media, whether paper or digital, limiting access to authorized users, and sanitizing or destroying media before disposal.
MICHAEL TOWNSEN: Personnel security ensures that individuals in positions of responsibility are trustworthy and meet established security criteria, including background checks and acceptable use policies.
MICHAEL TOWNSEN: Controls must ensure access cards or keys are recovered upon termination and that computers and other assets are returned.
MICHAEL TOWNSEN: Physical protection limits physical access to systems, equipment, and operating environments to authorized users only. This includes protecting data centers, testing generators, backups, and ensuring utilities are maintained.
MICHAEL TOWNSEN: Risk assessment requires periodically assessing risk, focusing on mission, functions, image, and reputation, and the potential impact to organizational assets, individuals, and information systems.
MICHAEL TOWNSEN: Security assessments involve periodic self-assessments and continuous monitoring to determine whether controls are effective and applicable, and developing POA&Ms to correct deficiencies and eliminate vulnerabilities.
MICHAEL TOWNSEN: Systems and communications protection requires monitoring, controlling, and protecting communications systems, including external and internal boundaries and employing architectures and tools to restrict access.
MICHAEL TOWNSEN: Focus areas include effective firewall rule sets, monitoring firewall activity, and monitoring remote connections to ensure appropriate external access.
MICHAEL TOWNSEN: The final family is system and information integrity, which involves identifying, reporting, and correcting system flaws in a timely manner, protecting against malicious code, and monitoring system alerts.
MICHAEL TOWNSEN: This includes vulnerability assessments and penetration testing, especially for new external-facing systems, and performing pen testing prior to go-live as appropriate.
HOST: The question box is working, and several questions have come in. One asks, how is SP 800-171 different from NIST SP 800-53?
HOST: NIST SP 800-53 is a more extensive publication designed for federal systems, while SP 800-171 focuses on non-federal systems maintained or administered by contractors.
HOST: SP 800-53 is used for FedRAMP, FISMA, and related federal compliance areas and typically requires a third-party assessment. SP 800-53 controls vary by system classification—low, moderate, or high—and can result in hundreds of controls.
HOST: SP 800-171 treats all CUI as having moderate impact under FIPS 199 and requires the same 109 controls across systems. SP 800-171 is often considered "800-53 light."
HOST: Another question asks which control families are hardest for government contractors to comply with. Michael?
MICHAEL TOWNSEN: Security awareness and training and the risk assessment process are two that present the most difficulty.
MICHAEL TOWNSEN: Training is challenging because the technology environment changes constantly, and training content must be updated to reflect changing risks. Many organizations only provide training once per year, but risks change more frequently.
MICHAEL TOWNSEN: Administrators need proper technical training, which has cost and resource implications. For end users, too frequent security communications can cause information overload, while infrequent training reduces effectiveness.
MICHAEL TOWNSEN: The risk assessment challenge is finding resources with the right expertise to perform risk assessments, understand organizational risk, and gain management buy-in to implement controls.
HOST: To add, human error is a leading cause of breaches, so awareness training is paramount. Another common issue across industries is lack of documentation—policies and procedures are often insufficient.
HOST: Federal standards expect rigorous policy and procedure documentation. IT staff are not always inclined to write comprehensive documentation, so documenting controls is a frequent gap.
HOST: We covered the 14 control families because they apply to all contractors required to comply with SP 800-171. Now, who does this apply to?
HOST: Currently, only DoD contractors and their subcontractors are required to assess compliance and address gaps by December 31 of this year. That flow-down clause is important for subcontractors.
HOST: However, we are seeing non-DoD contracts require protection of CUI, which brings SP 800-171 into play regardless of the current contract type.
HOST: It is widely believed a general FAR rule will require cyber protection of CUI in all FAR contracts. That rule was expected to be finalized in 2017, and the stated intent by the federal government is that all FAR contracts will include the requirement to be compliant with SP 800-171 over the next few years.
HOST: For contractors, do not put this on the back burner. Companies getting out in front of these compliance measures are finding the process easier.
HOST: Contracting officers sometimes ask for status updates. If you have a DoD contract, check whether the DFARS clause is present. If your contract predates the clause, the DoD may issue a contract modification, which would require compliance.
HOST: If you are a prime contractor, you should be asking your subcontractors about their compliance status. If you are a subcontractor, expect primes to ask you.
HOST: If you're providing services to the federal government, your organization is responsible for protecting CUI. FAR clauses require safeguarding CUI by December 31. Prior to that deadline, DoD contractors must report any SP 800-171 requirements not implemented, typically within 30 days of contract award.
HOST: Reporting gaps is usually done via a letter to the DoD contracting official with a status and a plan to address gaps.
MICHAEL TOWNSEN: Let's discuss CUI. Controlled Unclassified Information is any information that must be safeguarded or requires dissemination controls pursuant to applicable laws, regulations, and government-wide policies.
MICHAEL TOWNSEN: CUI is required by the National Archives and Records Administration (NARA). Any information collected, developed, received, transmitted, used, or stored by or on behalf of a contractor in support of a contract may be CUI.
MICHAEL TOWNSEN: It is estimated over 300,000 contractors or grantees hold CUI, including federal, state, and local government contractors, colleges and universities, nonprofit organizations, and some foreign governments.
HOST: In summary, CUI is unclassified information to be protected from public disclosure. Types of CUI include controlled technical information, emergency management information, financial data, information security vulnerability data, law enforcement details, nuclear information, and PHI or PII.
HOST: For a comprehensive list, refer to the CUI Registry. We have included a hyperlink to the registry in the downloadable presentation.
MICHAEL TOWNSEN: CDI, controlled defense information, falls under controlled technical information in the CUI registry. CDI is unclassified controlled technical information that requires safeguarding or dissemination controls pursuant to laws and regulations.
MICHAEL TOWNSEN: CDI is marked or identified in contracts, task orders, or delivery orders provided by or on behalf of the DoD in support of contract performance.
MICHAEL TOWNSEN: Examples of CDI include technical data, computer systems, research and engineering data, drawings, specifications, standards, manuals, technical reports, data sets, and studies.
MICHAEL TOWNSEN: Protecting computer software, executable code, and source code is critical. Access to code should be restricted to those who require it, and external access should be prohibited unless necessary.
MICHAEL TOWNSEN: Note that CDI can include documentation produced by contractors as part of contract performance, such as build sheets or part designs.
HOST: You have heard how SP 800-171 relates to CUI and CDI and how it connects to DFARS and future FAR requirements. What does this mean for you?
HOST: If you have experience with SP 800-53-based compliance areas, such as FedRAMP or FISMA, you will likely have little to no impact, assuming the same domain applies. SP 800-171 is generally less onerous than SP 800-53.
HOST: If you have undergone other security or compliance frameworks—ISO, PCI, SOC 2 with security, HIPAA, or SOX—there will likely be overlap with SP 800-171 controls, often reducing the incremental effort to comply.
HOST: If you have no prior compliance requirements—you're not publicly traded, you don't accept credit card data, you haven't needed ISO or SOC audits—you will likely face the biggest challenge.
HOST: The major work often involves developing or updating formal policies and procedures, forms, and templates, and implementing technical controls. This can be time-consuming and may require capital expenditures for hardware, software, or applications.
HOST: The bright side is you can often leverage systems already compliant with SP 800-53 or other frameworks to satisfy SP 800-171 requirements if domains align.
HOST: The key takeaway is to get started early if you fall into the higher-effort categories. Do not wait until the last minute.
HOST: What can you do to comply? Start by reviewing current and future contract requirements. Just because your contract does not currently include the DFARS clause does not mean it will not in the future.
HOST: Reach out to your contracting officer or prime contractor to clarify requirements. Perform a gap assessment against NIST SP 800-171.
HOST: Use the SP 800-171 publication as guidance, perform an assessment, and formalize it with a gap analysis report that compares current controls against the SP 800-171 moderate control level requirements.
HOST: Develop standard documentation. Contractors familiar with federal space will recognize the term SSP, or System Security Plan. SSPs are extensive and not quick exercises.
HOST: Develop POA&Ms, or Plans of Action and Milestones, to remediate identified gaps and create a roadmap for remediation. Continuous monitoring is essential; this is not a set-and-forget exercise.
HOST: Continuous monitoring will help demonstrate to primes or the federal government that you maintain compliance over the course of a contract.
HOST: We have one question about certification. Is certification necessary for SP 800-171?
HOST: Short answer: no. There is no certification requirement for SP 800-171 at this time, and there is no formal third-party certification requirement.
HOST: That said, we highly suggest a formal assessment and assessment report. Using a third party can address internal resource burdens and knowledge gaps and can save money by doing it right the first time.
HOST: A third-party assessment engagement typically delivers a gap analysis, SSP, POA&M, and an assessment report. An assessment report is useful for audits, for demonstrating compliance to prime contractors, and as a competitive tool when pursuing federal work.
HOST: Another question asks how long the assessment process typically takes. The answer depends on the complexity of the environment and the defined system boundary.
HOST: From procurement to completion, for most government contractors we work with, the typical range is about 30 to 60 days.
HOST: That timeline varies, so the initial steps are defining scope and system boundaries and determining what contracts and environments are in scope.
HOST: We have tried to answer several questions in real time. We will follow up individually with anyone who submitted questions.
HOST: Contact information for Michael and me is on the screen and will be available in the downloadable presentation on our website. We encourage you to reach out as you navigate this process.
HOST: Cherry Bekaert prides itself on its work in the government contracts community. We have helped several clients with SP 800-171 compliance and are speaking with many prospects in similar situations.
HOST: Thank you for attending today's webinar, "Are You Ready for SP 800-171 Compliance?" My name is Neil. Please reach out if you have questions.