There has been a lot of confusion around NIST compliance, now mandatory for federal contractors. This brief overview should provide you with the information you need to understand what it is, why it is required and why you should be complying with NIST SP 800-171 Rev2, the most current release.
NIST is the National Institute of Standards and Technology, a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology.
This includes the development and publication of security compliance standards for the Federal Government and any organization who handles government data, which standards are mandated under the Federal Information Security Management Act (FISMA) and other regulations.
NIST also developed the Federal Information Processing Standards (FIPS) in congruence with FISMA, which outlines federal government requirements for cybersecurity and and includes mandatory compliance by federal agencies.
Most government contractors are already familiar with the need to comply with NIST SP 800-171 should they want to continue selling into the Federal Government.
But for those unfamiliar with NIST, let's start by taking a look at what NIST compliance actually means.
Companies that provide products and services to the federal government need to meet certain security mandates set by NIST. Specifically, NIST Special Publication 800-53 and NIST Special Publication 800-171 are two common mandates with which companies working within the federal supply chain may need to comply.
The first draft of NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” was actually created in May 2015.
This original document was intended to provide guidance for non-federal organizations looking to protect sensitive unclassified federal information that was housed in their own information systems and environments. It clarified their role in data breach incidents and provided guidance on the types of data to protect and the kinds of protections to apply.
The latest version of this document is NIST SP 800-171 Rev2 which was last updated February 2020.
The NIST compliance documents are intended for any and all companies who are working in the federal supply chain, including prime contractors, subcontractors, and subcontractors working for another subcontractor. In this case, NIST compliance is mandatory.
However, many companies outside of the federal supply chain are also looking to comply with the NIST standards as outlined in the NIST Cybersecurity Framework.
This is because it is known to provide the best security practices for protecting business data, one of the most important priorities any organization can have!
The goal of NIST is to help organizations keep their data and information secure and safe, protecting critical infrastructure from both insider threats and attacks from the outside. The NIST guidelines apply to all data, not just federal.
However, for businesses that provide services to the federal government, compliance with NIST guidelines is mandatory. Those that are non-compliant may lose the ability to do business with government agencies.
The NIST framework can be considered voluntary guidance based on existing standards, guidelines, and practices, for any organization looking to better manage and reduce their cybersecurity risk.
The framework is divided into three parts - the framework core, the implementation tiers, and the framework profile. The framework core describes 5 functions of an information security program: identify, protect, detect, respond and recover.
Within each of these five core areas there are sub-sections that identify the key areas for assessment. Each of these sub-sections is then broken down further into standards, guidelines, and practices.
For a deep dive into the NIST Cybersecurity Framework, we suggest visiting the NIST website.
NIST is actually not a new requirement. Executive Order 13556, Controlled Unclassified Information (CUI) was issued in 2010 and lays the foundation for where we are today.
The definition of CUI is very broad. National Archives and Records Administration (NARA) was established as the Executive Agent, and their website lists the 124 categories of information considered to be CUI.
Put it this way - if you do business with the Feds, you will probably have CUI in your possession.
FAR 52.204–21 describes, at a fairly high level, the types of safeguards needed by contractors to safeguard controlled information. This was taken further by the DoD.
DFARS 252.204-712 mandates that contractors assess their information systems against the controls in NIST SP 800-171 and at a minimum document their assessment in a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M).
Larger companies generally create a broad SSP which covers the corporate information systems, and project teams, divisions, etc. create their own to highlight what is inherited from the master plan and what is specific to that work.
Small and medium sized businesses can create one plan and apply it across the board.
DoD mandated that all of their contractors create the SSP and POA&M no later than December 2017.
While it was inconsistently enforced in the past, that has recently changed and everyone is expected to meet these standards.
Individual contracts may ask for a more detailed plan, require a third party (not-self) assessment or have additional requirements. The government can require submission of your SSP and POA&M as part of the proposal process in sections L & M, or make it deliverable on any contract. A DiD and CDRL are available.
For most contractors – DoD or not – the NIST 800-171 provides a good benchmark to measure the maturity of your IT infrastructure and processes.
Even if you believe you will never possess CUI or do business with the Feds, it's a valuable tool to protect your data, systems, and people from hackers, malware, and incidents.
The DFARS clause has been added to all DoD contracts. If your contract has been missed and a modification not issued, it still applies. If you are a subcontractor on a DoD contract, the prime is required to flow down the provisions to you. If you have subs, you are required to flow down the provisions to them.
The current release is NIST SP 800-171 Rev2. This revision differs only in structure and has some minor editorial changes. A promised Rev3 is in the works and can be expected to follow the final release of NIST SP 800-53 r5 which is available as of October 2020.
A new draft, SP800-172 is available now as well. This is specifically targeted at unclassified critical programs and high value assets. If it applies, the contract will specifically call it out. DoD estimates that fewer than 80 contractors will be affected.
There are 110 items, grouped into 14 broad categories, to measure against. They are not all specifically IT related. Most controls will be implemented with a combination of the following:
In order to perform your assessment, you need a team of IT, HR, contracts, and executive leadership to jointly weigh in on how information is processed, accessed and controlled across the organization.
The 800-171 requirements are derived from the 800-53 requirements which specifies the security and privacy controls that are required on federal systems. All of the 800-171 controls are mapped to the 800-53 requirements and while not required, you can reference them as part of your assessment.
While not a heavy lift, you do need to look at your systems and policies in some level of detail to determine your level of compliance. You will need a good IT user policy, incident response plan, and a few other policies to meet all of the controls.
If those policies exist or can be modified, your task is that much easier. If they don't exist, or need updating, an IT Service Provider can help get you on the right track.
Of the 110 controls, 64 are very basic and typically done in most organizations. An additional 35 are things that every business should be doing anyway!
The final 11 are a little tougher for small and medium sized businesses, but do not require a huge investment in time or money to implement. For Ntiva clients, 91 of the controls are at least partially implemented under your support plan or as an added service.
The short answer is: your contracts and ability to bid on future work is at risk if you are not compliant.
From a broader sense, your proprietary information is at risk if you lack a good cyber security maturity.
Just because you don’t think you have CUI on your systems doesn't mean you should skimp on the necessary protections!
This is a self assessment; the SSP and POA&M are your documents.
While the government can ask for copies, they are intended to help you identify and manage risk and better protect your and the government’s information. Ntiva has assisted dozens of companies perform the risk assessment and document the results.
You may have heard of the Cybersecurity Maturity Model Certification (CMMC), which is the next iteration of cyber security for the DIB.
The first CMMC standard was released in January 2020 and minor changes were made in March 2020. On November 4, 2021 the Department of Defense (DoD) posted an additional update to it's CMMC initiative, dubbed CMMC 2.0.
The main purpose of CMMC 2.0 was to streamline CMMC 1.0, including the certification process.
CMMC 2.0 is now aligned with the current DFARS 7012 requirements form NIST SP 800 171. This means that the CMMC specific practices and maturity processes which were in the first iteration of CMMC have been removed, reducing the number of security maturity levels from 5 to 3, and matching up the levels with the existing 110 practices under DFARS.
Another big change is in the reduction of the number of contractors who will need a third party assessment, which originally were to be performed by C3PAOs. For some contracts, a self-assessment will be allowed vs. the third party audit, but note that the audit will still be required for some contracts.
As of November 30, 2021, the CMMC accreditation body (AB) and the DoD are still updating CMMC 2.0 requirements, and the final has not yet been published.
However, note that the complexity of the requirements has not changed significantly, and the requirement for an annual self-assessment and affirmation means that companies should still rely on expert third parties to conduct their security and IT operations in a compliant manner.
You can learn how to achieve a higher score on your CMMC assessment here, and don't forget to read our comprehensive guide on CMMC that we update regularly.
Let an experienced team take the load off of your hands. Click the image below to find out more about our services for government contractors, and how we can help you today.