The Department of Defense required everyone who handles CUI and CDI in the DoD’s supply chain to comply with NIST SP 800-171 by December 21, 2017. While compliance with NIST SP 800-171 has been mandatory, until now there was no plan in place from the DoD to ensure compliance.
Under Secretary of Defense for Acquisition and Sustainment Ellen M. Lord issued a memo on January 21, 2019 stating that the Defense Contract Management Agency (DCMA) will “validate contractor compliance with the requirements.” In the memo she also states that “to ensure that a similar approach may be taken at companies for which DCMA does not administer contracts, we will work with representatives of those communities to implement a similar solution.”
NIST SP 800-171 is a NIST Special Publication that defines how contractors must protect and distribute CUI and CDI, material that is sensitive but not classified. It lists 110 security requirements across 14 control families that contractors and subcontractors in the supply chains of the DoD, GSA, NASA and other federal agencies must adhere to.
These audits are the first step in ensuring that suppliers are compliant with NIST SP 800-171. Non-compliance will not only prevent contractors from winning new business; it could also result in immediate contract termination, which is something no contractor wants to risk.
Contractors and subcontractors who are not yet compliant with NIST SP 800-171 should get a compliance assessment done as soon as possible. The assessment consists of a gap analysis that shows where the contractor stands on compliance and what must be done to meet the requirements of NIST SP 800-171. The analysis reveals any issues within the organization. After the gap analysis is completed, a remediation plan is written that includes documented processes and timelines for meeting all of the requirements. The plan is then implemented so the contractor meets the requirements. Once the requirements are met, compliance is an ongoing obligation: systems must be continuously monitored to detect any incidents.
Our certified security team is experienced in NIST compliance and is qualified to assist you and your organization with the requirements. Contact us today to get a compliance assessment completed and see where you stand. NIST SP 800-171 compliance often calls for significant internal network changes, which may seem daunting to individuals who are not familiar with the specific controls detailed in the NIST SP 800-171 security documents. We provide you with the tools, knowledge, and expertise required to implement and maintain NIST compliance.