Compass IT Compliance Blog

Federal Contractors and Subcontractors - Complying with NIST 800-171

Sep 18, 2017 8:30:00 AM | Geoff Yeagley | Cybersecurity

With just under 3 months left to go in the year, contractors and subcontractors that provide products and/or services to the Federal Government are scrambling to meet the end-of-year deadline or risk losing the ability to work on government contracts.

Cybersecurity is in the news on what seems like a daily basis. In fact, just this week President Trump elevated US Cyber Command to the same level as the other combatant commands. Prior to this announcement, US Cyber Command fell beneath these combatant commands; the move signifies the importance of cybersecurity in today's threat landscape.

Because of the importance of cybersecurity, the government has mandated that any contractor or subcontractor that works with the federal government secure its data. The guidelines the government imposes to enforce this security requirement are the NIST SP 800-171 framework, often called Rule 171. NIST SP 800-171 was introduced by the National Institute of Standards and Technology (NIST) and was published back in June of 2015. This special publication deals with the protection of controlled unclassified information, or unclassified technical information, in nonfederal information systems and organizations. What does that mean? This special publication gives contractors and subcontractors a standardized guide for protecting unclassified information that they process or store on information systems that are not owned or operated by the government.

The Federal Government is asking these contractors to have a documented cybersecurity plan in place, by the end of 2017, that follows the guidance in NIST SP 800-171. While this sounds simple enough, it is a huge undertaking for contractors and subcontractors, as there are approximately 109 controls that need to be evaluated and addressed! These 109 controls are spread across the following 14 control families:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

This requirement applies to all contractors and subcontractors that hold current contracts or commissions with the Federal Government. From Northrop Grumman down to the 1-2 person organizations, everyone must comply. So how is this achieved? The first step in the process should be a thorough, detailed NIST 800-171 Risk Assessment conducted by an independent third-party assessor. This gives you the opportunity to look at what the requirements are, how you are (or in some cases are not) meeting those requirements, and the steps you can take to remediate and mitigate any risks that are identified. But remember, this must be done by December 31, 2017, so time is of the essence.

I know this has been a doom-and-gloom post, but there is some good news: Compass can help you conduct this risk assessment and get a plan in place. We have worked with several organizations to help them meet this requirement and demonstrate their commitment to reducing their cybersecurity risk. For more information and a deeper dive into this requirement, check out the recording of our August webinar on this exact topic.
