NIST/DFARS Cybersecurity FAQs
About NIST SP 800-171 & DFARS
A: The National Institute of Standards and Technology (NIST) has established cybersecurity best practices and requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). Addressing the compliance guidelines of NIST SP 800-171 is a way for you to evaluate and mitigate your risk of becoming a victim of CUI theft.
NIST SP 800-171 is composed of 110 requirements in 14 control families:
- Access control
- Awareness & training
- Audit & accountability
- Configuration management
- Identification & authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- System & communications protection
- System & information integrity
Q: What’s the relationship between NIST SP 800-171 and DFARS?
A: The DoD has implemented a basic set of cybersecurity controls through DoD policies and the Defense Federal Acquisition Regulation Supplement (DFARS). DFARS rules relate to the safeguarding of contractor and supplier information systems that process, store or transmit CUI. These security controls must be implemented at the contractor and subcontractor levels based on the guidance offered through NIST SP 800-171.
Q: Do I need to be NIST SP 800-171 compliant?
A: All defense contractors, subcontractors, vendors, and businesses in the supply chain are required to become compliant with NIST. In order to retain your current DoD business or win new business, you need to become compliant. The federal government is currently looking to expand this compliance regulation to all federal contractors, not just those within the defense sector.
Q: Is NIST SP 800-171 compliance required by law?
A: If you have the DFARS clause in your contract, you are lawfully required to comply with NIST SP 800-171. If your prime asks you, as its subcontractor, whether you are compliant, and your answer is “Yes,” then you are legally required to comply. Alternatively, ask your customer whether they have attested to compliance with the DFARS 252.204-7012 clause; if so, your compliance with the NIST SP 800-171 standards is mandatory. Be aware that a false claim of compliance violates the False Claims Act and will be treated as fraud, putting all earnings under the contract at risk.
Q: What is Controlled Unclassified Information (CUI)?
A: Any technical data deemed to be sensitive is CUI, and it can include things like technical drawings of parts, programs, measurement & test data, design parameters, tolerances, or spec sheets. This is not an exhaustive list; rather, it is meant to give an idea of the breadth of information that could be considered CUI.
Q: I have received drawings, data, or information from the DoD or a prime contractor, but it’s not marked as CUI. Does this mean that the data is not considered CUI?
A: You are responsible for identifying and treating information as CUI, even if it’s not marked as such when you receive it. This includes information that predates the requirement. Also, be aware that CUI is sometimes referred to as CDI (Covered Defense Information).
Q: Who do I ask if I have questions about whether I have to be compliant? I have received conflicting advice — who is the final authority?
A: Call us. Or you can call the Department of Defense. But we’re more fun.
Q: I’m a small company. Does this really apply to me?
A: Absolutely. And did you know that small companies are considered easy targets for malware? Because of the perceived open access, adversaries are starting at the bottom of the supply chain to steal many small pieces of the puzzle, and fitting them together to develop a bigger picture. This is far easier for them than trying to breach the more secure “big fish”.
How NIST SP 800-171 impacts your business
A: Yes. Being in the “spirit of compliance” is non-compliance. Until you meet all requirements in full, you are not in compliance. You must address all 110 requirements in order to be considered compliant.
Q: What are the benefits of NIST SP 800-171 compliance?
A: At a minimum, NIST SP 800-171 is a set of good, solid IT best practices that ensure your company is up to the current standards of strong cybersecurity. In the near term, proving compliance will also be a competitive advantage for new defense contract bids — especially if others are dragging their feet on implementing their plans.
Q: What are the consequences of non-compliance?
A: You can lose your contract, award, or PO, or simply be ineligible to win new contracts. And if you are noncompliant and have a breach, your systems will be confiscated for months.
Q: Can compliance help me win new contracts?
A: Prime contractors are seeing their supply chains drastically reduced because their suppliers are not pursuing compliance. Many of your competitive subcontractors may drop out of the bidding process — creating a larger business opportunity for you.
Economics of compliance
A: Good question. The actual monetary and human-resource costs will depend on the current state of your company, systems and resources, and on how much you can do on your own. At a minimum, you will need: a) people to complete a risk assessment and gap analysis and to develop policies and procedures; b) a mix of software and systems, including firewalls and workstations that meet minimum system requirements; c) company-wide training; and d) ongoing IT management and monitoring.
Q: What’s my ROI of becoming compliant?
A: Start by evaluating your defense-related revenue. If you want to continue serving this market, the faster you achieve compliance, the better off you are. Furthermore, consider the new business you could win in the new, compliant supplier market. Many of your competitors may decide not to pursue compliance, thereby forfeiting their DoD contracts. That means more contracts will be up for bid to those who have achieved NIST SP 800-171 compliance.
Be aware that companies competing in the defense ecosystem are expected to be fully compliant by 2021. And, although there is a cost to achieving and maintaining compliance, the government is expecting rates to rise because of the cost incurred by increased overhead.
A: You will need a System Security Plan (SSP), a Plan of Actions & Milestones (POAM), a risk assessment, inventory management, policies and procedures, central authentication and multi-factor authentication, log aggregation/correlation/monitoring, cyber awareness training, potential upgrades of your existing systems, vulnerability and patch remediation, and more.
Keep in mind that meeting the NIST SP 800-171 guidelines is not a one-time fix but a continuous process of assessment, monitoring and improvement.
Q: What are my options to become compliant?
A: Most companies delegate the compliance process to their IT staff or outsourced IT support team, or hire a cybersecurity consultant — or leave defense. If you subcontract or outsource the work, you are responsible to ensure that those you do business with meet the cybersecurity standards. If you anticipate using cloud computing, you should ensure the cloud service meets FedRAMP “moderate” security requirements and complies with incident reporting, media, and malware submission requirements.
There are tools, like NeQter, that can help you achieve compliance on your own. Unlike NeQter’s appliance-based approach, most other tools carry costs and subscriptions that, for a small business, can range up to $50,000.
Q: We have a POAM. Is that enough?
A: No. Having a plan is a good start, but you must take action on the plan and address the major requirements first. Companies were required to have a POAM by December 31, 2017, and the DoD is actively rolling out new requirements to prove compliance, expecting all controls to be fully implemented. If you have a plan but aren’t making progress, you will be evaluated critically.
Q: Will I have to upgrade my existing systems?
A: There are minimum system requirements, but most companies have addressed these upgrades already. You will need to upgrade any end-of-life Windows, UNIX, or Mac operating system. Examples include Windows XP and Windows Server 2003.
Q: What immediate steps can I take toward compliance?
A: Your first step should be to educate yourself on the requirements of compliance. Read through NIST SP 800-171, or talk to your IT support professional or other NIST SP 800-171 expert who can help you understand the guidelines and how they apply to your business.
When you are ready to address compliance, you can expect to follow this path: complete a self-assessment to determine your baseline and areas of vulnerability; implement a cybersecurity platform to address the major technical requirements; update your policies and procedures as you craft your SSP and POAM; and then get to work on addressing your areas of need, until you are fully compliant with the NIST SP 800-171 guidelines.
The NeQter Compliance Engine
A: We’ve created a single, unified solution composed of 6 distinct tools that address the specifics of NIST SP 800-171 compliance.
Q: Is the NeQter tool on-site or a cloud-based solution?
A: NeQter is an on-premises solution, as preferred by most manufacturers and subcontractors.
Q: How will a new tool work in my environment?
A: NeQter integrates directly into the network you already maintain. The NeQter solution is not an in-line solution, so you don’t have to worry about a single point of failure or your network going down.
Q: How long does implementation take?
A: Our typical on-site installation and setup time is under 3 hours.
Q: How much time will we need to devote to managing this tool?
A: Management time for the tool is minimal; alerts will flag any suspicious activity. If compliance requirements change, NeQter will push the updates through to the user base.
Q: How do I convince my leadership that we need this?
A: The decision to pursue compliance hinges on a company’s goals for defense-related work and revenue.