Happy Monday, Cyber World!
The Department of Defense has just made public its final two guidance documents on assessing compliance with NIST SP 800-171. I’m going to put the highlights into plain English here, but you can read the full documents for yourself: “Guidance for Assessing Compliance of and Enhancing Protections for a Contractor’s Internal Unclassified Information System,” and “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented,” which talks through the impact of non-compliance. Together, these two documents lay out the evaluation criteria for assessing contractor compliance and the guidance on how the DoD will assess the risks of contractors’ non-implemented controls.
The important takeaways from this public release include:
- Contractors must have their System Security Plan (SSP) and Plan of Action and Milestones (POA&M) documents completed.
- If a contractor says they have completed their documents, but fails to prove that they are doing what they say they are doing in those documents, this raises a red flag. The required activities described in the System Security Plan must actually be carried out, and each item in the Plan of Action and Milestones must state both how it will be completed and the time frame in which it will be completed.
More importantly, this guidance signals that the DoD is stepping in to make sure that contractors are, in fact, implementing the NIST and DFARS requirements. These security requirements are critically important, especially considering the breaches the DoD has faced in the last year.
The DoD guidance addresses the problem that many contractors do not see the importance of compliance, nor the negative effects that non-compliance will have on their business. Failure to comply will most likely result in the loss of contracts, and for most small businesses, that means business closure.
That’s all for today! Thank you for tuning in to this week’s segment of “Mondays With Miranda!” Keep up to date with current news by following NeQter Labs on Twitter, Facebook, and LinkedIn. We love comments and questions, so drop me an email at [email protected]. Enjoy your week!