Defense Acquisition Regulation Supplement (“DFARS”) 252.204-7012 requires defense contractors to protect the security of Controlled Unclassified Information (“CUI”). NIST 800-171[1] defines the security requirements for protecting CUI in nonfederal information systems. NIST 800-171 details adequate cybersecurity measures for each of 110 security requirements that should be adopted by defense contractors and subcontractors. The NIST will help nonfederal entities, including contractors, to comply with the security requirements using the systems and practices they already have in place, rather than trying to use government specific approaches. It provides a standardized and uniform set of requirements for all CUI security needs, tailored to nonfederal systems, allowing nonfederal organizations to be in compliance with statutory and regulatory requirements, and to consistently implement safeguards for the protection of CUI.
The deadline for full compliance with NIST 800-171 was December 31, 2017. Originally it was believed that, in order to be fully compliant with NIST 800-171, defense contractors would be required to have implemented all 110 of the security requirements by December 31, 2017. However, subsequent guidance from the Department of Defense (“DoD”) shows this is not necessarily the case. In order to demonstrate compliance with NIST 800-171, defense contractors must have two fundamental cybersecurity documents: a System Security Plan and a Plan of Action.
If all 110 security requirements are not fully implemented, a DoD contractor can comply with the deadline if it updates its System Security Plan to describe all implemented requirements and identifies those not fully implemented. For those security requirements not fully implemented, the contractor must have a Plan of Action setting forth the plan and schedule for adopting and fully implementing each security requirement not yet implemented. While the DoD does not provide explicit requirements for what these documents should look like, they do provide some guidance.[2] The System Security Plan “requires the contractor to develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.” Meanwhile, the Plan of Action should describe “how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when [contractors] will correct deficiencies and reduce or eliminate vulnerabilities in the system.” In preparing these documents, the DoD provides no single proscribed manner or process to follow. Instead, a reasonable first step may be for company personnel with knowledge of information system security practices to note what is in place, what needs to be added, and what needs to be changed or updated.
For those not already in compliance with NIST 800-171, and without a System Security Plan or Plan of Action updated to reflect the most current version of NIST 800-171, there are a couple of potentially immediate consequences. First, these contractors may be barred from contracting with the government until they can show they are in compliance with or working to be compliant with NIST 800-171. Second, because these provisions flow down to subcontractors, subcontractors should not be surprised if they receive calls from their business partners or suppliers asking if they are in compliance with NIST 800-171. Failure to comply, or an inability to produce an updated System Security Plan and Plan of Action, could result in the loss of these contracts as well.
If your company has any questions regarding compliance with NIST 800-171, or needs assistance in preparing or reviewing a System Security Plan or Plan of Action, please feel free to contact Customer First Communications for assistance.
[1] The National Institute of Standards and Technology (“NIST”) is the agency who published NIST 800-171. National Institute of Standards and Technology, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf (last visited January 16, 2018).
[2] Office of the Under Secretary of Defense, Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, https://www.acq.osd.mil/dpap/policy/policyvault/USA002829-17-DPAP.pdf (last visited January 16, 2018).