Physical Security Under NIST 800-171
December 16, 2017
More than two years after its release, there is still a great deal of confusion about NIST 800-171, what compliance means, and what the impact is.
NIST 800-171 is a federal information security standard that DFARS 252.204-7012 imposes as one of its three critical requirements. The other two relate to eligible cloud service providers and cyber incident reporting to the Department of Defense. All three are almost equally misunderstood.
Unfortunately, many “white shoe” law firms and consultants are sharing much of the misinformation. How can a federal contractor understand the requirements when the so-called experts are giving bad advice? Let’s go to the source.
The DoD’s Defense Federal Acquisition Regulation Supplement (DFARS) applies to the entire defense industrial base because its clauses are “DoD-wide policies”. The critical section of the Supplement, 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, clearly states that the contractor “shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017”. This single clause sets the expectation and gives us the expected timing.
So what is NIST 800-171? It is 110 security controls focused on the confidentiality of data: 110 specific actions intended to mitigate the risk to Controlled Unclassified Information (CUI).
- Does your company have 110 information security controls?
- Does your team know how to interpret and implement 110 security controls?
- If they do, then who is your Chief Information Security Officer?
For reference, Sarbanes-Oxley, the sweeping post-Enron accounting reform bill passed by Congress, only led to about 20 controls for all of IT. In comparison, NIST 800-171 is a much bigger responsibility.
- Do you believe your IT control environment is better than what’s required of a public company?
What is CUI? All information “(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.” You’re right, this covers everything. The government’s definition of CUI – the new term brought to us in 800-171 – is intentionally broad.
What happens if our company doesn’t comply? The DoD has already begun giving contract award preference to companies that are compliant. Furthermore, your company may be in breach of contract if it is non-compliant and has not notified “the DoD Chief Information Officer (CIO), via email at osd.dibcsia@mail.mil, within 30 days of contract award”. Non-compliance, or simply choosing to ignore this requirement, may lead to a significant revenue-impacting event.
So where do we start? That’s a great question, and as with most compliance requirements, the place to begin is a readiness assessment. A readiness assessment compares your company’s information security processes to the NIST 800-171 standard and measures your company’s compliance today. The next step is to develop the required Plan of Action & Milestones (POAM) to take your company from its current state to a position of ongoing compliance.
Contact Risiden today to talk about our Running Start program to get you from guessing to a POAM in 2 weeks.