The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 compliance deadline has come and gone, but can your organization demonstrate that it is compliant? If not, the consequences of non-compliance should concern you.
The Defense Federal Acquisition Regulation Supplement (DFARS) makes NIST SP 800-171 mandatory for any defense contractor whose contract includes the DFARS 252.204-7012 clause. NIST SP 800-171 was written specifically to protect Controlled Unclassified Information (CUI) residing in non-federal information systems, that is, the systems contractors and other private enterprises operate on their own behalf.
The requirements are organized into fourteen security requirement families, most of them derived from the moderate baseline of NIST SP 800-53. The companion assessment guide, NIST SP 800-171A, describes for each requirement how an assessor can examine artifacts, interview staff, or test the system to determine whether the requirement is satisfied.
NIST SP 800-171 security requirement families (the two-letter identifiers are the corresponding NIST SP 800-53 family codes):

| Section | Family | Code |
|---|---|---|
| 3.1 | Access Control | AC |
| 3.2 | Awareness and Training | AT |
| 3.3 | Audit and Accountability | AU |
| 3.4 | Configuration Management | CM |
| 3.5 | Identification and Authentication | IA |
| 3.6 | Incident Response | IR |
| 3.7 | Maintenance | MA |
| 3.8 | Media Protection | MP |
| 3.9 | Personnel Security | PS |
| 3.10 | Physical Protection | PE |
| 3.11 | Risk Assessment | RA |
| 3.12 | Security Assessment | CA |
| 3.13 | System and Communications Protection | SC |
| 3.14 | System and Information Integrity | SI |
The deadline to comply was December 31, 2017. What happens if you are not in compliance? To start, there is currently no fine or statutory penalty for non-compliance, and no third-party certification is required to prove compliance. That said, non-compliance still carries real consequences.
As with any other provision of a federal contract, by signing a contract that incorporates the clause the contractor represents that it complies with all of the contract's terms. A contractor that is not compliant, and that has not submitted variance requests or plans of action to remediate the gaps, may be in breach of contract, exposing it to monetary damages and other adverse outcomes.
If the solicitation identified NIST SP 800-171 compliance as an evaluation factor, non-compliance that comes to light can also be grounds for a bid protest. Knowingly claiming compliance while aware that the organization is not compliant is a misrepresentation of fact to the government and can be pursued as fraud, with civil and potentially criminal liability. Finally, the government may terminate the contract for failure to meet its terms, which can cost an organization millions in lost federal revenue.
Late last month NIST released the updated final public draft of NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. NIST also released two additional resources to support contractors' compliance efforts: templates for a contractor system security plan (SSP) and a plan of action and milestones (POA&M). These are not optional paperwork: NIST SP 800-171 requirement 3.12.4 calls for a documented and periodically updated SSP, and requirement 3.12.2 calls for plans of action to correct deficiencies found during assessment, so both documents are part of a contractor's own security assessment.
NNT's Change Tracker™ product maps directly to 9 of the 14 security requirement families. To better understand what those requirements are and where an organization can effectively start, see below for a detailed breakdown of how NNT solutions can help you address each one.
Read the article on the National Law Review