The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 deadline has come and gone, but can your organization guarantee compliance? If not, the consequences for non-compliance will alarm you.

The Defense Federal Acquisition Regulation Supplement (DFARS) made NIST 800-171 mandatory for defense contractors who have the DFARS 252.204-7012 clause in any contract. NIST 800-171 was designed specifically for the protection of Controlled Unclassified Information residing in non-federal information systems, that is, those in use to support private enterprises.

The requirements are mapped out across fourteen security control families, many of which were adopted from NIST 800-53. Each category highlights how an assessor could examine, interview, or test each particular control at issue.

NIST 800-171 Security Control Families

AC  Access Control
AU  Audit and Accountability
AT  Awareness and Training
CM  Configuration Management
IA  Identification & Authentication
IR  Incident Response
MA  Maintenance
MP  Media Protection
PP  Physical Protection
PS  Personnel Security
RA  Risk Assessment
SA  Security Assessment
SC  System & Communications Protection
SI  System & Information Integrity


The deadline to comply was December 31, 2017, but what if you’re not in compliance? To start, there’s currently no fine or penalty for noncompliance, nor is there any certification required to prove compliance. With that being said, there are consequences for non-compliance.

As with other provisions in a federal contract, when a contractor signs a contract containing an applicable regulation, it has agreed that it is in compliance with all contract terms. If it is not compliant and has not submitted variance requests or plans of action to remedy the noncompliance, the contractor could be in breach of contract, exposing it to monetary damages or other adverse consequences.

Additionally, if the solicitation identified compliance with NIST 800-171 as an evaluation factor, then noncompliance, if discovered, could be grounds for protest. Another possible consequence is criminal fraud liability: a company that claims to be in compliance while knowing it is not has made a misrepresentation of fact that can be treated as a criminal act. The other possibility is contract termination due to failure to uphold contract agreements. This could cost organizations millions in lost revenue with the federal government.

Late last month NIST released its updated final public draft, NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. NIST also released two additional resources to help contractors in their compliance initiative: templates for contractor system security plans (SSPs) and plans of action and milestones (POAMs). Under the basic security requirements of NIST 800-171, these documents are a required part of a contractor's system security assessment.

 

NNT’s Change Tracker™ product maps directly to 9 of the 14 security control families. To better understand what those controls are and where an organization might effectively start, see below for a detailed breakdown of how NNT solutions can help you address each requirement.

 Read the article on the National Law Review

Copyright 2018, New Net Technologies LLC. All rights reserved.