CMMC Compliance and the Shared Responsibility Matrix

If you’re a contractor working within the Defense Industrial Base (DIB) that handles Controlled Unclassified Information (CUI), you need to safeguard it. Not only is protecting CUI paramount to national security, but if you have the DFARS 252.204-7012 clause in your contract, then you are contractually obligated to protect Covered Defense Information (CDI), which includes CUI. You must comply with NIST SP 800-171 today. In the near future, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) will require every contractor that processes, stores or transmits CUI to pass a third-party assessment to validate their compliance.

But how do you become compliant? As a manufacturer or service provider in the DoD supply chain, your focus is on your immediate business operations and generating revenue, not necessarily the details of Information Technology (IT) or cybersecurity. If you’re a large enough company, perhaps you have an extensive IT department that could handle the implementation of all the NIST 800-171 requirements. Or perhaps you’re a smaller company where most employees wear many hats, which makes the self-implementation very resource-intensive. This could result in an interruption in business operations and possibly additional infrastructure expenses.

A third-party service provider could be your best path for implementing NIST 800-171 and achieving CMMC compliance. However, it’s not just a matter of finding an External Service Provider (ESP) such as a Managed Service Provider (MSP) or a Managed Security Services Provider (MSSP) that can provide a CUI enclave. You also must know and understand their responsibility, and yours, when it comes to compliance. This is where you and your service provider need a Shared Responsibility Matrix to determine who is responsible for each of the 320 assessment objectives of the NIST 800-171A.

What is the Shared Responsibility Matrix?

Let’s say you’re a small manufacturer with the DFARS 252.204-7012 clause in your defense contract. You then realize that you have neither the time, the expertise, nor the infrastructure to protect CUI yourself. Therefore, you reach out to a third-party provider to outsource what’s needed to have a compliant environment, such as a CUI enclave.

Does that mean you, as a client, have no responsibility in fulfilling the requirements of NIST 800-171? The answer is no. You, along with your service provider, will be responsible for fulfilling all of the 320 assessment objectives. The Shared Responsibility Matrix (SRM), which dictates who is responsible for each objective, becomes critical. It divides responsibilities between clients and providers and is agreed upon by both parties.

The SRM must consist of three important aspects:

  1. It should be reflected in the provider-to-client contract.
  2. It should be clear who is responsible for which objective.
  3. It should be broken down to the granular, detailed level – the objective level. A red flag on a service provider would be if the SRM only gave the responsibility at the requirement level, which doesn’t give an accurate representation of your or the service provider’s responsibility.

Why Do You Need an SRM for CMMC Compliance?

As stated above, the SRM gives you clear guidance on who is responsible for each objective. However, that isn’t the only reason why you need it to comply with NIST 800-171 and CMMC. As a government contractor, you need to be able to provide evidence that you’re satisfying every assessment objective. But what if you go through an MSP, service provider, outside service, or third party to protect CUI? How can these partners provide that evidence?

The answer comes from the SRM. While you have responsibility for providing proof that you’ve met your assessment objectives, the service provider will need to provide proof on their end if they get audited. This means that you will not have to provide evidence for fulfilling a particular NIST 800-171 assessment objective because your provider is assuming responsibility for that objective. As the client, you would inherit that compliance from your service provider while they would be required to provide proof during their own assessment.

For example, during an assessment, an assessor will ask for evidence on how you meet the control/practice AU.L2-3.3.1 on system auditing. In the CMMC Assessment Guide, this practice is stated as:

“Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.”

If you were using a service provider for protecting CUI, they might be the ones responsible for meeting this objective. As long as they have informed you that this objective is met through them, you as a client can claim the same through inheritance. You can direct that assessor to your service provider for evidence.

CMMC and NIST Compliance: Whose Responsibility is It?

When it comes to MSPs or third-party services that offer solutions to protect CUI for defense contractors, where does the responsibility begin and end between the service provider and the client? The answer to that question lives in scope.

Scope refers to anything (people, places, and things) that would be included in an assessment. Determining your scope is incredibly important to an assessment because it reduces what needs to be assessed. You don’t need your entire business assessed against NIST 800-171 or CMMC if only a small portion of it handles defense contracts. It is determining the scope that lets an assessor know which portions of your company fall under the assessment.

Once you’ve determined what is in scope for an assessment, you can then chart out responsibility between you and your service provider, which becomes the SRM.

The SRM will provide valuable information for creating the System Security Plan, or SSP. According to NIST SP 800-171 3.12.4, you must provide a document (the SSP) that details information on scope and how you’re implementing those requirements. Part of that implementation would be who is accountable and who is responsible for each objective. Without the Shared Responsibility Matrix, your SSP wouldn’t have accurate information, leaving you responsible for all objectives even if you had a service provider.
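The three aspects listed earlier (reflected in the contract, one clear owner per objective, assigned at the objective level rather than the requirement level), the inheritance argument around AU.L2-3.3.1, and the SSP accountability section above all reduce to checks you can run over the matrix itself. The script below is an added illustration, not code from the article or from any provider’s product: it parses an SRM delivered as CSV, flags rows assigned at the requirement level (the red flag described above), reports expected objectives with no owner, lists the objectives the client claims through inheritance, and summarises per-party counts for the SSP. The objective identifiers follow the NIST SP 800-171A `3.3.1[a]` style; the sample matrix and the short objective list are constructed for the example and are not the full 320-objective set or any real provider’s SRM.

```python
"""Validate a Shared Responsibility Matrix (SRM) at the NIST SP 800-171A objective level.

Constructed example: the sample matrix and objective list are illustrative only,
not a real provider's SRM and not the full 320-objective list.
"""
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass

# NIST SP 800-171A numbers objectives as <requirement>[<letter>], e.g. 3.3.1[a].
OBJECTIVE_ID = re.compile(r"^(\d+\.\d+\.\d+)\[([a-z])\]$")
REQUIREMENT_ID = re.compile(r"^\d+\.\d+\.\d+$")
VALID_PARTIES = {"client", "provider", "shared"}

# Constructed subset of the objectives an assessment is expected to cover.
EXPECTED_OBJECTIVES = [f"3.3.1[{c}]" for c in "abcdef"] + ["3.3.2[a]", "3.3.2[b]"]

# Constructed SRM as a provider might deliver it. The last row is deliberately
# assigned at the requirement level, which the validator must flag.
SAMPLE_SRM_CSV = """objective,responsible,evidence_source
3.3.1[a],client,Client audit logging policy
3.3.1[b],shared,Client policy + provider log schema
3.3.1[c],provider,Provider SIEM configuration
3.3.1[d],provider,Provider SIEM record samples
3.3.1[e],client,Client retention policy
3.3.1[f],provider,Provider log archive settings
3.3.2,provider,Provider SIEM configuration
"""


@dataclass(frozen=True)
class SrmRow:
    objective: str
    responsible: str
    evidence_source: str


def parse_srm(text):
    """Parse the CSV form of the matrix; party names are normalised to lower case."""
    return [
        SrmRow(rec["objective"].strip(), rec["responsible"].strip().lower(), rec["evidence_source"].strip())
        for rec in csv.DictReader(io.StringIO(text))
    ]


def validate_srm(rows, expected_objectives):
    """Return findings in row order, then missing objectives; empty means every objective has one owner."""
    findings = []
    seen = set()
    for r in rows:
        if REQUIREMENT_ID.match(r.objective):
            findings.append(f"{r.objective}: responsibility assigned at requirement level, not objective level")
            continue
        if not OBJECTIVE_ID.match(r.objective):
            findings.append(f"{r.objective}: unrecognised objective identifier")
            continue
        if r.responsible not in VALID_PARTIES:
            findings.append(f"{r.objective}: responsible party '{r.responsible}' is not one of {sorted(VALID_PARTIES)}")
        if r.objective in seen:
            findings.append(f"{r.objective}: listed more than once")
        if not r.evidence_source:
            findings.append(f"{r.objective}: no evidence source named")
        seen.add(r.objective)
    for obj in sorted(set(expected_objectives) - seen):
        findings.append(f"{obj}: no responsible party assigned")
    return findings


def inherited_objectives(rows):
    """Objectives the client claims through inheritance; the assessor is directed to the provider for these."""
    return sorted(r.objective for r in rows if r.responsible == "provider" and OBJECTIVE_ID.match(r.objective))


def responsibility_summary(rows):
    """Per-party counts over objective-level rows, for the SSP's accountability section."""
    return dict(Counter(r.responsible for r in rows if OBJECTIVE_ID.match(r.objective)))


if __name__ == "__main__":
    rows = parse_srm(SAMPLE_SRM_CSV)
    for finding in validate_srm(rows, EXPECTED_OBJECTIVES):
        print("FINDING:", finding)
    print("Inherited from provider:", inherited_objectives(rows))
    print("Summary:", responsibility_summary(rows))
```

Run against the constructed matrix it reports three findings: the `3.3.2` row is assigned at requirement level, and `3.3.2[a]` and `3.3.2[b]` therefore have no owner at all. Any finding in the last group is exactly the situation the article warns about: an objective the SSP would otherwise have to attribute to you by default.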

The Shared Responsibility Matrix, Service Providers, and Complying with CMMC

Service providers can help many businesses in the DIB comply with NIST 800-171 and CMMC requirements. Many government contractors don’t have the in-house resources and abilities to interpret and implement all the requirements. Working with an outside service to implement a compliant solution can be cost-effective and relieve a large portion of the burdens of the DFARS 252.204-7012.

Our CUI enclave solution called Cuick Trac helps ensure you remain compliant with NIST 800-171 and CMMC. Through Cuick Trac, we will give you a Shared Responsibility Matrix detailing what objectives we’re responsible for fulfilling. Contact us today for a demo.

Cuick Trac helps defense contractors satisfy all of the technical controls for NIST SP 800-171 and CMMC Level 2. Learn how with a free 30-minute demo today!
