
Contractor Compliance With NIST 800-171: It’s Supposed to Be Hard.

Kevin Keane
Vice President & General Counsel
This article is written based on CMMC version 1.02, and may not reflect the updated requirements of CMMC 2.0.

Dottie Hinson: It just got too hard.
Jimmy Dugan: It’s supposed to be hard. If it wasn’t hard, everyone would do it. The hard… is what makes it great.
– A League of Their Own, 1992

The deadline to comply with the DFARS requirements (December 31st, 2017) has come and gone. Defense contractors and, by ‘flow-down’ extension, all defense sub-contractors were required to be in compliance with the DFARS 252.204-7012 regulation; and in order to safeguard controlled unclassified information (CUI), both prime and sub-contractors were required to implement the NIST SP800-171 cybersecurity standards (as updated and amended).

Easy? It’s Supposed to be Hard.

Defense contractors have to be able to show “adequate security,” which, it seems, some consultants treat (to use a baseball analogy) as akin to hitting for a .217 batting average: more misses than hits. One can find various firms advertising that they offer easy compliance for defense contractors. Easy? It’s supposed to be hard.

It is understood that complying with NIST SP800-171, and its follow-along iterations, requires more than merely average effort; it requires detailed attention to solid, and ideally closer to great, cyber-hygiene best practices.

Complying with the standard’s 14 control families and 110 different controls is not easy. It’s hard. Protecting information vital to our national security is supposed to be hard.

Why is it so Hard?

Partly, it’s the complexity of the many controls. Partly, it’s the misinformation suggesting that merely starting to become more secure is enough to grant permanent absolution from the DFARS cybersecurity mandate. Partly, it’s the truth that real cybersecurity takes time and deliberate effort.

The cuick trac™ hosted solution was engineered to bring order to complexity. Most defense contractors who receive flow-down cybersecurity mandates, via contract RFPs, are not information security experts.

Cuick trac™ allows the smaller defense contractor to remain focused on its business: manufacturing the high-quality components, elements and parts that help defend the nation.

Cuick trac™ is affordable, scalable, and professionally vetted by a Certified Information Systems Security Professional (CISSP) who was trained by (and is still on call with) the US Navy. He knows that real information security is not easy; it’s hard.

“It just got too hard” conveys a real feeling, but it’s not a good feeling.

Consider this: How would a defense contractor feel if it had to report to the Department of Defense (per the DFARS 252.204-7012 regulation) that agents of a foreign power had somehow breached the contractor’s information systems and obtained gigabytes of sensitive but unclassified data?

How would the contractor feel if further contracts were denied as a result of an “easy” approach to real information security?

How would the breached contractor feel if an action under the Federal False Claims Act was brought against the contractor for falsely averring that its information systems containing CUI were secure?

How would the breached contractor feel when considering the reality that losing its defense contracts could be the end of the business, and might severely hamper the contractor’s ability to provide for her or his own family, not to mention the families of her or his employees?

Compliance as a Utility.

The beauty of cuick trac™ is that it takes the complexity of the NIST SP800-171 standard, as applied to defense contractors, and breaks it down into four understandable realms, which we call TRAC:

T – Training (user awareness training and education)
R – Risk Assessment
A – Administration (policy, procedure, on-going)
C – Controls (meeting requirements with security in mind)

Instead of being too hard, information security becomes a management tool, a marketing distinction, and a point of pride as it relates to our collective national security. Let cuick trac™ help.

Cuick trac™

Professionally engineered. Professionally vetted. Professionally monitored, 24/7. Defense contractors can manage their business, while cuick trac™ manages the security of their information systems.

Defense contractors know they can rely on cuick trac™ to keep them compliant.

Cuick trac™ keeps a defense contractor in the major leagues, hitting for average, while securing, fulfilling and keeping contracts… not being sent down to the minors.

Cuick trac™ is the essential information systems utility: robust, reliable and the right solution for your defense contracting business.

Compliance as a Utility.
