The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 requires Department of Defense (DoD) contractors to have implemented National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 as of December 31, 2017.

The purpose of this requirement is to ensure that the contractor is adequately protecting Controlled Unclassified Information (CUI), which is still sensitive even though it isn’t classified information. 

Contractors that are unable to meet the requirements of NIST 800-171 are in a difficult position, as they face removal from the list of approved DoD vendors and service providers. 

This outcome can prevent contractors from receiving awards for new contracts or even completing their existing contracts.

Most small and medium-sized businesses (SMBs) in the DoD supply chain, or Defense Industrial Base (DIB), should consider hiring a NIST 800-171 consultant. 

Implementing these measures often encounters challenges in obtaining the necessary time and money. 

SMBs typically lack the resources and expertise in cybersecurity needed to implement these solutions themselves, but the expertise that NIST 800-171 consulting offers can help guide contractors through the compliance process efficiently.

Consultants in charge of managing a NIST 800-171 compliance program should be able to show their current status and develop a strategic plan for closing any security gaps. 

Cuick Trac works closely with our customers to make this process as clear and simple as possible. 

Defense contractors can rely on our Cuick Trac solution to remain compliant with NIST requirements, allowing them to keep existing contracts and obtain new ones. 

If you have questions about  hiring a NIST compliance consultant for your company, contact us online or schedule a free 30-minute demo with one of our NIST experts today!

What is NIST 800-171?

NIST 800-171 is a set of rules that contractors and suppliers to the federal government must follow if they store, process, or transmit CUI. These requirements have evolved considerably since they went into effect, generally becoming more strict and specific.

For example, the most recent changes require the DoD to evaluate a contractor’s compliance with NIST SP 800-171 before awarding a contract.

The validation of compliance is another change that greatly affects DoD contractors. Previously, contractors could validate their own compliance, but a third party may be required to perform this task. A variety of factors contributed to this change, including the generally increasing connection between business interactions and information flow as well as several high-profile breaches of critical government information.

The DoD has rolled out a more rigorous validation method of NIST 800-171 based on the Cybersecurity Maturity Model Certification (CMMC), which requires validation by a CMMC Third-Party Assessor Organization (C3PAO). CMMC was initiated as an interim rule, alongside Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, on September 29, 2020.

However, the release of CMMC 2.0 on November 4, 2021, returned the focus of CMMC back to mostly NIST SP 800-171. CMMC will shortly become an absolute requirement to bid on DoD requests for proposals (RFPs) and receive contracts as it evolves The strong correlation that NIST SP 800-171 compliance now has with CMMC makes it even more important to DoD contractors.

What is CMMC?

CMMC is a unified framework created for government contractors that enforces cybersecurity standards for the DIB. The DoD developed it in response to increasing concerns over the ability of DIB contractors to protect CUI. CMMC compliance consists of three maturity levels that reflect the strength of a contractor’s information security posture. 

Each level includes the processes and practices from the level below it in addition to processes and practices that are new for that level. This hierarchical structure means that a contractor must meet the requirements for a particular maturity level before it can qualify for the next highest level.

Differences between CMMC and NIST 800-171

The DFARS general rule allows the DoD to establish CMMC’s importance in its contracts more firmly. It further specifies the security standards for contractors handling CUI, although CMMC is still largely based on NIST 800-171 in most cases. In addition, contractors can still obtain guidance from DFARS clause 252.204-7012 on self-assessing, monitoring and reporting on their security until CMMC is more widely enforced. 

Furthermore, DFARS 252.204-7019 requires contractors to submit a self-assessment score to the Supplier Performance Risk System (SPRS).

DIB contractors must meet all 110 security controls in NIST SP 800-171 or develop a Plan of Actions and Milestones (POAM) describing their plan for doing so. A POAM includes the specific measures that a contractor will take to correct security deficiencies identified by a security risk assessment. It must also describe the actions the contractor must take to obtain the resources those tasks will require.

The use of C3PAOs to perform independent assessments is one of the most significant changes in CMMC, as NIST 800-171 allowed contractors to conduct their own assessments. 

In particular, C3PAOs won’t accept non-compliance with security requirements, whereas it was acceptable under NIST 800-171 as long as contractors used their POAM to close their security gaps. CMMC also adds 20 new security controls to the ones already in NIST 800-171.

NIST SP 800-171 and CMMC mandates will continue to coexist until the DoD completes its deployment of CMMC, which is currently expected to occur in 2026. The number of contractors subject to CMMC will gradually increase during this period, as the number of contractors subject only to NIST 800-171 decreases.

Who does NIST 800-171 apply to?

NIST SP 800-171 is a contractual requirement applicable to any non-federal entity that processes, stores, transmits, or protects CUI for the DoD, General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). Non-federal entities can include prime contractors, their subcontractors, vendors, and suppliers.

The requirement for NIST 800-171 to protect CUI specifically applies when CUI resides on a non-federal information system, even when the contracting organization doesn’t use or operate that system. NIST 800-171 also applies when there are no overriding requirements for protecting CUI, whether in authorizing law, government policy, or regulation.

NIST 800-171 also applies to all components of non-federal information systems that handle CUI in addition to those that provide security protection for those components. 

A non-federal information system is one that doesn’t meet the criteria for a federal system, which is any information system used or operated by an executive agency, a contractor of such an executive agency, or any other organization on behalf of an executive agency

Steps to Becoming NIST 800-171 Compliant

The following six steps will assist your organization in becoming NIST 800-171 compliant:

• Identify CUI
• Categorize CUI
• Implement controls to encrypt files
• Train employees
• Monitor data
• Conduct a security assessment

These steps ensure that both your business processes and information systems comply with NIST 800-171, thus protecting your CUI. A consultant specializing in NIST 800-171 compliance can help you complete these steps.

1. Identify CUI

Identifying the systems and applications that handle CUI is the first step in implementing NIST 800-171 controls. Once you’ve completed this task, you can focus on the security of each component. The specific components that handle CUI vary greatly by the system, but they often include the following:

• Local storage solutions
• Cloud storage solutions
• Endpoints
• Portable devices

2. Categorize CUI

Once you’ve identified the systems and applications that store CUI, split the data they handle into CUI and non-CUI categories. This step helps reduce the time needed to secure CUI. It’s important to keep all data secure, but NIST 800-171 compliance requires you to give higher priority to the most sensitive data.

In particular, the security audit needed to obtain CMMC requires your organization to demonstrate that CUI is protected. You can then implement additional measures needed to protect non-CUI data at a later time.

3. Implement controls to encrypt files

Implement the controls needed to encrypt your files once you’ve identified and separated the CUI from the rest of your data. NIST 800-171 requires CUI to be encrypted, whether your system is storing or transmitting it. These controls help ensure that unauthorized users are unable to access CUI. 

Encryption is particularly important for file-sharing systems, which allow other users to remotely access files. These systems require additional measures such as a secure file-sharing solution that allows administrators to specify the users who can read, edit and move files.

4. Train employees

Training employees on the proper use of CUI is the next step in NIST 800-171 compliance after implementing the controls needed to protect this type of data. This step is especially important for employees who routinely handle CUI. 

Training isn’t a one-time matter when it comes to implementing NIST 800-171 control. While a contractor should inform employees about these compliance requirements when they’re initially hired, it’s also essential to provide ongoing training at regular intervals. 

Excuses like “I didn’t know” or “I forgot” during an audit won’t help your company avoid a fine for noncompliance. It’s also important to properly communicate changes in compliance processes to ensure employee practices remain aligned with those processes.

5. Monitor data

Monitoring the data on your systems tells you who is accessing your CUI and their progress for doing so. Implementing these controls requires a solution that can maintain a log of user activities. NIST 800-171 compliance requires the ability to trace each action back to the originating user. Administrators should create procedures for monitoring that are appropriate for the company and oversee these processes.

6. Conduct a security assessment

Conduct a security assessment once you’ve implemented all NIST 800-171 controls. This assessment should closely examine all systems and processes for noncompliance issues. NIST 800-171 requires contractors to perform these assessments on a regular basis, typically quarterly or annually.

Regular assessments help ensure that the current processes continue to provide adequate protection of CUI. It’s especially important to conduct another assessment after implementing system changes. Periodic assessments also minimize the threat posed by new methods of attack by malicious actors.

Why hire a NIST 800-171 consultant?

Under the emerging CMMC, defense contractors who handle CUI now have far more accountability and responsibility, than they did under just DFARS 252.204-7012. Although self-assessing is still required, while some CMMC requirements will only require a form of self-certifying, 3rd party audits will become more and more frequent within the Defense Industrial Base.

A defense contractor needs to know, with accuracy and confidence, what their security posture looks like today, using NIST 800-171 as the baseline. Regardless of what happens with the CMMC, the DoD is putting more pressure and focus on independent, 3rd party assessments.

Assessments that require a 3rd party can be conducted by the DoD, using the Defense Contracting Management Agency’s (DCMA’s) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessors, or by a CMMC C3PAO (once authorized, available and required).

The goal under CMMC, is for all contractors to choose what level of CMMC they want to achieve and certify that they meet those requirements. Those requirements include NIST 800-171 for those subject to DFARS 252.204-7012, because they receive, process or store CUI.

In the December 2021, the DoD introduced a new DFARS interim rule, which technically has nothing to do with CMMC, but does require contractors to assess themselves using the DoD’s Assessment Methodology and NIST 800-171A. Contractors are then required to identify their score and enter the score into the Supplier Performance Risk System (SPRS), which allows the government to have access to the score.

The contractor’s assessment score is based on its NIST 800-171 implementation, according to the contractor’s system security plan (SSP), meaning the SSP must be complete before conducting the assessment. Contractors are also required to select a date in which they plan to have NIST 800-171 fully implemented, resulting in a perfect score of 110.

Consultants that specialize in NIST 800-171 can assist in the process of implementing the CMMC framework, to prepare correctly for an eventual 3rd party audit or review. Consultants helping contractors prepare for an audit, using their audit experience and expertise, can save enormous amounts of costs and resources down the road.

 Learning of non-compliant during an audit, is far more impactful to an organization’s bottom line, than identifying gaps earlier in the process and implementing a strategic plan correctly.

Specific tasks that NIST consultants can perform include a detailed risk assessment, gap assessment, controls effectiveness reviews, and documentation review. They can also advise on the development of SSPs, POAMs and responsibility matrices. In addition, NIST consultants can help with implementing and documenting NIST 800-171 controls accurately.

Cuick Trac has NIST consultants that are well-versed in the latest CMMC regulations, DFARS compliance requirements and other emerging cyber requirements impacting the DIB. 

They help to address your concerns in these areas and help you understand the gaps in your security posture.

Summary

DFARS 252.204-7012 has required DoD contractors to implement NIST 800-171 since 2018. Contractors that fail to do so risk losing their approved vendor status, risking the loss of contracts in addition to ineligibility for new contracts. Additional consequences of noncompliance with NIST 800-171 include fines and the loss of reputation.

SMBs that belong to the DIB will typically benefit from hiring a consultant with expertise in NIST 800-171 and DoD cyber defense. Typically, contractors of the DoD, usually lack the expertise and resources in cybersecurity needed to develop and implement their own solutions for complying with these cybersecurity requirements. 

Consultants that specialize in NIST 800-171 have the knowledge and experience needed to implement the necessary solutions more quickly, accurately and at a lower cost.

The Cuick Trac provides NIST compliance consulting services that work closely with our customers to make NIST 800-171 compliance as easy as possible. Our solution helps DoD contractors, small business, and federal agencies maintain the CMMC maturity level required by their current contracts while keeping them eligible for future work. 

Contact us today to schedule your free demo of Cuick Trac and learn more about how we can help you comply with NIST 800-171.