NIST 171 Compliance: The NIST Special Publication 171 series, (DFARS) 7012, and Cybersecurity Maturity Model Certification – Regulating Protected Controlled Unclassified Information
Suppose you are a nonfederal service provider whose offering might involve handling Controlled Unclassified Information (CUI). Until now, it might not have been an issue. Then, suddenly, either your Government Contract Management Officer or an upstream distributor for one of your products informs you that your contracts and work orders won’t move forward until your offering is listed in the DoD Supplier Performance Review System as having passed NIST 171. Now what?
This paper explains what you need to know about the NIST SP 800-171 Assessment Methodology and its use in demonstrating adequate security as detailed in the recently updated DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.[i]
Whether, for example, you manufacture a Cloud Product,[ii] or you develop software or architect any part of the environment that enables those products, you would most certainly want your offering to be listed with the Government Services Administration,[iii] with access to GSA’s $30+ billion Federal Marketplace.[iv] Among the many agencies of the Federal Government, the Department of Defense (DoD) is the largest, having oversight of all contractors and acquisitions. All suppliers will engage in the DoD NIST 800-171 Assessment. Let’s talk about why that is and what that means.
There are misperceptions about what types of products and services present sufficient risk to mandate their participation in the DoD NIST SP 800-171 Assessment Methodology. There are exceptions for COTS products, but DoD Cybersecurity Activities regulation has long established that “cyber threats to contractor unclassified information systems represent an unacceptable risk of compromise of DoD information and pose an imminent threat to U.S. national security and economic security interests.”[v] In other words, even when that information is unclassified, a breach of it causes significant harm, and therefore that information must be controlled and protected.
Suppose you’ve already started a NIST 800-171 compliance process. In that case, you likely know, depending on the scope of the data you might handle and the Federal v. Non-Federal Networks over which that data is transferred or stored, that earning a contract for your custom-built goods and services has become significantly more complicated. Before acquisition and throughout its use, any product or service used to process, store, or transmit Protected Controlled Unclassified Information (CUI) is subject to the interim Defense Federal Acquisition Regulation Supplement (DFARS) Rule 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements.[vi]
In short, DFARS Rule 2019-D041 means that US Federal Agencies cannot award your contract unless you’ve met the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology and have validated that assessment either through a self-reported Supplier Performance Risk System (SPRS) score or through certification by a DoD-accredited third-party assessor using the prescribed Cybersecurity Maturity Model Certification (CMMC) Framework.[vii]