By Kathryn Daily, CISSP, RDRP
If you heard a whooshing sound on New Year’s Eve, that was probably the deadline for compliance with NIST 171 flying by. A lot of you might be asking “What is NIST 171?” NIST 171 is a set of requirements documented in the NIST Special Publication 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations).
NIST 800-171 contains 110 security requirements, in 14 families, that all contractors and subcontractors are required to implement on contractor-owned and contractor-operated IT systems containing Controlled Unclassified Information (CUI) (e.g., a contractor receiving and processing DoD information on its own corporate network). CUI is a broad category encompassing many different types of sensitive, but not classified, information. For example, personally identifiable information (PII) such as health documents, proprietary material, and information related to legal proceedings would all count as CUI. It is also important to reiterate that NIST 800-171 does not apply to contractors providing support to government-owned IT systems.
While many are incorrectly under the impression that they are required to be fully compliant with all 110 requirements, the reality is that one simply needs to have done an initial assessment of the security requirements and have developed a System Security Plan (SSP) and a Plan of Actions and Milestones (POA&M). The POA&M will provide a roadmap for the organization to become fully compliant.
Many contractors were previously tasked with going through the Risk Management Framework (RMF) process because there was no standard written for contractors. The advent of NIST 171 could actually reduce your workload, since RMF was developed for federal agencies and many of its requirements are not easily met by contractors.
Notable differences between RMF and NIST 171 include the absence of any requirement for an authorization to operate (ATO), or even for the presence of an Authorizing Official (AO). Although eliminating ATOs and AOs is a huge benefit from a time and resource perspective, it raises some concern about accountability for NIST 171 implementation. With no AO requirement, the burden of verifying NIST 171 compliance falls on the contracting officer, who may or may not have a baseline understanding of cybersecurity.
While DFARS contracts don’t specify what happens to companies that aren’t fully in compliance, each non-compliant company is supposed to notify Department of Defense compliance personnel and receive permission; however, many won’t. Sooner or later, it is likely that audits and proof of compliance will follow, with actual contract penalties or default for those who don’t comply. What may happen in the nearer term is that primes will enforce proof of compliance and security audits on subs to ensure their own compliance. If nothing else, non-compliant organizations are unlikely to win new business, so it’s extremely important to get on board with NIST 171 sooner rather than later.