
Contractors for the Department of Defense (DoD) and other Government agencies must protect sensitive information from ever-increasing cybersecurity threats. Doing so requires implementing advanced cybersecurity solutions and following mandatory compliance requirements.

Contractors need clarity on what constitutes the minimum effective cybersecurity to protect Government data. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 addresses this by identifying critical security best practices. The DoD and much of the Federal Government have aligned with NIST SP 800-171 as a unified set of best practices expected of contractors to promote good cyber hygiene and safeguard sensitive information.


What Is NIST SP 800-171?

Established in 1901, the National Institute of Standards and Technology (NIST) is a Federal government agency within the U.S. Department of Commerce that has created thousands of standards and special publications. Its mission is to "promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life."

Who Does NIST SP 800-171 Apply To?

The list keeps growing. Currently, NIST SP 800-171 is a contractual requirement for the information systems of any non-federal entity (i.e., contractors, vendors, suppliers) that processes, stores, transmits, or protects Controlled Unclassified Information (CUI) for the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). Clauses requiring NIST SP 800-171 can also appear in other Federal government contracts. In late 2021 or early 2022, the government is expected to release a CUI Rule in the Federal Acquisition Regulation (FAR) that will require NIST SP 800-171 for all Federal government contracts involving CUI.


What Is CUI?

Controlled Unclassified Information (CUI) is unclassified information belonging to the Federal government that is sensitive and therefore needs safeguarding.

CUI can take many forms, including:

  • Electronic files
  • Emails
  • Email attachments
  • Proprietary information
  • Designs and specifications
  • Paper documents

So what kind of information would be considered sensitive but not be classified?

An example might be the specifications for a part used in military aircraft production. While unclassified and seemingly insignificant on its own compared to classified information on a weapons system, information like specifications can enable foreign adversaries to engage in industrial espionage and learn highly sensitive information about the overall design of the aircraft.

Why Does CUI Need Safeguarding?

According to a New York University study released in 2017, approximately nine million people work for the Federal government, 40% of whom are private contractors responsible for safeguarding CUI. Like nearly every business, they are under the constant threat of a data breach.

From massive data breaches at Marriott in 2018 and Equifax in 2017 to the 2013 Yahoo! breach that involved three billion users, the scale and severity of cyberattacks have escalated over the past decade. With these increases comes an influx of notable breaches involving DoD contractors.

2009 F-35 Joint Strike Fighter Breach

In 2009, China's aggressive cyberespionage program was suspected to be behind the breach of unclassified yet sensitive data for the F-35 Joint Strike Fighter Program from a sub-contractor of Lockheed Martin.

The Pentagon analysis reported to Congress after the incident suggested that unclassified information on the design and electronic systems of the plane was obtained by hackers and was expected to advance the design and production capabilities of our adversaries, reducing the United States' lead time by years.

In 2011, China unveiled the J-20 stealth fighter jet. In 2013, China introduced the J-31 stealth fighter jet. Both have uncanny similarities to the F-35.


2015 OPM Employee Information

In 2015, the Office of Personnel Management discovered the theft of background investigation records on 21.5 million current, former, and prospective Federal employees, contractors, and their spouses / partners.

This included Social Security Numbers, 5.6 million fingerprints, usernames, passwords, interview findings from investigators, and sensitive personal information provided on detailed application forms.


While Federal information systems are regulated by NIST SP 800-53, until NIST SP 800-171 there were no such standards for commercial contractors that support the DoD and other Government agencies. Cyber attackers were targeting sub-contractors and even the smallest manufacturers and suppliers, hoping to steal information or find a path from smaller businesses' computer systems to those of the larger contractors. Small and Medium-sized businesses (SMBs) are targeted because they typically allocate a smaller budget to cybersecurity and data protection.

Managed Services Providers (MSPs) and Managed Security Services Providers (MSSPs) give smaller businesses that cannot afford to invest millions of dollars per year in their own teams and infrastructure access to Information Technology (IT), Cybersecurity, and Compliance expertise and resources, along with the economies of scale of having these services provided by a dedicated company. Leveraging an MSP and MSSP enables compliance with NIST SP 800-171 and levels the playing field in protecting your business from cyber adversaries.


Implementing NIST SP 800-171

The NIST Cybersecurity Framework (CSF) introduces a set of five core activities to manage and reduce cybersecurity risk:


Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. 

Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. 

Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

NIST SP 800-171 came from a combination of the minimum security requirements in Federal Information Processing Standard (FIPS) 200 and the Moderate protection level in NIST SP 800-53. It contains administrative and technical requirements within 110 controls organized by the following 14 control families:

  • 3.1 Access Control (AC)
  • 3.2 Awareness and Training (AT)
  • 3.3 Audit and Accountability (AU)
  • 3.4 Configuration Management (CM)
  • 3.5 Identification and Authentication (IA)
  • 3.6 Incident Response (IR)
  • 3.7 Maintenance (MA)
  • 3.8 Media Protection (MP)
  • 3.9 Personnel Security (PS)
  • 3.10 Physical Protection (PE)
  • 3.11 Risk Assessment (RA)
  • 3.12 Security Assessment (CA)
  • 3.13 System and Communications Protection (SC)
  • 3.14 System and Information Integrity (SI)

The following chart shows a breakdown of the NIST 800-171 controls and their requirements:

[Chart: Implementing NIST SP 800-171 - breakdown of the 110 controls and their requirements]

While many of these controls require third-party products and secure configuration of an IT environment, it is essential to note that not all of the requirements can be implemented with technology. Many of the controls require documentation of policy, process, and procedures. Some controls address physical security, personnel security, security awareness, and security training. Therefore, be wary of companies claiming "compliance-in-a-box" where their technical solutions and workarounds will somehow achieve compliance. Technical solutions and workarounds alone will not achieve compliance.

Like many things government, the security controls can be confusing. Our guide, NIST SP 800-171 Controls Explained, uses simple and direct language to describe the overall meaning for each of the 110 controls. To meet the requirements of the 110 controls, a total of 320 objectives must be assessed in accordance with the official DoD Assessment Methodology and the NIST SP 800-171A assessment guide. Therefore, you will want to contact Cybersecurity compliance experts to get a proper assessment of your compliance and determine how to implement the most cost-effective and efficient solutions for your business.



A Requirement, Not an Option

Due to the sensitivity of and persistent security risks to CUI, all Government contractors who work with this type of information must follow the NIST SP 800-171 controls.

All DoD contracts that may involve CUI now contain clauses and verbiage that mandate cybersecurity compliance, such as the Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7012/7019/7020 that require compliance with NIST SP 800-171. Sub-contractors, vendors, and suppliers that may not contract directly with DoD or may not even handle CUI are often still required by Prime contractors to meet compliance requirements. This is because contracts require "flow-down" of the compliance mandates from the Prime contractor to all other participants.

Contractors, sub-contractors, vendors, and suppliers that bid or work on DoD / Federal contracts with compliance requirements are now being asked to attest that they are compliant. They must do so in an accurate manner, having met the requirements correctly and in good faith. Businesses are at risk if they guess at their compliance rather than using qualified Cybersecurity compliance professionals. Misrepresentation of compliance to the Government is a violation of the False Claims Act and may result in penalties including:

  • Loss of contracts
  • Loss of ability to bid on future contracts
  • Fines
  • Criminal charges

Therefore, we strongly recommend working with qualified Cybersecurity compliance professionals before making any attestation of compliance to the Government, a Prime contractor, or another contractor.

As of February 2018, around 8% of commercial contractors reported a data breach at least one time since 2016. In many of those cases, there were multiple breaches. That means personal information for nearly 300,000 employees was compromised.


Supplier Performance Risk System (SPRS) and the DFARS Interim Rule

In September 2020, DoD released the DFARS Interim Rule to DFARS Clause 252.204-7012 that also created clauses 252.204-7019, 252.204-7020, and 252.204-7021. Effective November 2020, the Interim Rule requires all DoD contractors with the clauses in their contracts or renewals to conduct a Self-Assessment ("Basic Assessment") and submit a calculated Summary Level Score ("SPRS Score") of compliance with NIST SP 800-171 to the DoD SPRS website.

Each SPRS Score is associated with the Commercial and Government Entity (CAGE) Codes that contractors use to do business with the government and the names of the relevant IT systems used to support those contracts. The score is calculated according to the official DoD Assessment Methodology for NIST SP 800-171 that requires the compliance assessment be performed per the NIST SP 800-171A assessment guide. Peerless provides a completely free tool to calculate an accurate SPRS score from a proper assessment of compliance.
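The scoring arithmetic behind a Summary Level Score, as an added example that is not Peerless's free tool or any DoD software: the DoD Assessment Methodology starts every system at 110 points and subtracts a weight of 5, 3 or 1 for each requirement that is not fully implemented, with a reduced deduction for two requirements (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography) when a partial implementation is in place. The weight table below is an assumed, illustrative subset constructed for this example; the authoritative weight for each of the 110 requirements is in Annex A of the methodology and must be used for a real submission. The sample findings are likewise constructed.

```python
# Added example (not Peerless's tool or DoD's own calculator): compute a
# NIST SP 800-171 Summary Level Score ("SPRS Score") the way the DoD
# Assessment Methodology describes it: start at 110, subtract a weight of
# 5, 3 or 1 for every requirement not fully implemented, with a reduced
# deduction for two requirements when a partial implementation exists.
from dataclasses import dataclass
from typing import Dict, Iterable

MAX_SCORE = 110  # one point per requirement when all 110 are implemented

# Illustrative subset of per-requirement weights. These entries are a
# constructed sample assumed for the example; the authoritative weights are
# in Annex A of the DoD Assessment Methodology.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.1": 5,    # create and retain audit logs
    "3.3.2": 3,    # trace actions to individual users
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify, report and correct system flaws
}

# Requirements the methodology scores with partial credit:
# 3.5.3 when MFA covers remote and privileged users but not general users,
# 3.13.11 when encryption is in place but is not FIPS-validated.
PARTIAL_CREDIT: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Finding:
    """One requirement the assessment found not fully implemented."""
    requirement: str
    partial: bool = False  # True only when the partial-credit condition holds


def deduction_for(finding: Finding) -> int:
    """Points to subtract for a single finding."""
    if finding.requirement not in WEIGHTS:
        raise KeyError(f"no weight on file for requirement {finding.requirement}")
    if finding.partial:
        if finding.requirement not in PARTIAL_CREDIT:
            raise ValueError(f"{finding.requirement} has no partial-credit rule")
        return PARTIAL_CREDIT[finding.requirement]
    return WEIGHTS[finding.requirement]


def sprs_score(findings: Iterable[Finding]) -> int:
    """Summary Level Score: 110 minus all deductions (can go below zero)."""
    seen = set()
    total = 0
    for f in findings:
        if f.requirement in seen:
            raise ValueError(f"requirement {f.requirement} listed twice")
        seen.add(f.requirement)
        total += deduction_for(f)
    return MAX_SCORE - total


def deductions_by_family(findings: Iterable[Finding]) -> Dict[str, int]:
    """Group deductions by control family ("3.13.11" -> "3.13") to show
    where the points are being lost."""
    out: Dict[str, int] = {}
    for f in findings:
        family = f.requirement.rsplit(".", 1)[0]
        out[family] = out.get(family, 0) + deduction_for(f)
    return out


# Constructed sample assessment result: five requirements not fully met.
SAMPLE_FINDINGS = [
    Finding("3.1.20"),                 # external connections not controlled (-1)
    Finding("3.3.2"),                  # audit records not tied to users (-3)
    Finding("3.5.3", partial=True),    # MFA for remote/privileged users only (-3)
    Finding("3.13.11", partial=True),  # encryption present, not FIPS-validated (-3)
    Finding("3.14.1"),                 # no flaw remediation process (-5)
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_FINDINGS))  # 95 for the sample above
    print("deductions by family:", deductions_by_family(SAMPLE_FINDINGS))
```

Two points of the methodology are worth noticing in the code: a requirement that is on a POA&M but not yet implemented still takes its full deduction, and a requirement with no partial-credit rule cannot be claimed as "partially implemented", which is why `deduction_for` rejects that combination rather than silently reducing the deduction.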

Cybersecurity Maturity Model Certification (CMMC)

DoD audits of contractor self-assessments and investigations of contractor cybersecurity incidents revealed the failure of self-assessments to ensure that contractors truly met the NIST SP 800-171 compliance requirements necessary to protect CUI. The DoD also perceived shortcomings in NIST SP 800-171. Therefore, DoD decided to create a new CMMC standard and certification framework built directly upon NIST SP 800-171 and borrowing maturity concepts from the industry Capability Maturity Model Integration (CMMI) framework.

The DFARS Interim Rule of September 2020 described CMMC and created DFARS Clause 252.204-7012 to begin its implementation in a phased five-year rollout to contractors and the CMMC Third-Party Assessor Organizations (C3PAOs) that will conduct official CMMC assessments against those contractors.

In the next few years, all DoD contractors will become responsible for varying degrees of CMMC compliance. 

CMMC Level 1 will be needed for contractors that may handle Federal Contract Information (FCI) but don't have CUI compliance requirements.

CMMC Level 2 is not expected to be needed, but can be used by contractors to demonstrate increased compliance over CMMC Level 1.

CMMC Level 3 and its accompanying maturity processes will be needed for contractors with CUI compliance requirements.

CMMC Level 4, Level 5, and their accompanying maturity processes will initially be required by DoD for only a handful of designated high-risk contractors out of the estimated 100,000+ subject to CMMC Level 3 compliance.

Peerless recommends contractors with CUI requirements prepare for CMMC in the following order:

  1. Fully implement the 110 NIST SP 800-171 controls to achieve a perfect SPRS Score.
  2. Fully implement the additional 20 CMMC Level 3 (CMMC L3) practices.
  3. Fully implement the 49 CMMC Maturity Level 3 (CMMC ML3) maturity processes.

CMMC is changing quickly as the DoD determines how to implement and enforce it over the next few years. It is important to prepare for CMMC now given the time, investment, and operational impact of its extensive requirements. Peerless keeps on the pulse of CMMC as it evolves and can help you navigate the ins and outs of compliance. Our teams ensure that you're fully prepared and equipped to tackle CMMC, NIST SP 800-171, and other regulations — making the best business decisions for your organization's current and future compliance needs.



Getting Started with NIST SP 800-171

Becoming NIST compliant is a journey, and maintaining that compliance is an ongoing process. You must continuously assess, design, deploy, and manage your systems. Doing this means:

  • Assess your current security controls
  • Design required changes within your systems
  • Deploy those changes and enforce your new policies
  • Manage your systems continuously

The required documentation for NIST SP 800-171 compliance consists of:

  • System Security Plan (SSP)
  • Plan of Action and Milestones (POA&M/POAM)
  • Policies, processes, and procedures required by controls
  • Evidence of the control implementation, such as screenshots, reports, and ledgers


The SSP describes each system and how controls are implemented, while the POA&M lists any missing control requirements and deficiencies in the control implementation.

As part of a Gap Assessment / Gap Analysis of your current compliance, Peerless will create a brand new System Security Plan (SSP) and Plan of Action and Milestones (POA&M). Peerless will also calculate an accurate SPRS Score of your compliance for reporting to DoD / Government. Additionally, we provide IT, Cybersecurity, and Compliance expertise and solutions to help you make the most correct and cost-effective decisions for your organization's current, short-term, and long-term business needs. Peerless is a complete IT Managed Services Provider (MSP) and Managed Security Services Provider (MSSP), providing everything from Help Desk Support to full IT and Cybersecurity outsourcing.


5 Tips: Preparing for a NIST Assessment


What should you do if there's a potential Cybersecurity incident?

Follow official policy, contract requirements, and reporting procedures.

DoD contractors must report security incidents within 72 hours to the Prime Contractor and https://dibnet.dod.mil/portal/intranet.

Identify any information that may have been lost or compromised as well as any computers, data, or accounts that may have been affected.

A professional assessment creates a strong foundation to guide your NIST 800-171 compliance plans. Very importantly, it provides more accurate results and helps prevent misunderstanding or misrepresentation of your compliance to the Government against requirements that are often complex and require expert interpretation.

A good assessment will evaluate all the compliance requirements, determine which are being sufficiently met, determine which are not being met, and provide remediation recommendations/solutions to achieve full compliance. For DoD contractors, a professional assessment is especially recommended to help ensure an accurate SPRS Score is reported for contracts.

It's essential to have senior management involved and ready to work together before, during, and after your compliance assessment. Before the assessment, you should:

  1. Determine which employees need to be involved. Compliance requirements affect policies, configuration, software, hardware, and day-to-day operations. While not every employee will need to be involved in an assessment, it is likely that some of your management team and your lead technical staff will be involved.
  2. Identify your current security documentation. Identify and compile all of your organization's security-relevant policies, processes, procedures, and related documents. This includes Employee Handbooks and other common documents that employees must follow to ensure a secure and compliant organization.
  3. Determine your current and future compliance requirements. Look at the compliance requirements of the industries you work with, any existing contracts, and any future business that you are considering. Pay special attention to the type and sensitivity of the information you are or will be handling and the laws, regulations, contract clauses, and business requirements associated with them. Note that Controlled Unclassified Information (CUI) may include many different categories ("CUI Specified") with specific, additional protection requirements beyond un-categorized CUI ("CUI Basic"). It is highly recommended to work with compliance experts like those at Peerless to gain a full understanding of compliance requirements.
  4. Collect materials for the assessment team. Whether running an assessment in-house or through an outside company, you should compile all assessment materials before the process begins. These include policies, procedures, plans, designs, records, manuals, information system documentation, and contractual requirements.
  5. Establish time frames for completing assessments. Put realistic due dates on when each piece of your assessment will be completed. Stick to your timeline throughout the process.

The Benefits of Professional Guidance and Solutions

Because contractors were once able to self-verify compliance, many believed they could navigate the entire compliance process alone. The result was often highly inaccurate, leading to a false impression of compliance and (even worse) leaving the organization more vulnerable to cyber-attacks and security incidents. Now contractors must attest to compliance on their contracts and they're facing warnings of formal audits in the future. With the increasing complexity of frequently evolving compliance requirements, the spotlight on data sensitivity such as CUI, and the seriousness of a potential security breach, it has become critical to work alongside a partner like Peerless with expertise in compliance.

Achieving (and maintaining) NIST compliance is an extensive and continuous process. A compliance expert will guide you through both the implementation of the standards and continued compliance. A compliance expert backed by a team of Cybersecurity and IT specialists will also be able to custom design the best solutions to meet your current and future compliance needs in the most efficient and cost-effective way possible.

Implementing Compliance

  • Assessing your current environment
  • Generating your initial SSP, POA&M, and SPRS Score
  • Designing the required system and policy changes
  • Deploying effective solutions

Continuing Compliance

  • Re-assessing your environment when it changes
  • Updating the SSP, POA&M, and SPRS Score
  • Implementing changes as needs and technology evolves
  • Operating and maintaining a secure, compliant IT environment
  • Conducting regular system audits

The risk and repercussions of a cybersecurity attack, failing to qualify for contracts, or being found in breach of contract are too severe for your business to tackle NIST and CMMC compliance alone.

Consult with an expert to protect your business, your employees, and the sensitive data you work with every day.
