Now that April is here, we are nine months away from NIST 800-171 compliance for defense contractors. As the deadline approaches, it will become more difficult to implement the controls in a cost-effective way that actually offsets risk. If your organization hasn’t already started, further delays will impact your ability to think carefully about what you need and how to do it.
NIST 800-171 Checklist and Step-by-Step Instructions
If you haven’t started yet, here is your NIST 800-171 Checklist. Every organization is different, so step-by-step instructions to achieve DFARS compliance won’t flow exactly the same way for everyone, but the starting point is always understanding where CDI is stored, processed, and transmitted.
First, evaluate your contracts to ensure that you fully understand all the clauses. Although DFARS 252.204-7012 is required in all contracts for the DoD, there may be additional clauses with specific security requirements. Contracts with Federal agencies contain FAR 52.204-21 (which provides a very basic set of requirements), so be especially watchful when reviewing those contracts.
Next, understand what CDI is, how it maps to the CUI Registry and how it is handled within your organization. This is also a good time to conduct a risk assessment. You’ll need a baseline of risk to make decisions on implementing controls, and you also need to define your accreditation boundary.
Now it’s time to conduct a gap assessment. This is a brutally honest evaluation of which controls are fully implemented, which are only partially implemented, and which are not implemented at all. All the information from the previous steps will help here with interpreting the meaning of the controls and applying NIST 800-171 in a way that is effective for your organization’s risk profile.
Once your gap assessment is complete, your organization is ready to start closing gaps. While this seems straightforward, many of the requirements can be complex and costly to implement, especially at scale.
What are the NIST 800-171 Requirements?
In short, there are 14 sections broken down into 110 required controls. The sections cover risk management and computer security principles that should be familiar to anyone working in information technology:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Will there be a DFARS deadline extension?
Just like the Magic 8-Ball, signs point to no. The DFARS clause has been in contracts since 2013 and includes provisions for reporting non-compliance and adjudicating controls that have not been fully implemented by the December 2017 deadline. In fact, the December 2017 deadline is already an extension, granted on December 30, 2015.
What is the penalty for non-compliance?
Penalties already exist for not complying with acquisition clauses including action under the False Claims Act, negative past performance ratings, lower award fee scores, and termination for default. By signing a contract and submitting an invoice, your organization agrees to comply with all clauses in the contract.
We can help. Contact us today to identify your way ahead.