Top 10 Mistakes in Implementing the NIST 800-171 Cybersecurity Requirements

Businesses supporting the U.S. Department of Defense work have 10 weeks left to fully comply with the cybersecurity provisions of the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 and associated clauses. At Sera-Brynn, we’ve been advising clients on the DFARS and NIST requirements since 2014, and we’ve seen mistakes from companies of all sizes and levels of sophistication. Here are the top 10 most common ones.

Mistake #1: Expecting the deadline to be extended. The December 31, 2017 deadline is not expected to be extended. The August 2015 revision was the first to require implementation of NIST 800-171, but this rule has been in effect in various forms since November of 2013, which means defense contractors have already had nearly four years to address security of covered information.

Mistake #2: Implementing technology without evaluating business process. Some of the NIST 800-171 controls can be met with technology solutions. Many can be met with process or policy solutions, and a significant number will require both. Effective technology, based on an assessment of risk and technology, won’t improve overall security unless it is properly applied at the right place and right time.

Mistake #3: Not naming names. Sometimes, when a security responsibility is not assigned to a specific person in the organization by name, the job just doesn’t get done. We see that security controls are often unmet in companies because everyone assumes someone else is doing it.

Mistake #4: Bad documentation. Companies routinely fail to include enough detail in the Plan of Action and Milestones (“POA&M”) and the System Security Plan (“SSP”), or don’t maintain them once they’ve been created. Both of these plans are required by the NIST 800-171 controls. The POA&M should identify gaps in the implementation of all 110 controls, assign a specific person or role in the organization as the one responsible for implementation or maintenance, and include concrete ways to remediate the identified gaps with an expected completion date. The SSP is the comprehensive document that outlines how the information system and controlled information are protected.

Mistake #5: Failing to flow the DFARS clause down the supply chain. The DFARS clause includes a mandatory flow-down clause to subcontractors. Why? In the Defense Industrial Base, vendors in the supply chain are a recognized vulnerability. The workplace today includes constant coordination with vendors and customers through emails, exchange of data, and document sharing, creating an opportunity for cyber attack. If a subcontractor is not secure, it’s your problem too, and the law addresses this.

Mistake #6: The Incident Response Plan is … lacking. Common shortfalls include not having enough information gathered upfront and not having the reporting procedure in place before an incident occurs. When the clock is ticking after an incident occurs or is discovered, this is key to meeting the reporting requirements.

Mistake #7: Forgetting about cloud services being used. Email systems, SaaS, backups and other cloud-based databases that house your data may trigger DFARS clauses specific to cloud service providers. A CSP storing or processing controlled information needs to be FedRAMP-authorized or the equivalent. Moving data to the cloud is not a release from responsibility.

Mistake #8: Not properly scoping the environment. Along with identifying Covered Defense Information, and all other data types that trigger legal obligations, companies need to take a hard look at where the data resides, where it flows, and who has access to it. Ask questions. Are the personnel who operate 100% of the time on a government site within scope? Are the personal devices of personnel working remotely within scope? What about emails to parent companies, holding companies, sister companies, vendors, law firms, accounting firms, and the like? To what extent is a managed service provider at issue? What data is being created in support of the project and where does this reside? These are the kinds of questions that will begin to help scope how and where to implement the NIST controls.

Mistake #9: Not understanding the adjudication process. There is a process to inform the government if security controls are not being met or if alternate but equal security measures are in place. The adjudication process varies depending on whether the request is related to NIST controls or the DFARS clause itself.

Mistake #10: Assuming the organization doesn’t have CUI. While the CUI Registry markings are not widely used yet, controlled information can be found in everything from technical drawings to contract language. CUI categories are broad and include everything from personally identifiable information to export-controlled information. And even if you don’t have CUI on your network, some provisions of the clauses may still apply.

Sera-Brynn has been performing independent third-party assessments under DFARS since 2014. We can help with a path to compliance. Contact us today.


Heather Engel is Sera-Brynn’s Chief Strategy Officer and an expert in federal compliance frameworks, including 800-171 and the RMF.

Colleen H. Johnson is Sera-Brynn’s senior cyber legal analyst. She can be reached at

For more information on Sera-Brynn, visit: