December 31, 2017 is the deadline for contractors offering goods and services to the Defense Department to comply with National Institute of Standards and Technology (NIST) Special Publication 800-171. This publication defines the safeguards required to protect controlled unclassified information (CUI) in nonfederal information systems. The deadline was established in a 2016 amendment to the Defense Federal Acquisition Regulation Supplement (DFARS) which revised clause 252.204-7012.
In a nutshell, the amendment requires contractors to provide adequate security for covered defense information processed, stored or transmitted on the contractor’s internal information systems or network. Thus the Department of Defense must mark or identify in its contracts the defense information it seeks to cover and the contractor must adequately protect that information by, at a minimum, implementing the controls set forth in NIST SP 800-171.
SP 800-171 is closely aligned with another NIST document, SP 800-53. Both documents organize their controls into 14 families according to their underlying purpose, and the family names are the same. Indeed, SP 800-171 has an appendix that crosswalks its controls to those of SP 800-53, but it makes clear that the SP 800-53 controls are more robust than what SP 800-171 requires. An organization that has implemented all the identified controls of SP 800-53 would meet the requirements of SP 800-171, so this is a valid alternative. Further, it may be prudent to implement the more robust set of controls in SP 800-53 if doing so also satisfies other regulatory requirements; cybersecurity demands and threats appear to be increasing, and SP 800-53 addresses risks to an organization beyond those involved in protecting CUI. It may also be appropriate to implement SP 800-53 controls if the risks to CUI in your organization are greater than those faced by other defense contractors, since the standards set forth in SP 800-171 are a floor for safeguarding CUI.
Organizations that contract with the Department of Defense and are obligated to comply with DFARS 252.204-7012 should review their contracts to define CUI and identify the information systems which hold the CUI. The organization should then, at a minimum, authorize policies that implement the controls required under SP 800-171 and ensure that they are applied to the information systems holding CUI.
Applying these controls will take a lot of effort. Further, companies are required to document that they are in compliance. If any requirements remain unimplemented by the December 31 deadline, the organization will need a plan of action describing how those controls will be met and by what date. The plan must also describe any measures in place that will mitigate the risk while implementation takes place. The wording of DFARS 252.204-7012 establishes that by submitting an offer, the company is representing its compliance. The burden is therefore on the contractor to notify the DoD of any variance from the requirements of SP 800-171 and to have those variances approved by the DoD's Chief Information Officer. Further, some solicitations may require evidence of an implemented security plan as part of any proposal to the DoD.
If your organization is in the process of implementing any of the requirements of SP 800-171 and believes that it will be difficult to meet the December 31 deadline, there is still time. Harris Beach has a robust cybersecurity practice and has partnered with technical service providers to help organizations meet their obligation to comply with DFARS.