Have (or Want) Federal Contracts?  What You Need to Know About DFARS 252.204-7012/NIST 800-171

You’ve probably heard about the recent SolarWinds hack, which exposed a tremendous amount of government and corporate data to Russian hackers.  While the scale was shocking, the hack itself was not. Foreign countries are constantly looking for sensitive US government information, especially defense-related information – and private contractors are a major source of that information.

NIST 800-171

That’s why the Defense Department requires both prime contractors and their subcontractors to have safeguards in place to prevent theft of defense-related information. In typical government fashion, this regulation is named DFARS 252.204-7012, and it requires compliance with another document called NIST 800-171. This requirement doesn’t only apply to prime contractors – anyone with DoD-related revenue is required to meet the requirements for any “Controlled Unclassified Information” (CUI) they create or store. So if you (or a customer of yours) are receiving revenue from the Department of Defense, you can probably expect to receive a questionnaire on your company’s NIST 800-171 compliance whenever the contract comes up for renewal.

What is NIST 800-171?

The newest revision of the requirements was released early last year by the National Institute of Standards and Technology. There were minor changes in the introductory chapters, but fortunately no significant changes to the requirements. There are 14 categories of security requirements, ranging from Physical Protection (who has physical access to the computers containing CUI?) to Incident Response (how will you detect a breach, and what’s your containment strategy?).

Unfortunately, you can’t just write some thoughtful responses to a questionnaire to be compliant.  Compliance requires process documentation, employee training, and an audit process that detects and documents each time that the mandated process wasn’t followed.

When the Department of Defense audits a contractor (prime or subcontractor), they’ll want to see the logs where instances of noncompliance are documented. What they don’t want to see is a contractor claiming to be 100% compliant. The Department of Defense knows that if there’s no log, there’s probably no compliance.

How Can I Get Compliant?

Since these are cybersecurity guidelines, your in-house IT team or IT Service Provider should be able to help you with this.  Some of the technical aspects required for compliance may be included in a typical Managed Service contract, such as Access Controls and Maintenance, but those items would need to be well-documented by policies and procedures in order to be considered compliance measures.  Others, such as System and Information Integrity, may require services that aren’t included in a basic Managed Service Contract but can be added to ensure you can continue doing business with the government and with government contractors.

Just make sure that your team is giving you an honest, complete picture of what you’ll need to do in order to maintain compliance rather than trying to paper over shortcomings. Improperly certifying compliance becomes very expensive if you’re audited!

Give us a call at 919-460-7011 to learn how we help our clients with NIST 800-171 compliance so they can continue having access to this major revenue source.