Since 2017, any federal contractor working in association with the Department of Defense (DoD) is required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 – Protecting Unclassified Information in Nonfederal Information Systems and Organizations.
While the deadline for compliance is long overdue for any contractor working with the DoD prior to 2017, new businesses may find the many requirements of SP 800-171 confusing. In this article, we’ll give you the rundown on this important regulation, and why compliance is essential for any federal partner.
Supplement to the FAR Rules
Federal Acquisition Regulation (FAR) rules were created to keep agencies accountable when procuring services or resources with government dollars. FAR covers everything from the terms of business relationships to “basic security controls” for government contractors, and violating these rules is a serious offense.
Until three years ago, FAR was lagging behind new technology in terms of security controls. With a new cybersecurity clause added in 2016, NIST SP 800-171 was created as a supplemental regulation, with the official title ‘Defense Federal Acquisition Regulation Supplement (DFARS), which now serves as the contractor’s standard for protecting digital assets.
Protecting Controlled Unclassified Information (CUI)
With a narrower focus than its parent regulation, DFARS outlines strict rules for systems that handle sensitive information and data not meriting a “classified” designation. So-called controlled unclassified information (CUI) is broad in scope, encompassing almost any data – scientific, financial, or operational – exchanged in the course of a government contract.
In practice, this means that DFARS will apply to almost any non-federal organization working with the DoD in any context, unless otherwise specified, requiring them to implement a strict System Security Plan (SSP) for all systems handling CUI in the course of contract work.
An SSP devised under DFARS will have to meet requirements ranging from security controls to incident response and physical protection. Importantly, organizations will be expected to:
- Implement rigorous access controls – system access will require suitably strong authentication along with role-based permissions to block unauthorized users.
- Conduct risk and security assessments – organizations are required to undergo periodic risk and security assessments to determine and remediate areas of weakness.
- Train personnel for compliance – an organization will be held responsible for training its own personnel and anyone using its systems to observe security protocol and prevent risk.
- Undergo audits and submit reports – the DoD is serious about DFARS compliance. Organizations will have to undergo audits and submit detailed reports on their activities, systems and SSPs. Violations can result in fines or prosecutions.
Scope of Systems
Under DFARS, any system involved in the transmission or storage of CUI must be protected. This includes:
- Email systems
- Content management platforms (CMPs)
- Cloud-based storage
- Project collaboration tools; and much more.
To comply with NIST SP 800-171, contractors must take inventory of any and all systems within their organization through which CUI will pass even once.
Understanding the Importance of DFARS
At first glance, the level of effort required to comply with DFARS may seem excessive. But today, it’s more important than ever for federal contractors to understand the value of information.
Under the International Traffic in Arms Regulations (ITAR), CUI is carefully regulated alongside military technology, arms and services exported to foreign nations. There’s a good reason for this; in the past decade, the U.S. has come under a slurry of cyberattacks from around the world targeting critical infrastructure and federal IT.
The world’s best hackers are strategic and know how to use seemingly benign resources to compromise systems and access further intelligence that can be used to subvert national security. Compliance with DFARS is one way to ensure that no cracks open in the public sector leaving critical assets vulnerable.
Securicon Can Help
To become NIST SP 800-171 compliant and avoid costly violations, organizations must take security seriously, take stock of their IT assets and fix vulnerabilities before they can be exploited. With a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!