NIST Rules for Federal Contractors
January 31, 2018
In 2015, Department of Defense (DoD) contractors that handle sensitive DoD information were given extra time to comply with new department cybersecurity regulations. That grace period is now up, and companies must meet these requirements beginning in 2018.
On Aug. 26, 2015, DoD published a rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the security requirements specified in a National Institute of Standards and Technology Special Publication, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (NIST SP 800-171). NIST SP 800-171 sets out minimum standards and best practices across fourteen “Security Requirement Families,” including access control, incident response, and security assessment of information systems and their controls.
Specifically, NIST SP 800-171 provides a detailed list of basic and derived security requirements, 110 in total, that federal contractors need to employ to meet each of the standards. NIST SP 800-171 describes adequate cybersecurity measures for each of these 110 requirements, which defense contractors and their subcontractors are expected to adopt. On Dec. 30, 2015, DoD published an amended interim rule in the Federal Register that gave large and small contractors more time to bring their companies into compliance, extending the deadline to Dec. 31, 2017.
Beginning on Jan. 1, 2018, contractors that process, store, or transmit controlled unclassified information (CUI) must meet the minimum security standards set out in the DFARS or risk losing their contracts. NIST has a number of resources to help companies understand these requirements and assess their compliance.
If not all 110 security requirements are fully implemented by the deadline, a DoD contractor can still satisfy it by updating its System Security Plan to describe the requirements that are implemented and to identify those that are not. For each requirement not fully implemented, the contractor must have a Plan of Action setting out the plan and schedule for adopting and fully implementing it. While DoD does not prescribe exactly what these documents should look like, it does provide some guidance. According to that guidance, the System Security Plan requirement “requires the contractor to develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.” The Plan of Action should describe “how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when [contractors] will correct deficiencies and reduce or eliminate vulnerabilities in the system.”
In preparing these documents, DoD prescribes no single manner or process to follow. A reasonable first step is for company personnel who know the information system and its security practices to record what is in place, what needs to be added, and what needs to be changed or updated, requirement by requirement, so that the System Security Plan and Plan of Action can be built from that inventory.
NIST’s resources for contractors are provided through its Manufacturing Extension Partnership (MEP). MEP has developed a set of Frequently Asked Questions to help small manufacturers understand the DoD cybersecurity requirements, as well as a handbook to help them self-assess their compliance.
Contractors have 30 days from the award of a contract to report any security requirements not implemented at the time of award. Full compliance is not a one-time event; it requires a process of continuous assessment, monitoring, and improvement. The handbook acknowledges that security control assessments can be challenging and resource intensive and will require cooperation throughout the company. A security assessment requires:
- Understanding the company’s operations and how IT supports them,
- Understanding IT system architecture and the personnel supporting it,
- Access to policies and procedures and technical documentation, and
- Developing a clear understanding of security objectives.
For contractors not already in compliance with NIST SP 800-171, and without a System Security Plan or Plan of Action updated to reflect the current version of NIST SP 800-171, there are two potentially immediate consequences. First, these contractors may be barred from contracting with the government until they can show that they are in compliance with, or working toward compliance with, NIST SP 800-171. Second, because these provisions flow down to subcontractors, a subcontractor may receive calls from the prime contractors and business partners it supplies asking whether it is in compliance with NIST SP 800-171. Failure to comply, or an inability to produce an updated System Security Plan and Plan of Action, could result in the loss of those contracts as well.
NSBA is concerned about the cost of complying with DoD’s NIST SP 800-171 rule, which poses a significant barrier to small businesses engaged in the federal acquisition process. The required overhead is extensive, costly and onerous for both prime contractors and subcontractors, all of whom will need to be compliant.