If you’re not already DFARS 252.204-7012 and NIST 800-171 compliant, NOW is the time to get started to avoid losing current and future Federal contracts. It’s not too late.
Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 has been the buzz of the defense contracting world over the last few months. While it became a final rule in 2016, companies have just now begun to feel pressure to comply with it.
You may have received communications from your customers or have seen announcements from the Government mandating self-attestation of compliance with DFARS 252.204-7012 through the Supplier Performance Risk System (SPRS).
At this point, you may be asking yourself: what is DFARS 252.204-7012? What are the requirements, and how do I comply with them? What are the risks of noncompliance?
Below is a series of frequently asked questions on DFARS.
What is DFARS 252.204-7012?
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is a flow-down clause that obligates United States Department of Defense (DoD) prime contractors to ensure their operations and supply chains meet NIST SP 800-171. All covered contractor information systems not operated on behalf of the government were required to implement the security requirements outlined in NIST SP 800-171 no later than December 31, 2017; customer and DoD audits are already happening. To meet these requirements, obligated companies must demonstrate that their subcontractors and suppliers have accepted DFARS 252.204-7012 and that adequate due diligence was performed.
What is NIST SP 800-171?
NIST 800-171 is short for National Institute of Standards and Technology Special Publication 800-171. This publication was developed after the Federal Information Security Management Act (FISMA) of 2003, making necessary changes to the cybersecurity framework.
Complying with NIST 800-171 is a requirement for all DoD contractors or anyone in their supply chain. Not adhering to it doesn’t just mean you’re practicing poor cybersecurity methods; it means you risk losing out on current and future contracts.
The deadline for compliance with NIST 800-171 was December 31, 2017.
As a result of Executive Order 13556, NIST began working on standards for non-federal agencies that handle Controlled Unclassified Information (CUI). Essentially, it's complementary to NIST 800-53. The resulting work is NIST 800-171, which outlines security standards for contractors and subcontractors, and other non-federal organizations that transmit, process, or store CUI as part of their working relationships with federal agencies.
NIST 800-171 outlines five core cybersecurity areas: identify, protect, detect, respond, and recover. These core areas serve as a framework for developing an information security program that protects CUI and mitigates cyber risks.
NIST 800-171 has 110 security controls grouped into 14 primary areas (control families), ranging from access control to system and information integrity. Within the 110 security controls, there are 320 control objectives that must be met in order to become compliant.
Who Needs To Be DFARS 7012 & NIST 800-171 Compliant?
NIST SP 800-171 is a contractual requirement for the information systems of any non-federal entity (i.e., contractors, vendors, suppliers) that processes, stores, transmits, or protects Controlled Unclassified Information (CUI) for the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). Due to the sensitivity of CUI and the persistent security risks to it, all Government contractors who work with this type of information must follow the NIST SP 800-171 controls. Subcontractors, vendors, and suppliers that do not contract directly with DoD, or that may not even handle CUI, are often still required by prime contractors to meet the compliance requirements.
Where To Start With Your NIST 800-171 Compliance?
It’s recommended that you retain the help of a DFARS / NIST 800-171 consultant to guide you through this complicated process, or hire a Managed Security Service Provider (MSSP).
Here are some basic steps to take to become DFARS / NIST 800-171 compliant and to remain compliant in the future:
- Assessing your current environment
- Generating your initial SSP, POA&M, and SPRS Score
- Submitting that score, SSP, and POA&Ms to the SPRS
- Policy and procedure templates are available if needed
- Designing the required system and policy changes
- Deploying effective solutions
- Re-assessing your environment when it changes
- Updating the SSP, POA&M, and SPRS Score
- Implementing changes as needs and technology evolves
- Operating and maintaining a secure, compliant IT environment
- Conducting regular system audits
A NIST 800-171 Basic Assessment is scored on a 110-point scale. Each of the 110 controls in NIST 800-171 is assigned a “weighted subtractor” value: a control you have implemented keeps its points, while each control you have not implemented subtracts its weighted value. A perfect score is 110, and the score can be as low as -203.
Every company, regardless of size or maturity, starts out with a score of 110. By the time you complete your Assessment or Gap Analysis, your score will have been reduced by a number of points for each unimplemented control, based on the importance of that control.
What Is A Realistic Basic NIST 800-171 Score?
Your first (Basic) Assessment score will almost certainly not be a perfect score of 110 points. In fact, I have never seen a perfect score of 110 for anyone’s basic assessment score. Submitting a perfect score for your basic score submission to the SPRS could be viewed as a huge red flag.
Here are some realistic approximate basic scores that are based on your network’s maturity:
- (75 - 95) Well structured, spent time and money on DFARS-7012 compliance
- (35 - 65) Some technology implementations, weak policy enforcement
- (0 - 25) One overworked IT employee, lack of IT deployment
- (-40) Ignoring compliance requirements or issues
- (-150) No vulnerability patching, no monitoring, no Active Directory structure
A low score or even a negative score is not a bad thing when submitting your basic score. It allows you to see which controls have yet to be implemented. POA&Ms (Plans of Action and Milestones) are used to record and track the noncompliant items. When submitting your basic score, you will also need to provide a planned completion date for all remediations and implementations. Having an SSP (System Security Plan) is an absolute must before submitting your score to SPRS. Not having an SSP is a showstopper.
Do Not Inflate Your Score, Or Else…
This is serious business. Be 100% truthful and accurate with your score. We have helped companies that in the past have self-attested and submitted a perfect score of 110 to the SPRS. This was to show they were compliant, which they were not. This became a red flag for the DoD and for prime contractors flowing work down to subcontractors within their supply chain, especially with no evidence to back up that score. Because they submitted an inflated score, it ended up costing one of these companies several existing major contracts from a very large DoD contractor. They also are not being considered for future contracts until this is corrected and they provide evidence and documentation of their compliance to back it up. They’re still not compliant.
Remember, you can be audited at any time by the DoD or by your customer, who may or may not be a prime contractor for the DoD. Be prepared.
Misrepresentation of compliance to the Government is a violation of the False Claims Act and may result in penalties including:
- Loss of contracts
- Loss of ability to bid on future contracts
- Criminal charges
Budgeting For NIST 800-171 / CMMC Compliance
For small to medium-sized businesses (SMBs), management can be reluctant to spend money on cybersecurity and on the DFARS / NIST 800-171 requirements, but this would be a tactical error in judgment on their part. In order for SMBs to remain competitive and be awarded DoD contracts, DFARS / NIST 800-171 compliance is not a choice. Plan ahead. This is not going away.
A budgeting conversation needs to take place that may include:
- The services of a NIST 800-171 consultant who will guide you through this process
- A team of employees from the IT department along with representatives from several other departments
- Other services, hardware, and software needed to become compliant
Is Financial Assistance Available for Compliance?
Cost sharing is an option that may be available to a heat treater. Cost-sharing programs in various states have covered a majority of the cost, if not all of it, for multiple customers undertaking this critical project. So, there’s no excuse not to comply.
Article provided by Joe Coleman, Cyber Security Office for Bluestreak Consulting. Bluestreak is an Associate Member of MTI. For more information on the content of this article, you may contact Joe Coleman at firstname.lastname@example.org or visit www.go-bluestreak.com.