Your organization has until December 31, 2017 to implement NIST SP 800-171 if you have contracts with the United States Department of Defense (DoD) or are a subcontractor to a prime contractor with DoD contracts. This requirement is stipulated in the Defense Federal Acquisition Regulation Supplement (DFARS).
NIST 800-171 is complex in nature but there is no certification process involved. Similar to PCI DSS and HIPAA, NIST 800-171 compliance is based on the honor system. This means that "NIST 800-171" compliance involves self-attesting that your organization complies with all applicable requirements. Non-compliance of one or more subcontractors could lead to serious repercussions for prime contractors, meaning that NIST 800-171 needs to be taken very seriously.
A non-compliant contract with the U.S. Government could lead to...
- Contract Termination. Tthe U.S. Government will terminate contracts with prime contractors over noncompliance with NIST 800-171 requirements since it is a failure to uphold contract requirements.
- Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is a misrepresentation of material facts, which is a criminal act.
- Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. The likely scenario for a NIST 800-171-related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., NIST 800-171 controls).
Noncompliance is significant and could have a huge impact on your organization's well being. It's important that you take and implement the right steps towards compliance with NIST 900-171. We've outlined three of those key steps below.
1. Define CUI As It Applies To Your Organization
Many prime contractors do not have clear guidance from contracting officers and this reality isn't going to change anytime soon. Being proactive about this situation can prove beneficial.
- Check your contract to see if CUI is defined.
- Based on your contract, review the CUI Registry for examples of CUI.
- Create a Memorandum for Record (MFR) that establishes your case for what you determine your CUI to be.
- If you are a subcontractor, provide that MFR to your prime contractor with a response deadline. For prime contractors, provide that MFR to your government contracting officer.
- Even if you don't get a response, you'll at least have evidence of due diligence where you took reasonable steps to define and seek clarification on your CUI.
2. Scope Your Network To Minimize Compliance
Once your CUI is defined, it's time to identify where it is stored, processed, and transmitted on your network(s).
- If you do not have comprehensive Data Flow Diagrams (DFDs), generate them specific to how CUI traverses your network.
- Now that you have DFDs, generate architectural network diagrams that document what network-based controls exist in your environment to protect CUI.
- With the DFD and network diagrams, you'll find ways to segment off the CUI environment to lower the scope of compliance to a small percentage.
- You may want to leverage similar concepts from PCI DSS compliance since organizations have saved significant time and money by minimizing the Cardholder Data Environment. The same can hold true for CUI data and complying with NIST 800-171.
3. Generate Evidence of Compliance
- After you know what your CUI is and where it is located, you need to go through Appendix D and E of NIST 800-171 to know which controls are applicable to your environment.
- There may be controls that are not applicable or only applicable to a small percentage of your network. This is where you need to generate documentation to explain how these controls are complied with or are not applicable to your situation.
- Some controls will be administrative in nature, such as having documented policies, standards, and procedures. Other controls require technology solutions. This is where you have to generate evidence that is specific to your organization.
- If you do want to engage a cybersecurity consultant, go through those requirements and address the “low hanging fruit” controls and document what your organization currently does, since most of the controls are not highly-technical or complex in nature. This will save you considerable consulting fees and will allow your consultant to focus on the more complicated questions that you have.
NIST 800-171 requirements will be enforced in a matter of months, if you are a contractor, it's important that you understand what type of regulations your organization will have to follow. Organizing and managing all of the requirements for NIST 800-171 can be automated using our cloud-based compliance solution, K2 Compliance.