Non-compliance with NIST 800-171 for government contractors can mean contract termination, criminal fraud or breach of contract. If your sub-contract work and the third-party isn’t compliant, you’re also liable. The Dec. 31, 2017, deadline is approaching to comply with NIST 800-171 as mandated in the Defense Federal Acquisition Regulation Supplement (DFARS).
Here’s a quick overview of what DFAR can mean to IT solution providers, and suggestions on how to meet the deadline.
Why does NIST 800-171 exist?
The DFAR requirement is in place to protect the confidentiality of Controlled Unclassified Information (CUI) in non-federal systems. This requirement mandates liability and responsibility for all contractors and sub-contractors to safeguard and protect data to all components of information management systems.
What are the key requirements?
There are 14 areas of requirements outlined in the NIST special publication: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, system and communications protection, and system and information integrity.
Many of the items outlined above are something you’re most likely doing today, like authenticating identities of users accessing systems and ensuring personnel is trained to perform their duties effectively. These two areas, probably the most significant in terms of policy change for your current security posture, are mentioned explicitly in DFARS:
- Reporting for cyber incidents – contractors are required to report any cyber incidents within 72 hours of detection
- Review of cyber incidents – once an incident is identified and reported, contractors are required to conduct a review of the compromise including servers, data and user accounts
Steps to Compliance
While there’s no formal certification for the NIST 800-171 requirement, compliance is based on the honor system like PCI and HIPAA. The list of requirements spans five pages, which can be overwhelming to understand and figure out where to start on this journey. Here are a few tips to help you:
- Download a copy of NIST 800-171 here.
- Understand what CUI means to your organization. Set clear definitions, so you know what needs to be addressed.
- Complete a data audit. Know where CUI is stored, processed and transmitted throughout the network.
- Document your system of how data flows, formal policies and procedures.
For additional information, contact your Tech Data Government Solutions account rep. Connect with the team on Twitter @TechDataGov and LinkedIn “Tech Data Government Solutions.”