If you are reading this, the December 31st, 2017 deadline to implement NIST 800-171 has passed! Does that mean all Department of Defense (DoD) contractors are now compliant? If not, where should they go from here and what are the consequences of non-compliance?
Last year, the DoD awarded an estimated $18.2 billion[1] in contracts through its 36 federal accounts to companies that provide goods and services. Further, approximately $7.8 billion was awarded to research universities.[1] Both groups are subject to NIST 800-171 compliance. With this large volume of revenue at stake, contractors and universities must diligently comply with NIST 800-171 to preserve their piece of the contract pie.
Unfortunately, there are a number of challenges in addressing compliance, and the risks of not becoming compliant include loss of contracts, censure, or possible debarment. According to KPMG’s Director of Cyber Security, John Kupcinski, compliance mandates will only continue to grow. The DoD issued draft rules[2] in April that will allow agencies to assess “controls not implemented” and the relative risk of hosting Controlled Unclassified Information (CUI)/Covered Defense Information (CDI) on contractor systems. Ultimately this guidance is intended to help agencies manage their vendor risk; it could influence which vendors receive new procurements and inform how existing contracts are maintained.
Mr. Kupcinski also noted that civilian agencies are not far behind the DoD. The NIST 800-171 requirement has been seen in a number of RFPs issued over the past year. Additionally, the General Services Administration’s (GSA) regulatory agenda released in January[3] included a plan to formalize cybersecurity rules for its government contractors. This anticipated rule will impact a significant number of government contractors. In 2016, 18,313 entities held GSA Schedules and received over $45 billion from government agencies.[4]
As universities look to deliver on research, the 800-171 compliance process can seem daunting. It’s important to start with a data mapping exercise, says Mr. Kupcinski. “Understanding what contracts with your university require 800-171 compliance is an imperative first step.” If there is any doubt, contact the contracting officer (CO) to confirm whether the contract involves access to CUI/CDI.
Once in-scope contracts are identified, it’s important to understand how CUI/CDI is transferred, stored, processed, and destroyed as it relates to these contracts. This will allow officials to pinpoint which systems will require the NIST controls. In NIST SP 800-171, the security requirements of the framework are organized in fourteen “families” (see Table 1).[5]
Table 1. Security Requirement Families

| Security Requirement Families | |
|---|---|
| Access Control | Media Protection |
| Awareness & Training | Personnel Security |
| Audit & Accountability | Physical Protection |
| Configuration Management | Risk Assessment |
| Identification & Authentication | Security Assessment |
| Incident Response | System & Communications Protection |
| Maintenance | System & Information Integrity |
Ultimately, a successful 800-171 program has several characteristics:
- Understand which contracts require handling of CUI/CDI
- Identify which systems are used to store, process, or transfer CUI/CDI
- Identify and engage with all stakeholders, since implementing controls will take broad organizational buy-in
- Understand the current security posture: developing a baseline will help articulate where the control gaps are
- Prioritize remediation based upon risk
- Understand the requirements around continuous monitoring
Mr. Kupcinski is a Director in KPMG’s Cyber Security practice, where he helps clients understand how to align their cyber agenda with dynamic business and compliance priorities. Additionally, he is an expert on NIST 800-171 and has spoken and written on this topic extensively. He can be reached at [email protected] if there are further questions on this topic.
[1] As of September 2017, reported by USASpending.gov: https://www.usaspending.gov/#/explorer/agency