NIST 800-171 Compliance Updates – self-attestation is no longer enough.
Thanks to our IT Compliance Specialist, Lisa Burgarella, for the great information in this post.
It’s been more than a year since Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 went into effect, requiring defense contractors and subcontractors to adopt specific measures to protect sensitive defense information and report cyber-incidents. Effective December 2017, the clause calls for compliance with 110 information security requirements contained in the National Institute of Standards and Technology (NIST) Special Publication 800-171. It also requires contractors and subcontractors to report cyber-incidents within 72 hours of occurrence, and to provide forensic evidence, as requested, to support investigation and corrective action.
When the clause was first published, defense contractors simply had to attest to their own compliance during the contracting process. The Pentagon has made it clear through this NIST 800-171 compliance update, however, that self-attestation is no longer sufficient. Under Secretary of Defense for Acquisition and Sustainment Ellen Lord issued a memo in late January stating that the Defense Contract Management Agency (DCMA) will oversee compliance with DFARS 252.204-7012/NIST 800-171 for all contracts it administers, including a review of the contractor purchasing systems used to ensure that subcontractors are fully compliant. In other words, prime contractors’ processes for reviewing subcontractor compliance are going to be scrutinized by the DCMA and will be a factor in contract award. The memo also states that contracts not administered by the DCMA (such as Navy shipbuilding contracts) will undergo a similar review.
Review of contractor procurement processes is one of a number of steps being taken by the DoD to address compliance across the entire supply chain. DoD CIO Dana Deasy has noted that the Pentagon is worried about compliance breakdowns at lower level suppliers. And Assistant Secretary of Defense for Acquisition, Kevin Fahey, has stated that the Pentagon is developing a plan to use third parties to audit and certify contractors and subcontractors.
All of which points to a need for defense contractors, regardless of size or position in the supply chain, to be audit-ready: an accurate NIST 800-171 assessment completed, a System Security Plan (SSP) documented, and a Plan of Action and Milestones (POA&M) developed to achieve full compliance in a reasonable timeframe.
The above NIST 800-171 compliance updates are examples of how these requirements and controls are becoming increasingly important to your business. TC Engine can guide you through the process of complying with these regulatory requirements. Additionally, our specialists can integrate trade controls into your System Security Plan (SSP) and Plan of Action and Milestones (POA&M). Contact us below to get started today!