NIST 800-171 Services for DoD Contractors
In an ever-changing compliance landscape, it is easy to lose sight of where we started, where we are today, and how we got here. The story of compliance around Controlled Unclassified Information (CUI) began in 2015, when the National Institute of Standards and Technology (NIST) published NIST SP 800-171. Since then, the DFARS clause that mandates it and the CMMC program that verifies it have entered the equation and built on this original framework. Given the dynamic nature of compliance in government contracting, organizations need to take a holistic approach, and to understand the foundation on which current compliance standards are built, it is worth starting with NIST 800-171 itself.
What is NIST 800-171?
How is NIST 800-171 Assessed?
Who needs to follow NIST 800-171?
Simply put, organizations that handle CUI must adhere to the NIST 800-171 requirements. This includes both prime contractors and subcontractors working for the Department of Defense (DoD), research institutions receiving federal grants, and any organization that stores, handles, or processes CUI on behalf of a federal agency. Organizations can confirm whether they handle CUI by carefully examining their government contracts for the relevant clauses and by checking documents for a CUI designation block. This block is a physical marking on the government document that identifies the issuing agency, the category of CUI it contains, and any dissemination controls.
According to the DCSA, “CUI shall be identified in the issuing DD254, Request for Quote (RFQ), Request for Proposal (RFP), and/or supporting contract documentation when they exist. For existing contracted efforts, Industry should review current contracts and engage with Government Contracting Activity (GCA) to determine which, if any, CUI requirements are applicable to current contracts and the appropriate way forward.” Today, NIST 800-171 holds significant importance for several reasons.
Shielding the Pentagon
This framework aims to protect the Pentagon’s supply chain (the Defense Industrial Base) and the CUI that its members store and process on their own, nonfederal systems.
Required by Law
Its requirements became binding on DoD contractors through the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which required covered contractors to implement NIST SP 800-171 no later than December 31, 2017.
Prerequisite for CMMC
The 110 security requirements of NIST 800-171 are exactly the set assessed for DoD contractors falling under Cybersecurity Maturity Model Certification (CMMC) Level 2.
The Path to SPRS 110
Organizations can implement an in-house plan to reach a score of 110 in the Supplier Performance Risk System (SPRS), the maximum self-assessment score under the DoD Assessment Methodology, or partner with a third party such as IsI to guide them through the process. The following six steps will need to be followed:
1. Review the requirements. The NIST website has documents available for download that explain each of the 110 required controls.
2. Perform a self-assessment. This establishes your current level of compliance against the NIST 800-171 requirements and produces your initial SPRS score.
3. Conduct a gap analysis. Following your self-assessment, identify where your current security controls fall short of the requirements.
4. Develop a Plan of Action and Milestones (POA&M). Outline your path for addressing each gap, including the specific actions to be taken, a timeline, and the resources required.
5. Remediate. Implement the actions outlined in step 4 to close the gaps and reach compliance.
6. Monitor continuously. Keep tracking your compliance initiatives so that you stay current with the requirements. NIST 800-171 has undergone several revisions since its initial release, the latest being Revision 3 (published in 2024); note that DFARS 252.204-7012 assessments and CMMC currently still reference Revision 2 under a DoD class deviation, so confirm which revision your contract cites before assessing.
The IsI Experience
When you partner with IsI, you get far more than simple NIST consulting. Our NIST compliance services are delivered by a team of experts who live and breathe NIST 800-171. Reaching an SPRS score of 110 is not an overnight process, but with IsI at your side the administrative burden that accompanies this initiative is greatly reduced. Our team specializes in cybersecurity tool deployment, evidence gathering, gap assessment and analysis, development of the Plan of Action and Milestones (POA&M), GCC data migration, and much more. Once we have helped your organization reach compliance by deploying our NIST solution, our continued management provides you with:
- IT, compliance, and cybersecurity support
- An annual NIST 800-171 assessment
- Cybersecurity training/testing
- Bi-annual business reviews