NIST 800-171 – 12/31/2017 – Less than 90 days until the deadline!
Contracted information systems not part of an IT service or system operated on behalf of the Government must adhere to the following requirements:
Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012
. . . the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Non Federal Information Systems and Organizations. . .” The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. . .
Controlled Unclassified Information is defined as information related to ‘the performance of the contract” that the DoD provides to the contractor or which the contractor acquires in support of the contract. This requirement drastically impacts the number of systems considered to be in-scope of a gap assessment. System information covered can be grouped into four categories;
Export-controlled information, technologies like nuclear or biochemical information.
Controlled Technical Information with military or space application subject to controls.
OpSec information that an adversary could use to guarantee failure.
Any additional information specifically identified in the contract
NIST SP 800-171 outlines the basic safeguarding requirements that must be implemented. The publication includes 14 control families with more than 100 individual controls. Contractors who own or operate information systems that process, store, or transmit federal contract information need to ensure their security implementation provides sufficient protection against a range of cyberattacks.
Gap assessments should be completed to determine what controls are not implemented and a roadmap and IT Security plan should be developed to remediate identified gaps. Implementing these security controls is a first step to becoming compliant and can be quite a big undertaking for small and medium-size businesses.
Critical Path Security can help.
Being out of compliance leaves you in breach of contract and subject to criminal, civil, administrative, and contractual actions. Penalties, damages, and other appropriate remedies will be pursued by the United States.