Before 2010, the federal government took a patchwork approach to protecting controlled unclassified information (CUI). Each agency had its own ad hoc policies and procedures for marking and handling it, leading to confusion, inconsistency and inefficiency. In November 2010, the White House issued Executive Order 13556, establishing an open and uniform program for safeguarding CUI across the executive branch, civilian and defense agencies alike.
In June 2015, the National Institute of Standards and Technology (NIST) issued Special Publication 800-171 to define how CUI must be protected when it is stored, processed or transmitted on nonfederal systems, such as the networks of contractors, universities and state and local governments that work with federal agencies. Defense contractors are the best-known audience, but the requirements apply to any nonfederal organization that handles CUI on behalf of a federal agency.
In simple terms, many organizations that want to do business with the federal government must meet the requirements of NIST 800-171. NIST publishes the standard; for the defense sector it is imposed by DFARS clause 252.204-7012, which requires contractors to implement NIST 800-171 and to flow the clause down to their subcontractors. It therefore applies not only to prime contractors but to every organization in their supply chains that handles covered defense information.
What Are the NIST 800-171 Requirements?
The Federal Acquisition Regulation (FAR) is the broad set of rules governing the award and management of federal contracts. While FAR applies to all federal agencies, the Defense Federal Acquisition Regulation Supplement (DFARS) adds provisions specific to Department of Defense (DoD) procurement. Its safeguarding clauses do not govern classified information, which is handled under separate rules; they apply to covered defense information, a category of CUI, and lay out stringent cybersecurity and cyber incident reporting requirements.
NIST 800-171 is the fundamental component of DFARS cybersecurity compliance. Revision 2 of the publication, the version DFARS and CMMC currently reference, contains 110 security requirements organized into 14 families; the companion assessment guide, NIST SP 800-171A, breaks those requirements into 320 assessment objectives. (Revision 3, published in 2024, reorganizes the material into 97 requirements in 17 families, but DoD has kept Revision 2 in effect for contract purposes for now.) The requirements cover hardware and software configuration, access control, audit logging, security awareness training and more.
In addition to mandating specific controls for protecting CUI, NIST 800-171 emphasizes a risk-based approach to security. Organizations must periodically assess their environments to identify risks (requirement 3.11.1) and take steps to mitigate them. They must also maintain a System Security Plan (SSP) that describes the system boundary, the operating environment and how each of the 110 requirements is implemented (3.12.4), and a Plan of Action and Milestones (POA&M) that tracks each gap between the SSP and the current environment along with the date by which it will be closed (3.12.2).
What Is the CMMC Framework?
Supply chain partners in the Defense Industrial Base (DIB) must also achieve Cybersecurity Maturity Model Certification (CMMC). Depending on the level and the contract, compliance is verified by an annual self-assessment, by a certified third-party assessment organization (C3PAO) or, at the highest level, by DoD's own assessors. CMMC is a framework of cybersecurity practices drawn from multiple standards, reference models and specifications, including NIST SP 800-172, a supplement to NIST 800-171 that adds enhanced requirements for protecting CUI against advanced persistent threats.
As originally published, CMMC added 61 practices beyond the 110 NIST 800-171 requirements across a five-level maturity model. CMMC 2.0, announced in November 2021 and codified in a final rule in 2024, streamlined this to three levels: Level 1 covers the basic FAR safeguards, Level 2 is the full set of 110 NIST 800-171 requirements, and Level 3 adds 24 selected requirements from NIST SP 800-172. The intent is unchanged: federal contractors and subcontractors must have security controls that align with the risk associated with the contract award.
Nearly all DoD suppliers, including those that handle only federal contract information, must meet CMMC Level 1, which consists of the 15 basic safeguarding requirements in FAR 52.204-21 and is verified by an annual self-assessment. Level 2 is for contractors handling CUI, such as network configuration documentation and military equipment specifications; it requires all 110 NIST 800-171 requirements and, for contracts DoD designates, a C3PAO certification assessment every three years. The original five-level model also required organizations to document and institutionalize their processes at Level 2 and above; CMMC 2.0 dropped those separate process-maturity requirements, so the practices themselves are what is assessed.
Is It Worth the Investment?
Achieving DFARS, NIST 800-171 and CMMC compliance can be expensive, but it’s an investment that pays big dividends. It qualifies your organization to participate in the DoD supply chain and provides competitive advantages. It also strengthens your overall security posture, reducing the risk of a costly cyberattack.
The first step is a readiness assessment to identify gaps. In addition to documenting existing security policies and controls, organizations should run vulnerability scans and penetration tests to detect weaknesses that could expose CUI. The findings feed the SSP and the POA&M, and the remediation plan should recognize that the CMMC levels are cumulative: Level 2 includes every Level 1 requirement, and Level 3 builds on Level 2.
It’s also important to develop the right partnerships. Verteks has expertise in cybersecurity and understands these requirements. We can help you assess your current environment and ensure that all the required security controls are in place.
Protecting CUI has been a focus of the DoD since 2010. By complying with NIST 800-171 and DFARS, organizations can demonstrate their ability to safeguard sensitive data and gain the credentials needed to participate in the DoD supply chain. Contact Verteks to get started.