How Will You Keep Your DOD Contracts?
Before diving into this article, grab a pencil and paper. Jot down any questions that come to mind regarding compliance and your DOD contracts. Then, register for “Keep Your DOD Contracts,” a SEWN Webinar on June 15 with Black Bottle IT.
With the recent ransomware breach of the Colonial oil and gas pipeline and the attack on the JBS meat supplier, cybersecurity within our government and its supply chain is a pressing topic. The current administration has accelerated the compliance protocol. This was highlighted by the May 18th testimony of Deputy Assistant Secretary of Defense for Industrial Policy Jesse Salazar before the Senate Armed Services Committee, in a hearing on “Cybersecurity of the Defense Industrial Base” (DIB). Much of his testimony focused on securing Controlled Unclassified Information and American companies through compliance protocols such as the Cyber Security Maturity Model, or CMMC. CMMC is the new compliance standard set to be released by 2025, and it will replace NIST 800-171. Until CMMC is released, NIST 800-171 compliance is mandatory for companies looking to work within the Department of Defense supply chain. Manufacturers can use this national agenda both as best practice for accelerating compliance in their own organization and as a roadmap to a better security posture.
Demands from DOD & NIST 800-171
The Department of Defense demands that companies looking to work within its supply chain have a strong cybersecurity and physical security posture. To achieve this objective, the DOD and Defense Industrial Base (DIB) demand that companies working within their supply chain work towards NIST 800-171 compliance. However, by 2025 NIST 800-171 will be replaced with the Cyber Security Maturity Model (CMMC). Fortunately, companies that meet all 110 controls of NIST 800-171 will be CMMC level 3 prepared.
This blog aims to clear up confusion and provide the key terminology your manufacturing group needs. It explains a great deal about DFARS NIST SP 800-171, the compliance standard for “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” But what is it really?
What Is DFARS, and How Does It Relate to NIST 800-171?
The DFARS (Defense Federal Acquisition Regulation Supplement) requires defense contractors to comply with specific cybersecurity requirements detailed in NIST 800-171. These standards specify the proper manner in which covered defense information (CDI) or controlled unclassified information (CUI) must be handled and protected.
What is CMMC?
CMMC stands for Cyber Security Maturity Model. CMMC is anticipated to replace NIST 800-171 by 2025 and consists of 5 levels. The level of CMMC compliance your company will need to meet is determined by which DOD contracts your company is looking to secure.
When your organization becomes 100% NIST 800-171 compliant, it is also CMMC level 3 prepared. CMMC level 3 consists of all 110 NIST 800-171 controls plus an additional 20 controls unique to CMMC level 3. If you want to get ahead of the curve and your competition when CMMC is released, so that you can continue to secure DOD contracts, the best step you can take now is to become 100% NIST 800-171 compliant.
As a Small Manufacturer, Does NIST 800-171 Apply?
DFARS applies to all prime and subcontractors (no matter the size) doing business with the Department of Defense. If you don’t handle CDI/CUI, you must still get an exception and may still need to comply with DFARS and NIST 800-171. Compliance with NIST 800-171 is mandatory for anyone working within the DOD/DIB supply chain.
What’s the Big Deal?
Failure to comply with NIST 800-171 may subject contractors to penalties either by the United States Government (e.g., criminal, civil, administrative, and contractual actions in law) or by people or private organizations impacted by related failures (e.g., actions for damages). In a nutshell, your manufacturing organization will be at risk of losing DOD contracts without meeting compliance.
NIST 800-171 contains 110 separate controls across 14 categories, all of which require compliance.
The 14 categories are:
Access Control
Audit and Accountability
Awareness and Training
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Physical Protection
Personnel Security
Risk Assessment
Security Assessment
System and Communications Protection
System and Information Integrity
All of the categories address some form of information control, and the standards in each category describe how that control must be administered to assure the privacy and security of the data it covers. Together, the standards of NIST 800-171 give every entity the guidance needed to safely manage its data (from whatever source) from entry, through use and storage, to deletion.
How Does My Company Begin the NIST 800-171 Compliance Process?
First Step: Gap Analysis. To continue to do business with the DOD, your company will need to have completed a “Gap Analysis” to determine which controls you comply with today.
Second Step: SSP & POA&M. Once a “Gap Analysis” is completed, your company will need to create a System Security Plan (SSP) and a Plan of Actions and Milestones (POA&M).
Your company’s SSP is a document that describes system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. Your SSP demonstrates which of the 110 controls your company is in compliance with and which it is not. Additionally, it documents the evidence proving that your company complies with those controls. According to the 2020 Interim Rule, the SSP is mandatory to achieve any compliance with NIST 800-171. Your POA&M documents which of the 110 controls your company is not in compliance with and gives a roadmap for how these areas of non-compliance will be addressed, including the timeline for when your company plans to have them addressed and by whom. These documents will need to be continually updated in order to maintain compliance.
Once your company has completed its “Gap Analysis” and created its documentation (SSP, POA&M), it will need to generate a “Supplier Performance Risk System” score (SPRS score). This score is generated based on which of the 110 guidelines your company complies with, and it can range from +110 to -203. In short, it grades your “Gap Assessment” results. The score is then uploaded to the PIEE website. To secure contracts within the DOD supply chain, this score must be generated and uploaded.
In order to receive a perfect SPRS score of +110, your company will need to be compliant with all 110 controls. A perfect SPRS score is not mandatory in order to be NIST 800-171 compliant; however, your documentation (SSP and POA&M) is mandatory. Your SPRS score reflects your physical and cybersecurity posture, so a poor score may limit your ability to secure specific DOD contracts that require a higher score.
The “Gap Analysis” and the documentation created from its results (SSP, POA&M) will also be necessary for CMMC. Having this documentation in place, and being 100% NIST 800-171 compliant, will leave your company in an excellent position to be CMMC level 3 prepared when CMMC is fully released.
Contact Black Bottle IT to learn how you can get started today.