NIST 800-171 Compliance

The Department of Defense has given qualified contractors until the end of the year to comply with the NIST 800-171 requirements.

NIST Overview

On January 21, 2019, Ellen Lord (Under Secretary of Defense for Acquisition and Sustainment) issued a second memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits of a Contractor’s purchasing system. Much like the DoD IG audits that many contractors have been subject to in the past few months, the intent of this guidance is to have DCMA “validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012.”

(DFARS 252.204-7012 requires contractors to “implement” NIST SP 800-171.) Neither the November 6th guidance nor the January 21 Lord memorandum define “Tier 1 Level Supplier,” but from the context of the December 17 Fahey memorandum it appears that DoD intends it to be interpreted broadly to include first-tier subcontractors, vendors and other suppliers.

If you are a subcontractor, vendor, or supplier to a Tier 1 Level Supplier for the government, you must implement all of the security requirements and controls outlined in the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171—Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations—by December 31, 2017. If you don’t, you risk losing your contracts and costing your organization millions of dollars in lost revenue:

“…the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. . .” The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017…”

- Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012

If you are a subcontractor, vendor, or supplier to a Tier 1 Level Supplier, you are mandated to comply with DFARS Clause 252.204-7012 and NIST 800-171.

This includes audits by the DoD Inspector General (IG) “to determine whether DoD contractors have security controls in place” to protect covered defense information (CDI), as well as enhanced security controls for certain high-risk contractor networks.

Mandate Language

January 21, 2019

The Undersecretary of Defense

Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, as a means to safeguard the Department of Defense's (DoD's) controlled unclassified information (CUI) that is processed, stored or transmitted on the contractor's internal unclassified information system or network. Contractors are required to flow down this clause in subcontracts for which subcontract performance will involve DoD's CUI.

To effectively implement the cybersecurity requirements addressed in DFARS Clause 252.204-7012 and NIST SP 800-171, I have asked the Director, Defense Contract Management Agency (DCMA) to validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012. Specifically, DCMA will leverage its review of a contractor's purchasing system in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration, in order to:

  • Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers.
  • Review Contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.