The DoD December 31st Compliance Deadline
It’s coming… the DoD December 31, 2017 deadline is less than a year away. While you’re busy ringing in the new year, your contracting business may instantly become disqualified from bidding on Department of Defense work. The government has given you until December 31, 2017 to prove that you have a mature cybersecurity program in place. If you don’t have your ducks in a row, your next proposal with get thrown out for being non-compliant. Simple as that. How can you avoid this?
NIST 800-171 Compliance
On December 31, 2017, all Department of Defense contractors need to be NIST 800-171 Compliant. This new policy comes from a DFARS clause (DFARS 252.204-7012) entitled “Safeguarding Covered Defense Information and Cyber Incident Reporting”.
What Is NIST 800-171?
NIST 800-171 is a publication that describes 110 security requirements for protecting “Controlled Unclassified Information”. In this regard, CUI is essentially any unclassified technical information that has anything to do with the DoD (formal definition here). The government wants to be sure you can handle their information safely while working on contracts.
NIST 800-171 Security Requirement Families
The security controls are split up into 14 families.
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Start Planning Now
The time to figure out how you’re going to comply with NIST 800-171 is now, while you’ve still got some runway. Several agencies are already including the compliance clause in their RFPs, and the rest will follow soon. You should begin by determining what systems are covered. This is going to differ from contractor to contractor, and possibly from contract to contract. Once you’ve scoped it out, you need to take a hard look at the 110 requirements. Remember, the government is used to undergoing FISMA assessments. They have a certain way of meeting the 800-53 requirements. This generally entails significant documentation with an unbelievable level of detail. It wouldn’t be surprising if they expect contractors to put in the same level of effort. Put a plan in place, and get moving on this. Nothing would be worse than putting time and money in a proposal only to find out you’re disqualified for non-compliance.