Is NIST 800-171 Subcontractor Compliance Required for DoD Contracts?
Do Subcontractors Need to Comply with NIST 800-171?
The Department of Defense has made it clear that it expects contractors to keep Controlled Unclassified Information (CUI) safe in DFARS 252.204-7012. But what about NIST 800-171 Subcontractor requirements? Do subs need to be compliant as well?
The short answer here is: yes.
If you’re a sub, you need to be compliant with 800-171 if you’re going to be dealing with CUI. Here are a few things you should take care of:
NIST 800-171 Subcontractor Considerations
Get familiar with NIST 800-171
The NIST 800-171 DFARS clause calls you out, so you should take time to familiarize yourself with the requirements and controls. Take a look at this NIST 800-171 Quick Reference to see what type of cybersecurity requirements are involved.
Discuss your compliance plans with your prime
Your prime is going to be very interested in how you handle this. The government has put the responsibility of managing subcontractor compliance on the prime, and the last thing they want is a failed contract because of subcontractor non-compliance. Start the conversation. Let them know where you stand and how you intend to get compliant. You’ll stand out among your peers.
Determine which systems may contain or transmit CUI
Determining scope is an important part of this process. The idea here is to draw a clear line between your systems that will support the contract and possibly store or transmit CUI and those that won’t. The systems in scope will need to be assessed.
Undergo a NIST 800-171 Assessment
Take the plunge and do an assessment. You’ll be setting yourself up for success on your current contract, and you’ll be more attractive as a teaming partner for future work.
Plan to correct any deficiencies
If you find any issues, don’t sweep them under the rug. Make a plan to correct each deficiency (the government calls plans like these POA&Ms – Plan of Action & Milestones). Gather your assessment results and POA&Ms and head on over to your prime. Let them know you’re committed to fixing your issues, and you’ve identified a way forward for each problem.
You’ll be able to complete your NIST 800-171 Self-Assessment at Complyup.