Understanding NIST SP 800-171
If you are a defense contractor, you have heard of NIST 800–171, and have likely been stressed out at some point trying to figure out the best way to comply with the set standards. If you do business with the Department of Defense, you have already been required to certify that you are compliant with their standards. If you do business with the rest of the federal government or want to at all in the future, it is vital to know more about these standards and how to ensure compliance.
Why NIST 800–171 Matters The DOD makes these standards a requirement. When you submit an offer to the DOD for its acceptance, you have certified that you are complying with the standards. By early 2019, these standards will not just be incorporated into DOD contracts but will apply across the entire federal government too. And they do not just apply to prime contractors, but to be “flowed down” to the subcontractors as well. In other words, if you have any subcontract in place, DFARS requires that compliance with these standards must be a part of the subcontract as well. If you do business with the federal government, you must take the steps required by these standards. What NIST 800–171 Does The government recognized in the cybersecurity environment that sensitive information was at risk and therefore imposed uniform standards for contractors to apply if they came into possession of any of this information. The standards are an entire set of operating principles and procedures that contractors must have. If you have certain sensitive information on your servers, even if it is not classified, the standards generally state certain security requirements for you to follow in order to protect this information. They will generally aim to get contractors to apply the same measures that the government would if this information was housed on a federal server.
What if Contractors Do Not Comply? Failure to comply would have numerous impacts on your business. Right now, contractors are required to self-certify that they have complied with these standards in order to be eligible to receive a contract. From the government’s standpoint, it makes sense to ensure that contractors that may have sensitive information on their servers can actually protect that information. When you certify that you have complied and do not actually comply, you can get in some serious trouble. You can lose your contracts with the government through termination. The government can suspend or debar you, which will prevent you from getting future contracts. You can also be subject to lawsuits under the False Claims Act since certification would have been part of your proposal to win the contract.
If the DOD Inspector General shows up on your doorstep to audit your business, it is a serious matter. The DOD intends to audit contractors to make sure they are complying with these standards. Eventually, the responsibility to ensure that contractors are complying with these standards will rest with one governmental entity, which will likely lead to increased audits.
The Importance Given the media attention and the negative effects of the many data breaches this past decade, there is likely to be significant attention paid to these standards. Government budgets for cybersecurity have expanded, so it is logical for the federal government to be vigilant and stringent when sensitive information is housed on its contractors’ servers.
If you’re not compliant, try our platform for free to get started.