NIST 800-171

NIST states: “All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or risk losing their DoD contracts”. The DoD CIO has mandated that all companies, and their subcontractors, doing business with the Department of Defense must comply with DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7012 / NIST SP 800-171.

More recently, as of November 30, 2020, certain DoD prime contractors and subcontractors must complete a cybersecurity self-assessment before receiving new DoD contracts and before new options are exercised under existing DoD contracts. Starting Nov. 30, the Pentagon requires government contractors to submit a self-assessment of their compliance with the 110 controls in NIST Special Publication 800-171, establishing a new cyber regime for Defense Department contractors that will have a wide-ranging impact on the DoD supply chain.

There are 110 controls across 14 families in NIST SP 800-171 that DoD contractors must implement (number of controls in parentheses):

  • Access Control (22)
  • Awareness & Training (3)
  • Audit & Accountability (9)
  • Configuration Management (9)
  • Identification & Authentication (11)
  • Incident Response (3)
  • Maintenance (6)
  • Media Protection (9)
  • Personnel Security (2)
  • Physical Protection (6)
  • Risk Assessment (3)
  • Security Assessment (4)
  • System & Communications Protection (16)
  • System & Information Integrity (7)

IMPLICATIONS OF NON-COMPLIANCE

Termination for Default

  • A government agency may exercise its right to terminate a contract for failure to comply with mandated cybersecurity and IT requirements.

Breach of Contract

  • Non-compliance with the security requirements can be treated as a breach of the contract.

Liquidated Damages

  • Government agencies may add provisions for damages when sensitive personal information is involved, ranging from $35 to $5,000 per affected file.

False Claims Act

  • Prime contractors and subcontractors will be held liable under the False Claims Act if they submit any false information.

To help monitor risk, we check the following forward-looking metrics:

  • Time it takes to detect and mitigate cyber incidents
  • Volume of unknown devices connected to the internal network
  • Vendors that are non-compliant with security requirements
  • Employees failing phishing tests
  • Effectiveness of current education, training, and awareness

Questions to Ask:

1. How can government contractors accurately and cost effectively assess their cybersecurity compliance to NIST SP 800-171?

2. What actions do U.S. government contracting officers plan to take if government contractors fail to comply with DFARS 252.204-7012 (the NIST SP 800-171 compliance requirement) after the Dec. 31, 2017, deadline?

3. How should government contractors pay for this additional cybersecurity compliance expense?

4. Do I have to purchase cybersecurity liability insurance?

5. Will prime government contractors be held contractually responsible and financially liable for cyber-related damages caused by their subcontractors and/or third-party partners’ failure to comply with NIST SP 800-171?

6. How can government contractors staff and retain high-quality cybersecurity talent to meet the increasing number of government information security compliance standards when considering the highly competitive marketplace and global shortage of cybersecurity professionals today?
