NIST SP 800-171 Compliance for Government Contractors

The initial deadline for government contractors to be compliant with NIST SP 800-117 was December 31, 2017, but that passed and there was much discussion in the community whether this would be a focus for contracting officers. Recent events have brought this to the fore and it is clearly a high priority now in the DoD community. This blog post helps explain how the standard applies to your company.

Every day, the news is filled with stories about cyber-attacks or breaches. What if one happened to your company, would you be ready? How do you get started?

One of the best ways to protect your company is to begin to define security processes, procedures, and controls, and the time to start is now.

Being prepared to handle cyber-attacks will ensure that your business operations and valuable data are protected. As a government contractor, you have the added responsibility of safeguarding our nation’s valuable data assets. To guarantee that risks are mitigated, cyber risks standards are now being applied to contracts that are issued by the DoD. 

The standards are outlined in the Defense Federal Acquisition Regulation Supplement (DFARS). The DoD requires contractors to demonstrate cybersecurity adherence for protection of Covered Defense Information (CDI) and Controlled Unclassified Information (CUI), or Unclassified Controlled Technical Information (UCTI). If there are any doubts about the nature of your data, make sure to discuss with your Contracting Officer (CO).

nist blog 1.jpg
Exhibit 1 - Types of Information

 

Expect to see the following DFARS references in your contract. You will be expected to demonstrate compliance to these standards.

nist blog 2.jpg
Exhibit 2 - DFARS Clauses - Cybersecurity

 

The three DFARS clauses above mandate that defense contractors adhere to the security requirements, demonstrating cybersecurity protections are adequate to protect information from attack. The security requirements are specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

For ease of use, the security requirements are organized into fourteen families. Each family contains the requirements related to the general security topic of the family. There are 110 controls around non-classified controlled information. This sounds like a lot but keep in mind the type of information that is being protected. In many cases, these controls represent best practices that you may already have adopted.

NIST Compliance Control Families
Exhibit 3 - 14 Control Families

 

Defense contractors must also have in place a mechanism and communication plan if they identify an incident or breach. The notification must happen with 72 hours of the breach. Incident reporting is done via the DoD’s Defense Industrial Base (DIB) Cyber Incident Reporting & Cyber Threat Information Sharing Portal. Be prepared to address the necessary information on the form and provide supporting documents and evidence relating to the breach. 

What Do You Have to Do to Reach NIST Compliance?

Contractors initially faced a deadline of December 31, 2017 to attain compliance with all the security requirements in NIST SP 800-171. Contractors that don’t have all the NIST controls implemented must submit a written explanation of how 1) the required security control(s) is not applicable, or 2) an alternative control or protective measure that is used to achieve equivalent protection. All controls must be addressed, either through implementation, remediation, and/or documented explanation of non-applicability.

Getting prepared for this requirement is important for your company. You may consider hiring a consulting service to assist you on this journey. It is critical for the overall success of keeping and winning new government contracts.

 

Your Unanet Project Management and Accounting System

The Unanet hosted environment on the AWS cloud will provide the basis for your compliance. We have been diligent regarding compliance requirements as we approach the December deadline.

Unanet undertakes, and passes an annual SOC 2 audit. Our cloud provider is mapping the requirements for NIST SP 800-171 (and NIST SP 800--53 compliance, in the case of CDI stored in cloud systems). 

This section discusses NIST requirements which relate to:

  1. Multi-Factor Authentication
  2. Identification & Authentication Controls
  3. Cyber Incident Reporting
  4. Data Encryption

 

  1. Multi-Factor Authentication

To deliver robust support for individual customer’s requirements for multi-factor authenticated access both to Unanet and other information systems which contain CUI, Unanet integrates with leading providers of Identity and Access Management (IAM) tools such as OneLogin, Duo and Okta, and other providers via SAML.

 

  1. Identification & Authentication Controls

IAM vendors, such as those identified above, include robust capabilities related to logon management, and password complexity and reuse that satisfy the relevant NIST Controls.

 

  1. Prompt Cyber Incident Reporting

Customers using Unanet’s cloud offering will be notified of any unauthorized intrusion.

 

  1. Data Encryption

The requirements for data encryption are met through use of SSL, and the availability of the Unanet cloud platform in a FedRAMP Moderate environment that uses data encryption at rest. Contact your Customer Success Manager for more information.
 

US-Based Support

You should also be aware that all Unanet software is developed, hosted and supported in the United States, and exclusively by US citizens.

This is not a requirement of the NIST standard. It does, however, provide an important additional measure of assurance to government contractors. This is especially important in comparison to other industry ERP software developed and supported in countries known to conduct state-sponsored hacking of US organizations. To learn more, check out our on-demand webinars.

Kim Koster

Kim Koster

Kim is an experienced executive who brings over 30 years of experience in project management, project accounting, EVMS,  government contract and accounting compliance, and communications.

"With Unanet we reduced invoice processing time by 65%. All invoices are now delivered with 48 hours of period end." - Keith Mortier CEO, LunarLine
"Our experience with Unanet has been such a vast improvement over our old combination of Deltek T&E and Spreadsheets. "- Brandon Labonte President & CEO, Ardentmc
"We initially used to use Unanet for our timesheets. Now we use it to rework our business. It's amazing. It saves us millions. It improves process and has changed the way we manage our business." Finance Manager, CB Richard Ellis
"We selected the Unanet PSA product suite because it works, is simple to administer, and has rich functionality."- Brian MacDonald Director of Information Systems L-3 Communications Corporation
"The Unanet support team provides the best support I have ever encountered.  Great job and thank you!"- Nick Wagner Director of Quality Management, The ESCO Group