The deadline for nonfederal contractors and subcontractors to meet DFARS NIST-171 compliance to maintain government contracts is December 31, 2017. Starting January 1, 2018, organizations must demonstrate compliance to win new and/or uphold existing Department of Defense (DoD) contracts. Organizations with existing contracts who fail to be compliant by 2018 may face breach of contract litigation.
According to the Digital Journal, approximately 170,000 organizations could be affected, losing about $580 billion in DoD contracts if compliance is not met.
Are You Affected?
Compliance is mandated for any nonfederal contractors and subcontractors doing business with the DoD. Organizations that handle, transmit, or store covered defense information (CDI) are required to implement safeguarding controls consistent with government-level security.
When determining if an organization is affected, it’s important to understand the terminology that categorizes information. In DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, CDI is defined as “unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI), that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies.”
CDI is segmented into five main classifications:
- Covered technical information (CTI)
- Covered Contractor Information Systems (CCIS)
- Operations security
- Export controlled information
- Controlled unclassified information (CUI)
All information defined in the CUI Registry is considered CDI. Therefore, an organization can determine if the information processed falls under regulation by referring to the CUI Registry. The CUI Registry lists all categories and subcategories as well as descriptions of the information covered.
Examples of CUI include but are not limited to:
- Research and engineering data
- Computer software executable code and source code
- Personally identifiable information (PII)
- Legal proceeding documents
Complying with DoD Contracts
With all the information, it can be difficult to know where to start. Any organization concerned about applicability should follow these five steps:
- Identify what information is covered based on the CUI Registry
- Document where the information is stored, processed, or transmitted
- Clarify the scope of compliance required
- Implement the necessary controls, policies, and procedures
- Assess and monitor
As part of contractual obligations, organizations must demonstrate compliance with NIST 800-171. To do so, nonfederal contractors and subcontractors must adhere to the requirements outlined and be tested against the NIST 800-171 guidance which can be done by an independent third-party to assess compliance.
Through the assessment process, an organization’s controls, policies, and procedures will be measured in effectiveness as compared to the federal information security requirements associated with DFARS.
A-LIGN’s Here to Help
As a full-service security, compliance, and privacy firm, A-LIGN provides organizations a variety of federal assessment services.
With experience in completing not only NIST 800-171, but also FISMA and FedRAMP Assessments, our team of knowledgeable assessors helps organizations understand the security requirements in a way that can be translated to an organization’s own operations as well as develop a holistic plan of action for protecting the confidentiality of CDI.
It’s not too late to become DFARS NIST 800-171 compliant, start today and win new DoD contracts in 2018.
If you have any questions on becoming compliant with NIST 800-171 standards, please reach out to one of A-LIGN’s experienced assessors at [email protected] or 1-888-702-5446.