Now that the deadline to comply with the NIST 800-171 mandate has passed (as of December 31, 2017), hopefully you are sitting back, comfortable in the knowledge that you have taken the necessary steps to ensure your company is meeting the cybersecurity guidelines required by the Department of Defense (DoD), providing you a competitive advantage over other manufacturers.
If not, you may be starting to wonder...now what? What's going to happen? Am I too late?
Is it too late?
There are ramifications for non-compliance, but no, it's not too late to start down the path to becoming NIST compliant. In fact, you can realize advantages to becoming compliant with the NIST 800-171 mandate whenever you achieve compliance.
The NIST 800-171 Mandate
If you are a defense or government supplier – or if you are a subcontractor selling to a government supplier – you need to take steps to assess and comply with the NIST 800-171 mandate.
NIST is the National Institute of Standards and Technology. NIST Special Publication 800-171 covers the protection of "Controlled Unclassified Information" defined as information created by the government, or an entity on behalf of the government, that is unclassified, but needs safeguarding. The NIST 800-171 mandate provides a set of guidelines that outline the processes and procedures that companies need to implement to safeguard this information.
Learn more about the process for complying with the NIST mandate by reading "The Definitive Guide to Compliance with the NIST 800-171 Mandate."
Who needs to comply?
You might be wondering, does NIST compliance really apply to my organization? Especially if you never received any formal notification (of that you are aware) from your prime contractor requiring you to do so. Ask yourself, does your company conduct business directly, or indirectly as a tiered supplier, with the US federal government or DoD?
Some organizations will receive direct notification about their need to comply. If you are a manufacturer, you may have been notified by a prime contractor or subcontractor stating that you need to comply with NIST 800-171. Notification can come directly via mail or email. Alternately, you might be notified when logging into a portal that you use for procurement or order management.
Keep in mind that if you receive no notification, this does not mean you do not need to comply with NIST 800-171.
It’s possible the notification was sent but the correct person to receive it never saw it. Corserva has worked with many manufacturers who never received formal notification to comply.
Ramifications for Non-Compliance
As described in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” all DoD contractors (including small businesses) must meet the mandatory cybersecurity DFARS compliance as of December 31, 2017.
If a contractor does not have proof of compliance, the company risks removal from the approved DoD vendor list. The DoD Chief Information Officer must now be notified within 30 days of contract award of any security requirements not implemented at the time including cybersecurity compliance.
Don't risk loss of business. Getting started now will go a long way towards meeting compliance.
Areas of NIST
NIST 800-171 is broken out into 14 different families. For convenience, these families can be summarized into four main areas:
- Monitoring & management
- End user practices
- Security measures
Entities that deal with government CUI should be compliant with NIST 800-171 as of December 31, 2017. Typical entities affected include universities, research institutions, consulting companies, service providers, and manufacturers.
Manufacturing companies that are prime contractors, or sub for prime contractors, that have CUI within their systems and applications will be impacted by this mandate. But there is a lot of inaccurate information floating around about NIST.
"Becoming NIST compliant will cost us tens of thousands of dollars."
No – don’t get ripped off. Affordable plans for becoming NIST compliant are available. Don’t assume you need the services of a very large consulting company, where you might pay tens of thousands of dollars, to become NIST compliant. Also, be wary of unscrupulous vendors who may use scare tactics in an effort to make you sign up with them without properly researching reputable vendors first.
There are costs involved in becoming NIST compliant, but you may not need to spend as much as you think.
"NIST compliance is only necessary for large manufacturers – we're too small."
"We don't work with the government, so we don't need to comply with NIST."
Not true. If you are in the federal supply chain, there is a high probability that you need to be compliant with the NIST 800-171 mandate. As stated above, NIST not only applies to manufacturers directly selling to the government, but to any subcontractor selling to a government supplier. And even if today you do not currently provide parts for any supplier serving the government, do you really want to count yourself out of any future opportunities to sell to a supplier who does serve the government?
"Becoming NIST compliant would take a long time. It's too late for us."
Not true. It’s faster and easier than you think. For most manufacturers, you can make significant progress down the path to NIST compliance within 30 days.
Many companies already have some of the technology in place required for NIST compliance, which can make the assessment less lengthy. In those cases, the assessment will focus on what process changes are needed to meet NIST compliance.
Complying with NIST 800-171
UPDATE AS OF NOVEMBER 2019: To increase the cybersecurity posture of companies operating in government supply chains, a new certification has been created, Cybersecurity Maturity Model Certification (CMMC).
The Department of Defense is planning to migrate to the new CMMC framework to enhance the cybersecurity posture of companies participating in government supply chains.
The CMMC framework will require all companies seeking compliance to work with an accredited and independent third-party organization to schedule a CMMC assessment.
Learn more in "Leveraging NIST Assessments to Become NIST Compliant."
After your NIST assessment, you will have a specific roadmap to follow on the path to achieve compliance. Then, you should plan for ongoing validation on a regular basis to ensure you stay in compliance with NIST 800-171.
The good news for manufacturers who embark on the effort to meet the NIST 800-171 mandate is that it provides a competitive advantage over manufacturers that have not.
Also, a side benefit of becoming compliant with NIST 800-171 is that once you do, you have also made significant progress on the path to comply with NIST 800-53, another competitive advantage. Once you meet the NIST 800-171 mandate, you can contact your customers to let them know, and ask them if they know if all of their suppliers are compliant.
By complying with NIST 800‑171, you will also meet the majority of the criteria for NIST 800-53.
Corserva has been in business for over 30 years and offers a large portfolio of IT and consulting services. Our team has a very strong focus on IT security assessments, including assessments for NIST 800-171 and NIST 800-53.
To learn more, request a quote for a NIST assessment.