Sean McCloat, CISSP
September 27, 2017
4 min read

Learn the Truth About NIST Compliance in the Next 90 Seconds

Are you aware of the mandatory cybersecurity DFARS compliance deadline of December 31, 2017? (See Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”)

As of December 31, 2017, all DoD contractors (including small businesses) that handle covered defense information must have implemented the security requirements of NIST SP 800-171 on their covered contractor information systems, or risk losing DoD business. Unfortunately, many manufacturing companies are not even aware of this deadline and what they must do to become compliant.

In addition, the DoD published a new cybersecurity standard in 2020, the Cybersecurity Maturity Model Certification (CMMC). Depending on the federal contract under which you are working, you may need to meet NIST 800‑171, CMMC, or both.

NIST Special Publication 800-171

NIST Special Publication 800-171 covers the protection of "Controlled Unclassified Information" (CUI), defined as information created by the government, or by an entity on behalf of the government, that is unclassified but still requires safeguarding. (See "NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.")

NIST 800‑171 lists the security requirements that a nonfederal organization must implement on the systems where it stores, processes, or transmits this information.

Learn more about NIST SP 800-171 by downloading the white paper, "What You Should Know About NIST 800-171 & CMMC."


Who Needs to Comply

With cybersecurity a focal point for the DoD and all major industries, safeguarding manufacturing supply chains is becoming more important than ever.

Does your company conduct business directly, or indirectly as a tiered supplier, with the US federal government or DoD?

Due to increased concerns about cyberattacks, any manufacturer, whether an OEM or a tiered supplier, that contractually does business with the federal government must comply with the cybersecurity requirements called out in its contract. For DoD contracts, DFARS 252.204-7012 set the deadline of December 31, 2017; contracts with civilian agencies such as the General Services Administration (GSA) and NASA carry their own safeguarding clauses under the FAR.

Companies currently working on a DoD contract, regardless of tier, need to be aware of the NIST requirements called out in the clauses of their contract; a prime contractor is expected to flow the clause down to its subcontractors.

If you are a manufacturer, you need to make sure you are compliant with the cybersecurity terms of your federal government contract.

Read the guide to learn more about NIST 800-171 & CMMC.


NIST and CMMC


NIST Standards

The requirements are outlined in a publication from the National Institute of Standards and Technology (NIST). (See "NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.") The publication groups its security requirements into 14 families, each containing specific requirements that must be implemented.

The 14 families are:

  1. Access control
  2. Awareness & training
  3. Audit & accountability
  4. Configuration management
  5. Identification & authentication
  6. Incident response
  7. Maintenance
  8. Media protection
  9. Personnel security
  10. Physical protection
  11. Risk assessment
  12. Security assessment
  13. System & communications protection
  14. System & information integrity


Ramifications for Non-compliance

What does this mean for you as a DoD contractor?

If a contractor cannot demonstrate compliance, the company risks removal from the approved DoD vendor list. The clause also requires the contractor to notify the DoD Chief Information Officer within 30 days of contract award of any NIST SP 800-171 security requirements not implemented at the time of award.

Don't risk loss of business. There are costs involved in becoming NIST compliant, but you may not need to spend as much as you think. Learn more in "3 Myths About NIST 800-171 and NIST Compliance."

Manufacturers need to prepare for the NIST 800-171 mandate, and you may be wondering exactly what you need to do to meet federal government cybersecurity requirements.


How to Achieve Compliance

To increase the cybersecurity posture of companies operating in government supply chains, a new certification has been created, the Cybersecurity Maturity Model Certification (CMMC).

The Department of Defense is building on NIST 800-171 with the CMMC framework to increase the security posture of the Defense Industrial Base (DIB). CMMC does not replace the NIST 800-171 requirements; it adds a way to verify that they are implemented.

Under the CMMC framework, you may need to undergo a CMMC assessment by an outside party, or you may be able to self-attest to CMMC compliance. Which applies depends on the CMMC level you need to meet and the type of information you handle in performance of a contract.


Recap


Purpose:

  • Protecting unclassified information that still needs safeguarding

Who:

  • All manufacturers contractually doing business with the US government as a prime contractor or as a sub for a prime contractor

Risk:

  • Loss of business for non-compliance, removal from approved DoD vendor list

Reference:

  • NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations"
  • DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting"

About Corserva

Corserva has been performing NIST assessments for companies who need to comply with NIST 800-171 since 2015.

Corserva can advise companies in their preparation for a CMMC assessment by a CMMC Third Party Assessment Organization (C3PAO), the type of organization authorized to perform CMMC certification assessments.

Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and we are listed on the CMMC-AB Marketplace.

As an RPO, Corserva is authorized by the CMMC Accreditation Body (CMMC-AB) to provide pre-assessment consulting services to government contractors and other Organizations Seeking Certification (OSC).

Learn more about our NIST assessments and CMMC readiness services.


Sean McCloat, CISSP

Sean is responsible for Corserva's network and security operations centers, field services, sales engineering, data center operations, and professional services. He has an intense focus on delivering exceptional customer service across a wide array of client engagements. With 25+ years of national and global experience in the IT industry, Sean has real-world experience at the corporate and enterprise levels of healthcare, advertising, and logistics organizations. In addition to his CISSP certification, Sean is a CMMC-AB Registered Practitioner (RP). He leads Corserva's assessment and compliance team, guiding companies in meeting business objectives with NIST 800-171 and CMMC.
