Are you aware of the mandatory cybersecurity DFARS compliance deadline of December 31, 2017? (See Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”)
Cybersecurity guidelines required by the Department of Defense (DoD) are likely to have an enormous impact on the nation's approved manufacturers that received DoD contracts in 2016. As of December 31, 2017, all DoD contractors (including small businesses) must meet minimum cybersecurity requirements or risk losing DoD business. Unfortunately, many manufacturing companies are not even aware of this deadline and what they must do to become compliant.
NIST Special Publication 800-171
NIST Special Publication 800-171 covers the protection of “Controlled Unclassified Information” (CUI) defined as information created by the government, or an entity on behalf of the government, that is unclassified, but needs safeguarding. (See "NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.")
NIST 800-171 provides a set of guidelines that outline the processes and procedures that companies need to implement to safeguard this information.
Learn more about NIST SP 800-171 by downloading the white paper, "What Manufacturers Should Know About NIST 800-171."
Who Needs to Comply
With cybersecurity a focal point for the DoD and all major industries, safeguarding manufacturing supply chains is becoming more important than ever.
Does your company conduct business directly, or indirectly as a tiered supplier, with the US federal government or DoD?
Due to increased concerns about cyberattacks, any manufacturer, either an OEM or tiered supplier, contractually doing business with the DoD, General Services Administration (GSA), or NASA must be compliant with defined cybersecurity requirements as of December 31, 2017.
Companies that are currently working on a contract for the DoD, regardless of tier, need to be aware of the NIST compliance requirements called out in the clauses of their contract.
If you're a manufacturer, you need to make sure you are compliant with your federal government contract.
The standards are outlined in a publication from the National Institute of Standards and Technology (NIST). (See "NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.") The standards fall into 14 areas, each with specific security requirements that must be implemented:
- Access control
- Awareness & training
- Audit & accountability
- Configuration management
- Identification & authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- System & communications protection
- System & information integrity
You can learn more about these categories by downloading Corserva's recent webinar presentation, "How to Comply with NIST 800-171."
Ramifications for Non-compliance
What does this mean for you as a DoD contractor?
If a contractor does not have proof of compliance, the company risks removal from the approved DoD vendor list. The DoD Chief Information Officer must now be notified, within 30 days of contract award, of any of the required security controls (including the cybersecurity requirements) that were not implemented at the time of award.
Don't risk loss of business. There are costs involved in becoming NIST compliant, but you may not need to spend as much as you think. Learn more in "3 Myths About NIST 800-171 and NIST Compliance."
Manufacturers need to prepare for the NIST 800-171 mandate, and you may be wondering exactly what you need to do to meet federal government cybersecurity requirements.
How to Achieve NIST Compliance
UPDATE AS OF FEBRUARY 2020: To increase the cybersecurity posture of companies operating in government supply chains, a new certification has been created, Cybersecurity Maturity Model Certification (CMMC).
The Department of Defense is planning to migrate to the new CMMC framework to enhance the cybersecurity posture of companies participating in government supply chains.
The CMMC framework will require all companies seeking compliance to work with an accredited and independent third-party organization to schedule a CMMC assessment.
Learn more in "Leveraging NIST Assessments to Become NIST Compliant."
- Deadline: December 31, 2017
- What must be protected: unclassified information that still needs safeguarding
- Who must comply: all manufacturers contractually doing business with the US government as a prime contractor or as a sub for a prime contractor
- Ramifications for non-compliance: loss of business, removal from the approved DoD vendor list
- Learning guide, "The Definitive Guide to NIST Compliance"
- White paper, "What Manufacturers Should Know About NIST 800-171"
- Infographic, "About NIST Compliance"
- Presentation, "How to Comply with NIST 800-171"
- Blog post, "Cybersecurity Maturity Model Certification & NIST Compliance"
- Blog post, "3 Myths About NIST 800-171 and NIST Compliance"
- Blog post, "Leveraging NIST Assessments to Become NIST Compliant"
- Solution brief, "NIST Assessments"
Corserva has been in business for over 30 years and offers a large portfolio of IT and consulting services. Our team has a very strong focus on IT security assessments, including assessments for NIST 800-171 and NIST 800-53.