DoD Cybersecurity, DFARS, and
NIST SP 800-171 Compliance
NIST SP 800-171 Compliance
DoD cybersecurity compliance, DFARS compliance, and NIST SP 800-171 compliance have become large scale concerns for all Department of Defense (DoD) contractors since they were made effective in December 2017. DoD issued this mandate in order to address new challenges to cybersecurity and the risk that sensitive DoD data may be exposed to in the event of a data breach.
That means that all DoD contractors that process, store, or transmit Controlled Unclassified Information (CUI) must comply with the minimum security standards outlined in the Defense Federal Acquisition Regulation Supplement (DFARS).
All DoD contractors must now meet a set of DoD cybersecurity requirements, including:
- Ensuring that all unclassified DoD data stored on a contractor’s internal servers are protected with appropriate cybersecurity safeguards.
- Assessing and minimizing the consequences of a data breach with an incident reporting and damage assessment mechanism.
Put simply, these are the main areas of focus that DoD contractors of any size or scope must be aware of in order to maintain contracts with the DoD.
These requirements come out of the National Institute of Standards and Technology (NIST). In 2015, NIST released Special Publication 800-171 “Protecting Unclassified Information in Non-federal Information Systems and Organizations” (NIST SP 800-171). In this publication, NIST outlines cybersecurity standards meant to protect the confidentiality and integrity of government data shared with non-federal entities. The DoD adopted the standards outlined in NIST SP 800-171, meaning that all DoD contractors now must be compliant with these cybersecurity guidelines.
What are DoD Cybersecurity NIST SP 800-171 Compliance Requirements?
There are two cybersecurity standards that must be addressed by all DoD contractors to achieve DFARS compliance. These guidelines are meant to protect the confidentiality of CUI. They include:
- Providing adequate security safeguards to protect CUI kept on internal data systems/servers.
- Rapidly reporting all cyber data breaches/incidents and cooperating with DoD to respond and track, including providing access to affected media and malware.
DFARS identifies security safeguards and requirements that impact many aspects of CUI data security. By following the guidelines outlined in NIST SP 800-171, DoD contractors may address their DFARS compliance. A summary of NIST SP 800-171 guidelines that contractors will be expected to address include:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Creating an Effective Compliance Program
The important thing to remember about any effective compliance program is that compliance is not a check-the-box exercise. When it comes to addressing regulatory compliance standards, your business needs to implement a solution that allows you to continually reassess, monitor, and track your compliance.
The DoD has begun auditing contractors for DFARS compliance based on NIST SP 800-171 cybersecurity safeguards.
Contractors who are audited by the DoD who are not compliant with DFARS and NIST SP 800-171 will likely be issued a stop-work order, meaning that they will need to cease working on contracts and handling CUI until proper compliance measure are put in place. The DoD may also impose fines or financial penalties, which include damages for breaches of contracts and false claims.
If the non-compliance is severe enough, the DoD can terminate contracts and even bar the DoD contractor in question from working with the DoD on future projects.
In order to prevent these strict penalties for non-compliance, DoD contractors must implement an effective compliance program that addresses the full extent of DFARS and NIST SP 800-171 guidance.
