For many years, the DFARS cyber clause 252.204-7012 and NIST 800-171 have been in existence to safeguard sensitive data on nonfederal computer systems. However, the U.S. Department of Defense’s (DOD) mandatory cybersecurity regulations have not always been consistently enforced.


In order to verify NIST 800-171 compliance, the DOD now mandates a Defense Contract Management Agency (DCMA) audit of ALL contractors. This compliance also applies to their first-tier subcontractors, vendors, and suppliers. Additionally, the Defense Security Service (DSS) is now mandated to supervise and guarantee the safety of Controlled Unclassified Information (CUI) by contractors, subcontractors, and vendors/suppliers.


This means that through Supplier Performance Risk System (SPRS) submission, the whole DOD supply chain will have to demonstrate, record, and prove compliance with NIST 800-171. There is no longer a choice to put off compliance if you want to work with the DOD. 


Here are the 5 steps to stay competitive in the DoD acquisition process and comply with NIST 800-171:


STEP 1. Assess current operations for compliance with NIST 800-171.


Requirement 3.12.1 of NIST 800-171 mandates that you “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.”


The 110 security standards in NIST 800-171 are divided into 14 control “families.” All 110 requirements should be covered by your evaluation. It may be internally directed or carried out by a different party. All contractors must at the very least perform and score a “Basic Assessment” in accordance with the NIST SP 800-171 DOD Assessment Methodology, and then submit the findings via the SPRS.


STEP 2. Generate a System Security Plan (SSP).


Requirement 3.12.4 (SSP, added by NIST 800-171, Revision 1) states that all contractors must develop, document and periodically update an SSP that describes system boundaries, system environments of operation, how security requirements are implemented and the relationships with or connections to other systems.


In a DCMA audit, your SSP is most likely the first thing that will be requested of you. It must accurately reflect how you have actually implemented the required controls. Writing an SSP without fully describing the reality of your controls implementation is a common mistake.


STEP 3. Document Plans of Action and Milestones (POAMs).


Requirement 3.12.2 (Plan of Action) mandates that all contractors develop and implement POAMs designed to outline how and when your organization plans to correct any deficiencies and reduce or eliminate vulnerabilities in your systems.


Because it is unlikely that all 110 security requirements will have been fully implemented in your environment at the time of the assessment, POAMs are crucial. Every unmet requirement should be listed in your assessment along with a POAM for it.


STEP 4. Implement the required controls.


To fully comply with NIST 800-171, you must implement all outstanding controls after your assessment and POAMs are finished. If you rely solely on internal resources, this will probably require a full-time commitment; keep in mind that your employees also have day jobs.


Make sure the answers to the following questions are “yes” if you intend to collaborate with a third party to implement the necessary controls.


  • Have they implemented the NIST 800-171 controls for businesses similar in size and focus to yours? 
  • Have they solved the unique challenges that come with implementing NIST 800-171 controls in manufacturing, lab and engineering environments? 
  • Can they provide references for past engagements?


In engineering, lab, and production settings, implementation can be challenging. These complications should be reflected in both your strategy and the method used by your provider.


STEP 5. Maintain compliance.


Because cyberthreats evolve continuously, compliance is not a one-time goal. A strategy for continuously maintaining compliance, using internal or external resources, must be documented and put into action. Avoid the costly and frequently overlooked error of failing to plan for the requirement to continually demonstrate compliance. Automating and recording your efforts is crucial to meeting this criterion.


Be prepared to answer the following key questions: 


  • How will you detect, respond to and report incidents within the required 72-hour reporting period? 
  • What is your plan to manage subcontractors and suppliers to meet your compliance requirements? 
  • How will you update your SSPs and POAMs as your business and IT infrastructure change?


Compliance with NIST 800-171 not only safeguards critical data but also opens doors to lucrative government contracts. It demonstrates a commitment to cybersecurity, which is a top priority for the DoD. In this era of increasing cyber threats, being proactive in securing sensitive information is a wise business move.


Moreover, staying competitive in the DoD acquisition process requires continuous improvement and adaptation. Companies must stay updated with the latest regulations, technologies, and best practices to remain attractive to the DoD.


In essence, the combination of compliance with NIST 800-171 and a commitment to competitiveness in DoD acquisition creates a win-win situation. It’s a path toward not only safeguarding your business but also thriving in the ever-evolving world of defense procurement. So, keep your cybersecurity measures robust, your knowledge up-to-date, and your business agile to seize the opportunities that lie ahead. Contact us today for a seamless NIST compliance journey.