Ensure You Are Eligible to Bid for DoD Contracts With a NIST SP 800-171 DoD Assessment
The US federal government continues to increase focus on cybersecurity and has established requirements for companies which must be met to be eligible to bid for and work under DoD contracts. Understanding these requirements and how they apply to your company can be a challenge. Ecuron brings years of experience and expertise to assist clients to achieve, maintain, and demonstrate compliance in a fast and efficient manner. This article outlines the requirements and how Ecuron can help.
Organizations that provide services or products to any department of the US federal government have to comply with regulations that define cybersecurity requirements under their contract obligations. This is especially true for companies that belong to the Department of Defense (DoD) supply chain and the Defense Industrial Base (DIB). There are two main categories of regulations:
- Federal Acquisition Regulation (FAR): This applies to any federal contract for any department.
- Defense Federal Acquisition Regulation Supplement (DFARS): This includes additional requirements for DoD contractors specifically. NIST SP 800-171 compliance is at the heart of these rules. Currently, compliance is proven by performing a NIST SP 800-171 Assessment, also called a NIST SP 800-171 Basic (or Self-) Assessment. The upcoming Cybersecurity Maturity Model Certification (CMMC) will not replace but rather augment these existing requirements.
NIST SP 800-171 is a compliance framework that outlines the security controls companies should implement to protect information and their information systems. It covers 110 controls across 14 domains, ranging from physical protection to access control and incident response. NIST SP 800-171 compliance is mandated by two DFARS clauses for DoD contractors that handle Controlled Unclassified Information (CUI):
- DFARS 252.204-7012
This clause covers protecting Federal Contract Information (FCI) as well as Controlled Unclassified Information (CUI). The core of this clause is the requirement to implement all controls included in the NIST SP 800-171 standard, and it has been in effect since the beginning of 2018. This means that for more than four years all DoD contractors handling CUI have had to be compliant with the NIST SP 800-171 control requirements.
- DFARS 252.204-7019
The focus of this clause is on monitoring and increased accountability for the NIST SP 800-171 requirements mandated by the previous clause. Effective November 30, 2020, all contractors in the Defense Industrial Base (DIB) handling CUI must have completed a NIST SP 800-171 Basic Assessment and submitted their score to the Supplier Performance Risk System (SPRS). This score may not be more than 3 years old. A score obtained from a Medium or High assessment performed by the DoD itself may also be submitted if it is not more than 3 years old.
In addition, a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) document outlining the remediation plan, including a timeline, must exist.
How we can help with the NIST SP 800-171 DoD Assessment:
We provide NIST assessment services and implementation support services tailored to your specific NIST SP 800-171 needs. Clients find our assistance invaluable in navigating the compliance process for the FAR, DFARS, and upcoming CMMC cybersecurity contract obligations. Ecuron’s NIST SP 800-171 Assessment & Consulting services reduce the time and resources needed for you to comply with DFARS and NIST SP 800-171. With our help you can be confident of a successful outcome, reducing the chances of lost time, unnecessary effort, and expenditure. Our NIST-related services include:
NIST SP 800-171 DoD Assessment package:
- Gap Analysis or NIST 800-171 Compliance Gap Assessment:
Our Gap Analysis is an on-site assessment of all 110 security controls at the location in scope. This NIST assessment is designed to reveal inadequate system setup, gaps in your network, physical security, and processes that may not meet NIST SP 800-171 requirements. This gap analysis and the resulting detailed report provide the basis for carrying out your own remediation plan, or allow you to take the findings to a cybersecurity service provider, such as Ecuron, to do the remediation for you. At the end of the on-site visit we will provide you with the score from the NIST SP 800-171 DoD Assessment, which you can then submit to SPRS.
- Development of a System Security Plan (SSP):
The SSP is a key document that includes all the hardware, software, functions, and features of your IT environment. In addition, it includes information about how you plan to respond to security incidents that occur on the network.
- Development of a Plan of Action and Milestones (POA&M) document:
The POA&M is a document which outlines the action items needed to remediate any gaps and reach compliance, together with the timeline to get there.
Both documents, the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M), allow you to prove that you are working towards NIST SP 800-171 compliance. They are required by the DFARS 252.204-7019 clause.
NIST SP 800-171 Compliance Consulting
We would love to help as you work towards NIST SP 800-171 compliance, whether you are considering the first step or are already on the road. To discuss your NIST/CMMC requirements and schedule a complimentary 30-minute consultation, email us at email@example.com, use the form below, or give us a call: +1-713-646-5044.
Last changed: 8/23/2022