13 December 2019
What Is the NIST SP 800-171 and Who Needs to Follow It?
This article originally appeared on IndustryWeek. Guest blog post by Traci Spencer, Grant Program Manager for TechSolve, Inc., the southwest regional partner of the Ohio MEP, part of the MEP National Network™.
By: Traci Spencer
Manufacturers in supply chains tied to government contracts can expect those awards to bring in revenue at levels that might not be reachable otherwise. However, winning and keeping such work means complying with the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS).
FAR is the set of regulations that governs acquisition and contracting procedures across the U.S. government. DFARS supplements FAR for Department of Defense (DoD) acquisitions. DoD administers DFARS, but its clauses reach well beyond that organization: they flow down from prime contracts to subcontractors and suppliers at every tier.
NIST SP 800-171 is a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI) when it resides on non-federal systems. Defense contractors must implement the requirements in NIST SP 800-171 to demonstrate that they provide adequate security for the covered defense information in their contracts, as required by DFARS clause 252.204-7012. If a manufacturer is part of a DoD, General Services Administration (GSA), NASA or other federal or state agency supply chain and handles CUI on its own systems, implementing the security requirements in NIST SP 800-171 is a must.
How Do You Implement NIST SP 800-171?
It's understandable for manufacturers to wonder what they should do to implement NIST SP 800-171 and ultimately reach DFARS compliance, and whether specialized resources exist to help them get there without preventable pitfalls. The first thing to keep in mind is that becoming DFARS compliant usually involves working with a cybersecurity consultant who knows the NIST SP 800-171 requirements inside and out.
Small manufacturers should look to their state's Manufacturing Extension Partnership (MEP) Center. Each center is part of the MEP National Network™, the larger organization that connects them to NIST, and the representatives at a local MEP Center have a working knowledge of NIST SP 800-171 and can help companies prepare for DFARS compliance. The effort can be short or long, depending on the complexity of a company's operating environment and information systems, but implementing NIST SP 800-171 is a necessary process for a company to protect its information.
What Does a Successful Plan Entail?
Manufacturers that want to retain their DoD, GSA, NASA and other federal and state agency contracts need a plan that meets the requirements of NIST SP 800-171. DFARS cybersecurity clause 252.204-7012 set Dec. 31, 2017, as the deadline for full implementation of NIST SP 800-171, and it covers the processing, storage and transmission of CUI on non-federal systems, such as those used by a government contractor.
One of the first steps manufacturers should take is to identify the gaps that currently prevent them from being compliant with DFARS. NIST SP 800-171 expects the results of that gap analysis to be recorded in a system security plan (requirement 3.12.4) that describes how each requirement is met, together with plans of action (requirement 3.12.2) for any requirement not yet implemented. From that point, they can determine how to proceed.
How Should Manufacturers Start Working Toward Compliance?
The MEP National Network offers dedicated resources that help manufacturers evaluate their cybersecurity posture and understand what DFARS compliance actually means for them. Companies can check whether DFARS compliance applies to them and view infographics that recommend steps for making their factory floors more secure.
The MEP National Network also provides a resource that manufacturers will undoubtedly refer to again and again: the NIST Self-Assessment Handbook (NIST Handbook 162). It spans more than 150 pages and walks readers through assessing their facilities against NIST SP 800-171, which tells them how close they are to being DFARS compliant. It also helps identify where to focus improvement efforts so that each dollar spent on cybersecurity has the greatest impact.
For example, the handbook explains how to carry out an assessment and which employees to talk to about each security requirement. Manufacturers working through it will notice that each assessment question offers an "alternative approach" response. That response is for cases where a requirement in NIST SP 800-171, as written, does not fit the manufacturer's environment.
In that case, it's acceptable to satisfy the requirement with a different but equally effective security measure, as long as the manufacturer documents the alternative and obtains government approval for it. Under DFARS 252.204-7012, such requests are submitted in writing to the contracting officer for consideration by the DoD CIO; an undocumented or unapproved deviation still counts as an unmet requirement.
Manufacturing plant representatives can also deepen their understanding of the compliance requirements by watching a webinar that covers the crucial elements of the handbook.
Complexity Shouldn’t Be a Barrier
Manufacturers may initially view the cybersecurity requirements for government contracts as too complicated, especially if their operations are small.
However, the available resources, including local MEP Centers, show manufacturers that it's possible both to reach DFARS compliance and to stay compliant by implementing the NIST SP 800-171 requirements, opening the door to financially rewarding and reputation-boosting government contracts.
A local MEP Center is an ideal resource for manufacturers as they develop a plan that details how they will implement the NIST SP 800-171 cybersecurity requirements.
Each MEP Center has access to public and private sector resources that can help companies reach compliance with more confidence. Centers are located in all 50 states and Puerto Rico.