The December 31, 2017 deadline for achieving compliance with NIST 800-171 has come and gone. If you’re still not compliant, you’re at risk for penalties, and chances of winning future contracts and bids are at great risk. The good news is it’s not too late!
It’s understandable if you haven’t yet actually implemented the required NIST 800-171 security requirements. In the past, the DOD permitted businesses to choose a future date for implementing required security controls through the Plan of Actions & Milestones (POA&M) policy. As a result, businesses and organizations used POA&M merely as a simple checkbox system, which led to weak System Security Plans and stalled control implementations. Today, the DOD has upped their game by insisting on stronger cybersecurity practices among its business partners. They’ve moved to an enforcement phase for cybersecurity compliance and requirements with recently released DoD Guidance.
On April 24th, 2018 the U.S. Department of Defense released its draft “Guidance for Reviewing System Security Plans and the NIST SP-800-171 Security Requirements Not Yet Implemented.” The extensive document contains more stringent guidelines on exactly how the DOD will enforce and assess the implementation of security controls for awarding contracts, and evaluating proposals. It also provides detailed recommendations for properly assessing System Security Plans (SSPs) and Plans of Action and Milestones (POA&M).
The DOD Guidance provides additional information on how they might penalize business partners who fail to adhere to new security rules, including penalties and not being awarded new contracts.
Failure to Implement the Required NIST 800-171 Controls Will Lead to Lost Bids, Vendors and Revenue
For the best chances of new contract awards and superior contract performance in the competitive cybersecurity market, you need to implement the Security Controls and heightened information security requirements as outlined in NIST SP 800-171.
NIST has a set of 110 security requirements that stem from the NIST SP 800-53, which governs the cybersecurity standards for government systems. The new guidance was also designed to help businesses assess and prioritize the most effective ways for them to begin implementing these crucial 110 security controls specified in NIST SP 800-171.
The DOD has a new tactic for reviewing SSPs and security requirements not yet implemented, which is to assign risk scores to controls. For example, security controls that are considered a high risk and haven’t been implemented pose an extremely high risk to the data being protected and your ability to win DoD contracts.
Security controls that haven’t been implemented are given a DOD Risk Value for each security requirement that range from the highest, which is 5 (highest risk and priority for implementation) to 1 (lowest risk and priority for implementation).
If you don’t meet the 110 security requirements, it will likely lead to losing potential contracts through poorly written SSPs and high risk scores resulting from a failure to implement the required controls.
Relax. We’ve Got This!
At CyberSheath, we know that successfully implementing these new security controls can be a daunting undertaking for your organization. We’ve successfully assessed and implemented the required NIST 800-171 controls for organizations large and small in the defense industrial base supply chain. We’ll ensure your System Security Plan (SSP) and associated Plans of Action & Milestones (POA&M) are documented and fully implemented. Our cybersecurity experts will take care of all identified gaps in your information systems, schedule implementation of any outstanding items and ensure your organization is compliant with all of the latest requirements. We follow all DOD guidance to ensure review of SSPs and POA&Ms and “assist in prioritizing the implementation of security requirements not yet implemented.” After we have delivered a fully compliant solution we offer managed services to maintain your compliance and incorporate any updates from the DoD.
Contact CyberSheath today for a no-obligation phone consultation, and learn how we can ensure compliance with NIST SP 800-171 in five steps firstname.lastname@example.org