Companies wanting to contract with the U.S. Department of Defense must meet stringent guidelines regarding the protection of information. Ensuring compliance can be a complicated process for many contractors.
The guidelines are set out in a publication called Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, issued by the National Institute of Standards and Technology. They are commonly referred to as NIST SP 800-171. The guidelines were issued as part of a Defense Federal Acquisition Regulation Supplement, widely known as a DFARS.
Many contractors are wisely turning to NIST SP 800-171 consulting companies to assess their systems and develop solutions that meet the federal guidelines. If you need NIST SP 800-171 consulting in Washington DC, turn to Intelice Solutions for the assessment and deployment that will have you compliant quickly.
What Is NIST SP 800-171?
NIST SP 800-171 is a set of guidelines designed to keep data used by Defense Department contractors safe and secure. The guidelines state that the directive “is of paramount importance to federal agencies and can directly impact the ability of the federal government to carry out its designated missions and business operations successfully.”
Later guidance indicated that contractors must be compliant with the guidelines by December 31, 2017.
The guidelines spell out requirements across 14 categories:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Those 14 categories include 110 specific requirements that contractors and their suppliers must address.
The sheer depth of the requirements is daunting, given the scope of work needed to establish and maintain compliance. While some of these are technical mandates, others focus on process and documentation.
How Can We Assess Our Level of Compliance?
A DFARS compliance assessment is a mandatory first step for contractors. Using a partner like Intelice, companies can be confident that a thorough gap assessment will be done. An analysis of the people, processes, and technologies in place will identify controls that are already in place and those that still need to be addressed. This process also satisfies one of the 14 categories (Security Assessment).
The assessment gives your company a clear understanding of current compliance. It also results in a System Security Plan and related Plans of Action and Mitigation that can be used to reach full compliance. Both of these documents are also part of the DFARS requirements.
A System Security Plan requires contractors to develop, document and regularly update plans that describe their system boundaries and operational system environments. The plans also need to document how the security requirements are implemented and how the security measures relate and connect to other company systems.
The Plans of Action and Mitigation are intended to detail corrective measures that will be used to reduce or eradicate system vulnerabilities. There are several formats available for the creation of these plans, but each must, at a minimum, include the following:
- The identified deficiency
- The plan, including the people, processes, and technology that will be used
- The dates by which you are expecting to comply with the identified deficiency
What Does It Mean to be Out of Compliance?
A lack of compliance with the guidelines means you are no longer qualified to contract with the Defense Department. As of February 2017, 87 percent of all Defense Department contracts had the DFARS mandate included. The goal is to have 100 percent of all U.S. Army, U.S. Navy and U.S. Air Force contracts include the provisions.
If a supplier is non-compliant with the guidelines, they are expected to notify the Defense Department within 30 days.
Complying gives your company a clear upper hand in competing for contracts with the department and its agencies and branches.
How Are Remediation Plans Implemented?
After the gap assessment is complete, Intelice will develop a comprehensive plan for your company. We recognize that each supplier is unique, with different configurations, systems, software and data storage solutions. We work extensively with companies of all sizes. Our on-site evaluations of your policies and systems will look at your operation with the same keen eye that an auditor would when visiting your facility.
Our experienced teams will work in concert with your internal IT staff to develop the proper processes and technology solutions. Our goal is to completely close any compliance gaps so that your company can remain in compliance. We will show you which parts of your technology stack must meet the requirements and which do not, reducing your long-term costs for maintaining compliance mandates.
What Types of Data and System Protections Are Important?
Today’s companies need a layered security solution that goes far beyond a basic firewall and anti-virus software. Next-generation firewalls provide intrusion detection and monitoring of system activity to identify and contain malicious users before data can be compromised. Automated software solutions can protect against viruses, trojans, phishing schemes and other types of malware.
Authentication tools need to be rigorous, with multi-factor authentication, strict password guidelines and stringent data and system access protocols.
At Intelice Solutions, we work on compliance issues for companies in a range of sectors. We have the expertise and industry-specific experience to help assess, document and implement. We can help ensure that you are fully capable of working with federal agencies and continuing strong, revenue-generating relationships. To learn more about how we can help you maintain NIST SP 800-171 compliance, contact us today.