The NIST SP 800-171 Self Assessment Ruckus


Let’s Take a Breath …

I hear from many that the Interim DFARS rule implementing cybersecurity clauses 7019, 7020, and 7021, extending clause 7012, has created quite a stir. For too many, a cursory glance at the rule has inspired organizations to demand NIST SP 800-171 self-assessments and summary score entries for themselves and all subcontractors with which they work. The entries are to be made directly in the government’s Supplier Performance Risk System (SPRS), or via email (after negotiating for a specific email address which includes an appropriate email digital certificate). Granted, a cybersecurity program self-assessment is a good thing. Except when it’s rushed, or the goal is not well understood.


Imagine, if you will, that you represent a small business that provides a service to some element of the defense industrial base (DIB). You’ve never before received controlled unclassified information (CUI) or covered defense information (CDI) as part of contract execution, and there are no contract indications that you will. Your business strategy and goals don’t make the prospect of having to deal with CUI a current concern. After receiving a “we require immediately” email from your contract holder, you dutifully scramble to conduct a self-assessment using the proffered NIST SP 800-171 DoD Assessment Methodology guide and calculate your summary score: -145 out of 110. Doesn’t seem great, does it? Do you dare enter that score in SPRS or share it with your contract holder?


But wait: assuming you’re fully compliant with 52.204-21 Basic Safeguarding of Covered Contractor Information Systems, that score is appropriate. It is also the equivalent score of meeting the Cybersecurity Maturity Model Certification (CMMC) Level 1 standards (once CMMC is fully implemented). That score could well represent compliance with 52.204-21 Basic Safeguarding of Covered Contractor Information Systems. Of course, FAR clause 52.204-21 is basic cybersecurity for those who do NOT handle CUI, CDI, or CTI. But this distinction seems to be too often forgotten, or not appropriately emphasized.

Note: If your organization is implementing enough of a cybersecurity program to meet the FAR standard, you’re probably doing more than just the minimum, but this is just an example.

What Should I Do?

Review your contract/subcontract. Does the contract for which you’re responsible even include CUI? The existence of DFARS clause 7012 in a contract does NOT mean CUI/CDI on the contractor’s information technology systems is required as a part of contract execution. Become familiar with this document: Safeguarding Covered Defense Information – The Basics

Speak directly with your prime contract administrator. Clarify your understanding of the contract you’re supporting and the information categories related to its execution. Ensure both you and the contract holder clearly understand what types of information are being created, received, transmitted, stored, and processed on YOUR information systems.

My hope is that after a good conversation, some may realize that they’re not required to either implement NIST SP 800-171 requirements or submit an SPRS entry. For others, this discussion may confirm the necessity.

If your contract holder is insistent and mandates compliance with the full NIST SP 800-171 set of requirements, perhaps there’s room to renegotiate rates. The government has stated that it expects increases in contract costs to cover these more stringent requirements. Invariably, your contract holder knows this. Perhaps you might want to consider this too.

Granted, the contract holder can set compliance criteria for the subcontractors and vendors with which they choose to do business. But setting too high a bar will reduce the availability of those needed subcontractors and vendors. It will also drive increases in rates, thereby increasing costs back to the government.


Let’s make sure we’re appropriately evaluating our U.S. Government information protection responsibilities, and those of our subcontractors, suppliers, and vendors. Without the ruckus, preferably…


Daniel Bjorklund


With over 30 years of experience, Daniel Bjorklund is a dedicated information security practitioner, mentor and innovator. He serves as a principal vCISO at Assured Bridge, helping to mature and guide compliance-as-a-service and managed security service provider operations. He is also active in the startup and entrepreneurial communities in the Augusta, GA area, helping set firm cybersecurity foundations for new companies and efforts.

Dan is a current CISSP and holds a Master of Science degree in Information Assurance and Security and a Bachelor of Science degree in Information Technology. When not hunched in front of a computer, Dan can often be found above 3000 feet avoiding highway traffic, flying his airplane as a licensed pilot. He and his wife enjoy outdoor activities, biking, fishing and sightseeing in the Southeastern United States.
