NIST 800-171 and CMMC Compliance for Government Contractors
With the announcement of the Cybersecurity Maturity Model Certification (CMMC), here is how the NIST SP 800-171 standard applies to your company.
by Kim Koster
5 minute read
The initial deadline for government contractors to comply with NIST SP 800-171 was December 31, 2017. That date passed, and there was much discussion in the community about whether compliance would actually be a focus for contracting officers. The announcement of the Cybersecurity Maturity Model Certification (CMMC) has since brought cybersecurity to the fore, and it is clearly a very high priority in the DoD community now. This blog post explains how the standard applies to your company.
Every day, the news is filled with stories about cyber-attacks and breaches. If one happened to your company, would you be ready? How do you get started?
One of the best ways to protect your company is to begin to define security processes, procedures, and controls, and the time to start is now.
Being prepared to handle cyber-attacks helps ensure that your business operations and valuable data are protected. As a government contractor, you have the added responsibility of safeguarding our nation's data assets. To ensure that these risks are mitigated, cybersecurity standards are now being applied to contracts issued by the DoD.
The standards are outlined in the Defense Federal Acquisition Regulation Supplement (DFARS). The DoD requires contractors to demonstrate adequate cybersecurity for the protection of Covered Defense Information (CDI) and Controlled Unclassified Information (CUI), or Unclassified Controlled Technical Information (UCTI), the term used in the earlier version of the safeguarding clause. If there is any doubt about whether your data falls into these categories, discuss it with your Contracting Officer (CO).
Exhibit 1 - Types of Information
Expect to see the following DFARS clauses referenced in your contract. You will be expected to demonstrate compliance with them.
Exhibit 2 - DFARS Clauses - Cybersecurity
The three DFARS clauses in Exhibit 2 require defense contractors to implement the security requirements and to demonstrate that their cybersecurity protections are adequate to protect covered information from attack. The security requirements are specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations."
For ease of use, the security requirements are organized into fourteen families, each covering one general security topic. In total there are 110 requirements for protecting CUI. That sounds like a lot, but keep in mind the sensitivity of the information being protected, and in many cases these requirements are best practices you may already have adopted. Each requirement has an identifier of the form 3.x.y, where x is the family; for example, 3.5.3, the multifactor authentication requirement, sits in the Identification and Authentication family.
The 14 control families:
- Audit and Accountability
- Identification and Authentication
- Awareness and Training
- Incident Response
- Maintenance
- Media Protection
- Risk Assessment
- System and Information Integrity
- Physical Protection
- System and Communications Protection
- Security Assessment
- Personnel Security
- Configuration Management
- Access Control
Defense contractors must also have a mechanism and communication plan in place for when they identify a cyber incident or breach. The incident must be reported to DoD within 72 hours of discovery. Incident reporting is done via the DoD's Defense Industrial Base (DIB) Cyber Incident Reporting & Cyber Threat Information Sharing Portal, which requires a DoD-approved medium assurance certificate to access, so obtain one before an incident occurs rather than during one. Be prepared to supply the information requested on the form and to provide supporting documents and evidence relating to the incident, and preserve images of affected systems and relevant monitoring data, as the clause also requires them to be retained for at least 90 days so DoD can request them.
What Do You Have to Do to Reach NIST 800-171 and CMMC Compliance?
Contractors initially faced a deadline of December 31, 2017 to implement all of the security requirements in NIST SP 800-171. Contractors that had not implemented every requirement were expected to document, for each gap, either 1) why the requirement is not applicable to their environment, or 2) the alternative control or protective measure that achieves equivalent protection. Every requirement had to be addressed, whether through implementation, planned remediation, or a documented explanation of non-applicability. In practice this takes the form of a System Security Plan (SSP) describing how each requirement is met and a Plan of Action and Milestones (POA&M) for those not yet implemented.
In June 2019 the DoD announced the Cybersecurity Maturity Model Certification (CMMC), which builds on and formalizes the requirements of NIST SP 800-171. The implications of CMMC are significant:
- All DoD contractors will need to become CMMC certified by passing an independent CMMC assessment that verifies they have met the level (1 through 5) of cybersecurity required for their business.
- The Federal Government will determine the appropriate level for the contracts they administer, and not all contracts will require the highest levels of security.
- The required CMMC level will be stated in sections L and M of Requests for Proposals, with the cost of achieving it treated as an "allowable cost" in DoD contracts.
- Audits will be performed by an independent CMMC Third-Party Assessment Organization (C3PAO) that has been accredited by the CMMC Accreditation Body.
The following important milestones have been identified:
- Contractors should determine now where they stand against the NIST 800-171 controls and which CMMC level they will need to achieve, in order to be ready for certification by the second quarter of 2020.
- In November 2019 the DoD released additional drafts of the CMMC Levels and their associated NIST 800-171 controls.
- In January 2020 the official CMMC levels and requirements will be released. The DoD will also announce the non-profit that will be in charge of the certification process and that will begin training independent Certified 3rd Party Assessment Organizations to conduct audits of DoD contractor information systems. Certifiers should be available soon thereafter to begin audits. Expect a substantial backlog: there are an estimated 70,000 companies in the Defense Industrial Base requiring audits in a short time-frame, and a very limited supply of certifiers and auditors.
- In June 2020 the CMMC requirements will be in Requests for Information.
- In late 2020 DoD contractors will need to be certified to bid on Requests for Proposal.
More information on Cybersecurity Maturity Model Certification is available from Office of the Under Secretary of Defense for Acquisition & Sustainment at: https://www.acq.osd.mil/cmmc/draft.html
Getting prepared for this requirement is important for your company. Unanet is participating in industry groups and working with partners to follow each draft of the CMMC requirements prior to publication of the final version, so that we can support our customers' CMMC certification efforts. You may also consider hiring a consulting service to assist you. Preparation is critical to keeping your existing government contracts and winning new ones.
Your Unanet Project Management and Accounting System
The Unanet hosted environment on the AWS cloud provides a basis for your compliance, and we have been diligent about tracking the compliance requirements as they have been published and updated. Keep in mind that a hosted application covers only the requirements that apply to that system; the contractor remains responsible for its own workstations, networks, personnel and processes that handle CUI.
Unanet undergoes, and passes, an annual independent SOC 2 Plus audit whose additional criteria address the NIST SP 800-171 requirements.
This section discusses the NIST 800-171 controls that relate to:
- Multi-Factor Authentication
- Identification & Authentication Controls
- Cyber Incident Reporting
- Data Encryption
To support individual customers' requirements for multi-factor authenticated access (requirement 3.5.3), both to Unanet and to other information systems that contain CUI, Unanet integrates via SAML with leading Identity and Access Management (IAM) providers such as OneLogin, Duo and Okta, among others. When authentication is federated this way, the MFA requirement is enforced by the identity provider's policy, so confirm that the IdP requires a second factor for every account that can reach CUI, and that any local, non-SAML login path to the application is disabled or protected to the same standard.
Identification & Authentication Controls
IAM vendors such as those identified above include robust capabilities for logon management and for password complexity and reuse that map to the relevant NIST requirements (3.5.7 through 3.5.10, covering password complexity, prohibition of reuse, temporary passwords, and cryptographically protected storage and transmission of passwords).
Prompt Cyber Incident Reporting
Customers using Unanet's cloud offering will be notified of any unauthorized intrusion. Remember that the 72-hour DFARS reporting clock applies to you as the contractor, so your incident response plan should spell out how a notification from a cloud provider is triaged and reported to DoD within that window.
The requirements for data encryption are addressed through TLS for data in transit, and through the availability of the Unanet cloud platform in a FedRAMP Moderate environment that encrypts data at rest. Note that requirement 3.13.11 calls for FIPS-validated cryptography whenever cryptography is used to protect the confidentiality of CUI, so ask your provider to confirm that both the TLS and the at-rest encryption rely on FIPS 140-validated modules. Contact your Customer Success Manager for more information.
You should also be aware that all Unanet software is developed, hosted and supported in the United States, exclusively by US citizens.
This is not a requirement of the NIST standard. It does, however, provide an additional measure of assurance to government contractors, especially in comparison with other industry ERP software that is developed and supported in countries known to conduct state-sponsored hacking of US organizations.