ForeScout Technologies Inc.

08/15/2018 | News release | Distributed by Public on 08/15/2018 09:04

What’s the 411 on NIST 800-171?


If you are reading this, the December 31st, 2017 deadline to implement 800-171 has passed! Does that mean all Department of Defense (DOD) contractors are now compliant? If not, where should they go from here, and what are the consequences of non-compliance?

Last year, the DOD awarded an estimated $18.2 billion[1] in contracts through its 36 federal accounts to companies that provide goods and services. Further, approximately $7.8 billion was awarded to research universities.[1] Both groups are subject to 800-171 compliance. With this large volume of revenue at stake, contractors and universities must diligently comply with 800-171 to preserve their piece of the contract pie.

Unfortunately, there are a number of challenges in addressing compliance, and the risks of not becoming compliant include loss of contracts, censure, or possible debarment. According to KPMG's Director of Cyber Security, John Kupcinski, compliance mandates will only continue to grow. The DOD issued draft rules[2] in April that will allow agencies to assess 'controls not implemented' and the relative risk of hosting Controlled Unclassified Information (CUI) / Covered Defense Information (CDI) on contractor systems. Ultimately this guidance is intended to help agencies manage their vendor risk; it could influence who new procurements are issued to, as well as how existing contracts are maintained.

Mr. Kupcinski also noted that civilian agencies are not far behind the DOD. The 800-171 requirement has been seen in a number of RFPs issued over the past year. Additionally, the General Services Administration's (GSA) regulatory agenda released in January[3] included a plan to formalize cybersecurity rules for its government contractors. This anticipated rule will impact a significant number of government contractors. In 2016, 18,313 entities held GSA Schedules and received over $45 billion from government agencies.[4]

As universities look to deliver on research, the 800-171 compliance process can seem daunting. It's important to start with a data mapping exercise, says Mr. Kupcinski. 'Understanding what contracts with your university require 800-171 compliance is an imperative first step.' If there is any doubt, contact the contracting officer (CO) to confirm whether the contract involves access to CUI/CDI.

Once in-scope contracts are identified, it's important to understand how CUI/CDI is transferred, stored, processed, and destroyed in the course of those contracts. This will allow officials to pinpoint which systems will require the controls. In SP 800-171, the security requirements of the framework are organized into fourteen 'families' (see Table 1).[5]

Table 1: Security Requirement Families

  Access Control                     Media Protection
  Awareness & Training               Personnel Security
  Audit & Accountability             Physical Protection
  Configuration Management           Risk Assessment
  Identification & Authentication    Security Assessment
  Incident Response                  System & Communications Protection
  Maintenance                        System & Information Integrity

Ultimately, a successful 800-171 program has several characteristics:

  1. Understand which contracts require CUI/CDI
  2. Identify which systems are used to store, process, or transfer CUI
  3. Identify and engage with all stakeholders, since implementing controls will take broad organizational buy-in
  4. Understand the current security posture: developing a baseline will help articulate where the control gaps are
  5. Prioritize remediation based upon risk
  6. Understand the requirements around continuous monitoring

Mr. Kupcinski is a Director in KPMG's Cyber Security practice, where he helps clients understand how to align their cyber agenda with dynamic business and compliance priorities. Additionally, he is an expert on 800-171 and has spoken and written on this topic extensively. He can be reached at [email protected] if there are further questions on this topic.

[1] As of September, 2017, reported by