If you wait to become 800-171 compliant, you won’t win contracts. That was the message we wanted to make loud and clear to over 200 federal contractors during last week’s Washington Technology (WT) webcast, Inside NIST 800-171: Cyber Requirements and the Risk of Non-Compliance.
Currently, all DoD contractors that handle, process or store sensitive types of government information must comply with the security controls described in NIST 800-171, and soon, civilian contractors will have to do the same.
The webcast topic was inspired by a Tripwire-authored article series published in WT last year that encouraged federal contractors to take the NIST 800-171 mandate seriously and provided steps to achieve compliance.
Since the DoD mandate took effect in December 2017, a number of companies have been doing the right things to ensure their internal infrastructure meets 800-171 requirements, but most have not. A strong indicator of this is that DoD systems managed by contractors continue to be breached because even the most basic controls are missing.
In the webcast, we were able to share our experience assisting customers in their efforts to become compliant. The agenda covered:
- NIST 800-171: Mandate review/timeline
- Implications: Both DoD and civilian
- Consequences of non-compliance (known and unknown)
- Reasonable/affordable steps toward compliance
Since the article series was published, several new considerations should be driving contractors to accelerate their efforts:
- NIST moved up the release date of the initial public draft of SP 800-171, Revision 2. According to Ron Ross of NIST, the revision will include enhanced security requirements that promote penetration-resistant architectures, designing for cyber resiliency and survivability, and damage-limiting operations.
- In June of 2018, the DoD Inspector General announced its launch of an initiative that aims to audit DoD contractors to determine if they have security controls in place to protect CUI.
Responsibility for compliance doesn’t stop at the prime contractor level. Compliance requirements and auditing apply to subcontractors as well.
“You may be the prime and believe your program is compliant, but if you have a subcontractor that holds CUI, they are also responsible and so are you,” said Tom Taylor.
The bottom line is that companies in compliance with 800-171 will win contracts, while those who wait will be left behind. Vince Lombardi, the great NFL coach, considered the players that arrived 15 minutes early to practice to be ‘on time,’ while those who arrived at the practice time were considered ‘late.’
Any federal contractor that handles, processes or stores sensitive types of government information needs to arrive at compliance on Lombardi time if it wants to continue to win contracts. In other words, don’t wait.
To listen to the webcast in full, go to: https://washingtontechnology.com/webcasts/2019/02/wt-webcast-021319/webcast.aspx