If you are a DoD contractor and you are not complying with DFARS/NIST 800-171, your business is at risk!
DFARS 252.204-7009(b)(5) states that noncompliance can lead to criminal, civil, administrative, or contract penalties. These consequences may include breach of contract damages, False Claims Act damages, liquidated damages, termination for default, termination for convenience, poor past performance, and suspension/debarment.
The University of Tennessee Center for Industrial Services uses a multi-step process to provide professional assessment and implementation of your company’s cyber security practices.
Step 1: Discovery - A professional assessment of your company's practices against the new standard. If necessary, a gap analysis is completed to document the scope to be remediated.
Step 2: Remediation - This phase carries out all fixes necessary to reach compliance.
Step 3: Test and Validate - This phase verifies that all technology and physical security controls are working properly.
Step 4: Monitoring/Reporting - This phase establishes the ongoing monitoring and scanning of the in-scope enterprise network that the standard requires. It also creates a working process to log, remediate, and report cyber-attacks.
DFARS NIST SP 800-171 Compliance
The U.S. Department of Defense (DoD) is getting serious about cyber security. The DoD put forth Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which states that government contractors (and in many cases subcontractors) must be NIST 800-171 compliant before December 31, 2017.
DFARS 252.204-7012 requires defense contractors to protect the security of Controlled Unclassified Information (CUI). The issue now for these businesses is that the technical deadline for compliance with NIST 800-171 was December 31, 2017.
If you are subject to DFARS clause 252.204-7012 and you are neither compliant with the security requirements in NIST Special Publication 800-171 nor in possession of a detailed and credible Plan of Action and Milestones to become compliant in a short time, you are violating the terms of your contract.
Failure to show proof of compliance documents and progress towards compliance could result in your company losing contracts to competitors or others who are ensuring DFARS compliance.
What does the DFARS clause require contractors and subcontractors to do?
The full text can be found here: http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm
Self-Assessment Handbook - NIST Handbook 162
The National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) Cybersecurity Self-Assessment Handbook was developed to assist U.S. manufacturers who supply products to the DoD in implementing NIST SP 800-171 as part of the process of ensuring compliance with DFARS clause 252.204-7012. Any DoD contractor, not only manufacturers, can use this Handbook to assess their NIST SP 800-171 compliance. The Handbook provides a step-by-step guide to assessing a manufacturer's information systems against the security requirements in NIST SP 800-171 rev 1.
The handbook can be found here: http://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf
This 127-page template, developed by the Georgia Tech Procurement Assistance Center (GTPAC), is designed to help contractors create a Security Assessment Report, System Security Plan, and Plan of Action. The template is a Word document, designed for easy customization. It is intended to be used in conjunction with the NIST-MEP Cybersecurity Self-Assessment Handbook linked above.
For further assistance with complying with DoD's contractual cybersecurity requirements, contact your local Solutions Consultant.
Cybersecurity Assessment Tool
The NIST MEP Cybersecurity Assessment Tool (https://www.surveymonkey.com/r/Z7RVFWV) allows U.S. small manufacturers to self-evaluate the level of cyber risk to their business. The assessment is based on the National Institute of Standards and Technology’s (NIST) Cyber Security Framework. This tool is to be used only for guidance and does not imply approval by NIST MEP or UT CIS and cannot be used to demonstrate compliance.