NIST 800-171 Assessment for DoD Contractors and Subcontractors

By: Martin Horan on April 30th, 2019

Government Compliance

Conducting a security assessment is an essential part of keeping your data protected. It’s not enough to implement security measures; you need to regularly assess the measures you have in place to determine their effectiveness.

As a contractor or subcontractor for government agencies or organizations, it’s vital that you regularly conduct assessments to ensure that you’re aligning with government standards. And, in addition to your own compliance, you need to ensure that your subcontractors have the appropriate security measures in place, too.

Find out what NIST (National Institute of Standards and Technology) 800-171 says about conducting an assessment, learn how to ensure you’re in alignment with NIST regulations, and discover how to assess your subcontractors for risk.


What is NIST SP 800-171, and How Does a Manufacturer Implement It?

Government contractors and subcontractors have a unique responsibility to protect the sensitive data they use each day. That Controlled Unclassified Information (CUI) is a valuable asset of the American government, and you have a responsibility to keep it out of the hands of unintended parties. NIST SP 800-171 provides guidelines on how federal contractors like you and your subcontractors can adequately protect this information. Using the security standards outlined in NIST SP 800-171, you will create a Cybersecurity Framework supporting all of your security controls.

NIST SP 800-171 is specific regarding the circumstances in which you must protect your CUI. The publication provides three scenarios in which you should implement NIST guidelines:

  • When CUI is housed within nonfederal organizations and on nonfederal information systems

  • When CUI is housed on information systems that are not operated by federal agencies or organizations working on behalf of those agencies

  • When there are no specific laws, regulations, or policies regarding how to protect CUI

If you partner with a federal agency but use nonfederal information systems to house your CUI, you are required to take the appropriate steps to protect that data. Below are the steps you should take to ensure the CUI entrusted to your organization is appropriately protected.


How to Conduct an Assessment in Your Organization

How well is your organization protecting your CUI? Before you can assess your subcontractors, you first need to assess your own organization and security controls. The only way to gauge whether or not your security controls are successful is by conducting an assessment.

To effectively assess your security controls, you need to invest time and resources into conducting the process effectively. You need to communicate with your employees throughout the entire process, keeping expectations clear. It’s also vital that you have a plan of action established before starting these assessments. To ensure that your assessments are conducted effectively, there are some preliminary actions you should take:

  • Verify that you have created security policies that have been communicated to your employees.

  • Document all plans and policies as outlined in NIST SP 800-171.

  • Lay the groundwork for your assessments, including:

    • Establishing the objectives and scope of the assessments

    • Notifying employees who will be impacted by the assessments

    • Assigning resources to manage and conduct the assessments

  • Create a communication plan to dictate the flow of information regarding the assessment to the applicable employees.

  • Outline the schedule for the assessment, creating goals and timelines.

  • Outsource the assessment to an outside service provider if needed, or select the members of your own team to manage and conduct the assessment.

  • Collect all the needed assessment materials, including:

    • Policies

    • Procedures

    • Plans

    • Specifications

    • Designs

    • Records

    • Manuals

    • Information system documentation

    • Interconnection agreements

    • Previous assessment results

    • Legal requirements

Once you lay the groundwork, you’re ready to conduct your assessment. Gauge your NIST SP 800-171 security control readiness, and determine areas where vulnerabilities might exist. When you identify an area that needs to be updated or changed, take action in a timely manner to prevent any future data compromises.


How To Begin Assessing Your Contractors or Subcontractors

Once your own organization has been properly assessed and you have addressed any security vulnerabilities, you’re ready to assess the contractors or subcontractors you work with and with whom you share your CUI. These partners play important roles for your company, but their security vulnerabilities could put your business and your CUI at risk. To ensure your partners are aligning with the security measures you have established, you need to conduct assessments on their businesses, too.

As with your own assessment, an effective assessment of your contractors and subcontractors starts by laying the groundwork. Below are some steps you should take to ensure you can conduct an efficient assessment.

  • Gain a thorough understanding of how your partner companies operate. For you to properly assess your contractors and subcontractors, you need to understand how these companies do business. This allows you to put security controls in context with how they are used in these organizations.

  • Gain a thorough understanding of your partner companies’ information systems. You also need to know how they use their information systems and the role these systems play in daily operations. When you understand the system architecture and features, you’ll be better able to assess security measures.

  • Connect with the employees responsible for managing your partner companies’ information systems. Discuss with them their responsibilities and their processes for implementing security controls.

  • Schedule meetings with key personnel in your partner companies. It’s important to keep your partners in the loop about the schedule, processes, timeline, and scope of your assessments. They will have a better understanding of your expectations going into the assessment.

  • Request all the materials needed for the assessment. The same pieces of information you gather for your own assessment are essential for assessing your contractors and subcontractors. As listed above, you need the following materials from your partners:

    • Policies

    • Procedures

    • Plans

    • Specifications

    • Designs

    • Records

    • Manuals

    • Information system documentation

    • Interconnection agreements

    • Previous assessment results

    • Legal requirements

  • Connect with company points of contact. It’s important that you have lines of communication open with the points of contact at your partner organizations. Carrying out these assessments successfully will require you to work closely with these points of contact.

  • Obtain the results of any previous assessments. If any assessments have been conducted in the past, you should review these results to minimize the amount of time you will spend on this assessment. These results could be from audits, security inspections, or any other assessments.

  • Develop an assessment plan. Finally, you need a developed and documented plan to provide to your contractors and subcontractors. This plan will be the entire basis for your security risk assessments.

Conducting security assessments allows you to minimize the risk of a data breach. The best way to protect your CUI is to ensure both you and your partner organizations have the appropriate security measures in place.

Explore this guide on DFARS compliance, and the security measures your organization should have in place.

About Martin Horan

Founder of FTP Today and an expert in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.
