Securing the Supply Chain - Meeting NIST SP 800-171 R2

This blog post is a continuation of The CMMC Basics where we covered what the government wants you to protect, the interim rule, Cybersecurity Maturity Model Certification (CMMC) levels, and how to get started. In this blog we start the journey toward meeting compliance with CMMC. We begin with first meeting compliance with NIST SP 800-171 R2, the latest self-assessment and self-attestation standard. 

The United States government is challenged with securing the supply chain to reduce theft of intellectual property, collection of intelligence by foreign adversaries, and introduction of counterfeit products. The Department of Defense (DoD) must assure that the mission of the warfighter is not compromised, furthermore the research and development, ideas and product specification are not stolen. As we become more of an interconnected world, this will be more challenging, so you must take steps to assure that you are keeping your information safe as a Defense Industrial Base (DIB) vendor. If you are among the over 300,000 hardworking vendors supporting the DoD — be proud and be ready to do your part in helping America’s continued prosperity. 

In February, we hosted a webinar about the Cybersecurity Maturity Model Certification (CMMC) and DFARS Compliance. During the Q & A we received several questions regarding more in-depth information about the journey to CMMC compliance. So, we decided to put together a series on the Cybersecurity Maturity Model Certification and start with the basics!

DFARS and NIST 800-171 R2

Since 2017, the DoD has required DoD DIB vendors to comply with contract clause DFARS 252.204-7012. When you are compliant there, the next requirements are triggered for NIST SP 800-171 R2 Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations.  Given that this requirement to meet DFARS (clause 252.204.7012) has been in place since 2017, the number of contractors not in compliance is staggering. Therefore, starting December 1, 2020, the DOD began taking a “trust but verify” approach (we covered DFARS 252.204-7019 in our CMMC Basics blog post) by having contractors upload the self-assessment and self-attestation results (System Security Plan (SSP) and Plan of Action & Milestones (POA&M)) into a DoD system, Supplier Performance Risk System (SPRS) or via email to webptsmh@navy.mil.

The Self-Assessment

When complying with DFARS 252.204-7019, you must conduct a self-assessment of compliance with NIST SP 800-171 R2 and receive a score. The maximum score is 110 points. The NIST SP 800-171 A provides a score for each control, so you must understand the scoring system. Each control has a scoring weight. Fully addressing a control gets a score of 1. Not meeting a control requirement is given a score of 0 or even a negative score.  A perfect score is 110 but you can achieve an overall negative score. The SPRS is the single source for contracting officers to view your compliance information to consider your company for an award. Also, if you are a subcontractor, you should communicate with your prime contractor about CUI and program requirements. 

DoD Assessment Methodology

NIST 800-171 and NIST 80-171A

https://www.totem.tech/how-to-generate-and-report-your-dod-self-assessment-score/

The 14 Security Control Families

For NIST 800-171 R2 there are 14 control families (a.k.a. categories) of security requirements, with a maximum of 110 controls that need to be self-assessed. At the time of self-assessment, you must generate a System Security Plan (SSP) to show how your company complies with the standards. If there are controls that are not met, you simply document them on a Plan of Actions and Milestones (POA&M) form, with a timeline of when you will meet compliance. Templates for SSP and POA&M can be found on the NIST website.  

The image below represents the people, process, and technology involved for a self-assessment.  

NIST 800-171 R2 Summary

https://www.complianceforge.com/reasons-to-buy/nist-800-171-compliance/

NIST 800-171 R2 Requirements and CMMC

Complying with both NIST 800-171 R2 and DFARS 252.204-7019, you are well on your way to meeting CMMC level 3 compliance. We will go into more details about CMMC in our next blog. Scoring and reporting to SPRS is your top priority.  Here is list of documents you will need: 

1. 1. 1. 1. NIST SP-800-171 R2 requirement, SSP and POAM&M templates for self-assessment 
         2. NIST SP-800-171 A  Assessing Security Requirement for CUI 
         3. NIST SP-800-171 A Control Scoring document 
         4. SPRS - Instructions to upload assessment report and access to SPRS

If you missed our CMMC and DFARS Webinar in February you might remember seeing this graphic! If you were unable to attend but would like to access the webinar on-demand you can! Check out the webinar here! It is important to note that if you are working towards a contract award, once you submit your self-assessment in SPRS, it will take 30 days from date of submission to post a score. You should account for such lead time. Also, if your company is not 100% compliant, a POA&M must be included. The self-assessment is good for three years (or sooner if required by a contract). 

Whatever you do, be as honest as possible with your self-assessment. DO NOT make a false claim, as in claiming to comply when you do not. False statements of compliance face prosecution under the False Claim Act. The DoD has used the False Claim Act to crack down on contractors. The Defense Contract Management Agency (DCMA) is auditing contractors for NIST 800-171 compliance. If you are found guilty of false claim, you may be barred from doing business with the U.S. Government along with other financial penalties.

Risk Management Framework and Meeting 100-171

The government assesses the architecture, security, and monitoring of government IT systems through the Risk Management Framework (RMF). It offers a holistic and comprehensive risk management process for each of its six steps. Each of the six steps in the RMF security lifecycle apply to meeting NIST 800-171 requirements.

• Categorize – the sensitivity of data that will be on/in the system. 
  • For each data set, you are looking at Confidentiality Integrity Availability of data and level needed.
    • Low
    • Moderate
    • High 
• Select – the appropriate security controls. 
• Implement – baseline security controls and create the systems security package (SSP). 
  • This document contains: 
    • Configuration management plan 
    • Privacy Impact Assessment 
    • Contingency Plan 
    • Contingency plan test 
    • Incident response plan 
    • Rules of behavior 
    • Security control assignment 
    • POA&M 
    • ATO request memo 
• Assess – the security package. 
  • Here you bring in an external auditor to read your SSP, vet it and test controls. You may have remediation work to do. 
• Authorize – the system (ATO). This is typically done by the CISO, CIO of the agency as they must understand the risk to authorize the system. 
• Monitor – using a continuous monitoring plan. This step is very important for continued compliance. 

Resources to Meet NIST 800-171 Requirements

There are number of resources available to help you meet 800-171 compliance. 

1. Do It Yourself (DIY) – There are templates and guides available. Below I breakdown the DIY steps. 
   
   • Assess Your Environment  
   • • Review DFAR requirement to handle CUI.
     • Document process and workflow containing CUI.
     • Account for existing security plans and processes.
     • Establish system component in the scope, evaluate against NIST 800-171 requirements.  
   •  
   • Remediate Deficiencies  
   • • Adequately mitigate the identified risk and update controls information in the SSP.
     • Test and evaluate the control.  
   • Document 
   • • Generate your SSP and self-attest.  
     • Document any controls falling short of requirement in a Plan Of Action & Milestone (POA&M) to identify the deficiency and schedule for remediation. 
   • Develop a Continuous Compliance Plan 
   • • The SSP is living document and must update as needed 
   • • Implement a continuous monitoring plan to assure continuous compliance. 
2. Applications and experts – There are number of Compliance Management Software available with some arrangement to contract an expert to assist.  These applications are great for organizing control information, policies documents, body of evidence, collaboration, and dashboards.  Please reach out to me for a list of companies I have researched. 
3. Consultants – if you simply want to delegate the responsibility to a company to handle all the activities to prepare the self-assessment and self-attestation document, there are number of cyber security firms.  Please reach out to me for the ones that I have researched and found to be competent with the compliance frameworks.

In Closing

If  you are a current DoD vendor and are signing the clause  DFARS 252.204-7019  in your contract, you now need to submit  a  SSP  for your self-assessment compliance along with any POA&M document. This will keep you in compliance with your contracting officer and make it easier to work with you on existing contracts as a prime or a subcontractor.  

The responsibility of securing the supply chain lies with all of us. By working together, we will help our government keep America prosperous and powerful for decades to come.   

GOVFTP Cloud is your compliant solution for secure exchange of FCI and CUI files. We wish you all the best on your CMMC journey. The FTP Today team is here to help in any way we can. If you are interested in a demo or have additional product questions schedule a demo today!