What DoD Contractors Need to Know About NIST SP 800-171
Since Dec. 31, 2017, all Department of Defense (DoD) contractors and subcontractors that store or process Controlled Unclassified Information (CUI) have been required to comply with the minimum security standards outlined in the Defense Federal Acquisition Regulation Supplement (DFARS). Failure to adhere to DFARS requirements may result in termination of existing DoD contracts.
DFARS is part of the NIST Special Publication 800-171 standard, also known as “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” In total, 800-171 has 110 unique security requirements, split among 14 broader sections, or “families.”
Considering the volume and specificity of these requirements, any organization contracting or subcontracting with the Defense Department must make sure that they have the requisite information security knowledge, expertise and resources to comply with NIST SP 800-171. Non-compliance, after all, could spell the end of a contractor’s relationship with the DoD.
Understanding the Broad Infosec Requirements
There are 110 granular requirements contained within the 14 main sections, and DoD contractors must comply with all of them. However, we’ve narrowed the broader sections down to seven of the most infosec-oriented categories, and the specific requirements down to 13. These aren’t necessarily more important than the others, but these specific clauses and requirements are the ones that DoD contractors will likely need the most help to manage.
Our recommendation is that contractors work with a security operations center (SOC)-as-a-service provider to help manage all of 800-171’s mandates, but especially the following:
- Section 3.1, Access Control: Granting or denying permission to access and/or use information.
- Section 3.3, Audit and Accountability: Tracking, reviewing and examining adherence to system requirements.
- Section 3.5, Identification and Authentication: Managing user identities and adequately authenticating those identities before they use information or processes.
- Section 3.6, Incident Response: Establishing well-tested incident-handling processes (e.g., threat detection, analysis, response, recovery) for organizational information systems.
- Section 3.11, Risk Assessment: Periodically assessing risks to information systems and data in order to track and manage organizational risk effectively.
- Section 3.13, System and Communications Protection: Monitoring, controlling and protecting all organizational communications.
- Section 3.14, System and Information Integrity: Monitoring all information and communication systems for indicators of threatening traffic and/or activity.
Complying with 800-171’s Standards
There are no exceptions to NIST SP 800-171: Any and all DoD contractors are expected to abide by the above requirements where applicable. That said, 800-171 recognizes that smaller organizations will have varying operational circumstances and need to “apply the security requirements to meet their situation.”
The “NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements” also acknowledges that not every organization can adhere to all requirements without assistance:
“Small manufacturers may not have the necessary organizational structure or resources to satisfy every security requirement. It is perfectly acceptable to implement alternative, but equally effective, security measures to satisfy a security requirement.”
What’s crucial, though, is that every DoD contractor or subcontractor is able to understand its operating environment in enough depth to:
- Understand exactly which requirements apply to their situation.
- Know what actions to take, solutions to deploy and processes to implement in order to comply with those requirements.
This isn’t exactly easy, particularly for the infosec-heavy requirements. Many small and medium-sized enterprises lack in-house cybersecurity expertise and are starved for the technical resources that enable functions such as continuous threat monitoring of IT and communication systems. This speaks to two larger truths about NIST SP 800-171:
- SMEs shouldn’t attempt to address all of its requirements alone; a single oversight could end their line of business with the DoD.
- They should not rely on ad-hoc implementation of point solutions, or on the assistance of MSSPs that don’t fully understand their organization’s workflows. The former is entirely ineffective, and the latter lacks the expertise and context needed to help contractors and subcontractors cost-effectively cover all of 800-171’s bases.
To guide organizations that may struggle in the wake of DFARS, Arctic Wolf Networks has developed an abridged list of the core NIST SP 800-171 mandates that shows how each can be addressed with the assistance of a SOC-as-a-service provider. For example, Arctic Wolf’s security engineers provide 24/7/365 threat monitoring for all client information systems. They also use aggregated log data to generate detailed reports for risk assessments as well as for auditing and accountability functions.
These are just a few ways that SOC-as-a-service can address 800-171’s requirements. This Arctic Wolf datasheet goes into more detail.