5 steps to achieving NIST 800-171 compliance in the DoD acquisition process
What is the DFARS 7020 Clause?
The Defense Federal Acquisition Regulation Supplement (DFARS) is the DoD's contracting regulation, and its cybersecurity clauses are built on NIST SP 800-171. It helps suppliers and contractors identify and prioritize the protection of controlled unclassified information (CUI).
DFARS 7020 was released in November 2020 to strengthen the assessment of contractor compliance with the DFARS cyber clause. It aims to improve cybersecurity across the U.S. defense industrial base (DIB) by enforcing a process to verify that a supplier’s systems and processes are secure.
DFARS 7020 requires contractors to allow the Department of Defense (DoD) to access and audit their facilities, systems, and personnel when renewing a contract or conducting an assessment. Like the better-known DFARS 7012, DFARS 7020 will appear in all DoD solicitations and contracts, task orders, and delivery orders.
The clause also requires contractors to ensure that all their subcontractors demonstrate results of a current assessment in the Supplier Performance Risk System (SPRS), per the DFARS 7019 clause, and include the content of DFARS 7019 in the subcontracting agreement.
Any vendors who plan to do business with the DoD must achieve DFARS 7020 compliance. Here are the 5 essential steps to take right away.
1. DoD NIST 800-171 Security Assessment
According to requirement 3.12.1 of NIST 800-171, contractors must periodically assess the security controls in their organizational systems to determine their effectiveness. The assessment should cover all 14 families and 110 security requirements.
You can use an internal team or a third-party provider to conduct this Basic Assessment. Follow the NIST SP 800-171 DoD Assessment Methodology to meet the minimum requirements of DFARS 7020. Then, submit the results through the SPRS.
2. Create a System Security Plan (SSP)
Per NIST 800-171 requirement 3.12.4, contractors must develop, document, and periodically update their SSPs. This plan should describe your system's boundaries, operating environments, security measures, and relationships with or connections to other systems. It must also accurately reflect how you implemented the controls.
3. Create a Plan of Action and Milestones (POA&M)
NIST 800-171 consists of 110 security requirements. If shortcomings are uncovered during the assessment, contractors must develop and implement a POA&M to correct deficiencies and eliminate vulnerabilities in their systems. You’ll need to include the timeline of your remedial action as part of the SPRS submission.
4. Report the DoD Assessment Score to SPRS
To be awarded a DoD contract, you must have a current assessment in SPRS. Your submission will need to include:
- The name(s) of the System Security Plan (SSP)
- CAGE code associated with the contract
- A brief description
- Date of the self-assessment
- The total score (out of 110)
- The projected date on which your organization will attain a score of 110
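The POA&M from step 3 and the SPRS fields from step 4 fit together as one record, shown here as an added example (not code from the article or from SPRS). It assumes each open POA&M item carries the point value the NIST SP 800-171 DoD Assessment Methodology assigns to that requirement (1, 3 or 5) and a planned completion date; the sample point values and dates below are constructed.

```python
"""Derive the SPRS Basic Assessment summary from an open POA&M."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

MAX_SCORE = 110  # every one of the 110 requirements implemented


@dataclass(frozen=True)
class PoamItem:
    requirement: str        # NIST 800-171 requirement id, e.g. "3.5.3"
    points: int             # 1, 3 or 5 per the DoD Assessment Methodology
    planned_completion: date


def assessment_score(poam: list[PoamItem]) -> int:
    """110 minus the points of every requirement still open.
    The methodology does not floor the score at zero (minimum is -203)."""
    if any(item.points not in (1, 3, 5) for item in poam):
        raise ValueError("point value must be 1, 3 or 5")
    return MAX_SCORE - sum(item.points for item in poam)


def sprs_summary(ssp_name: str, cage_code: str, description: str,
                 assessment_date: date, poam: list[PoamItem]) -> dict:
    """The six fields the article lists for an SPRS submission."""
    if not (len(cage_code) == 5 and cage_code.isalnum()):
        raise ValueError("CAGE code is a five-character alphanumeric code")
    score = assessment_score(poam)
    # Projected date for a score of 110: when the last open item closes.
    projected = max((i.planned_completion for i in poam), default=assessment_date)
    if score < MAX_SCORE and projected <= assessment_date:
        raise ValueError("open POA&M items must close after the assessment date")
    return {
        "ssp_name": ssp_name,
        "cage_code": cage_code,
        "description": description,
        "assessment_date": assessment_date.isoformat(),
        "score": score,
        "projected_110_date": projected.isoformat(),
    }


# Constructed sample POA&M; point values are illustrative, take real ones
# from the methodology's scoring annex.
SAMPLE_POAM = [
    PoamItem("3.5.3", 5, date(2024, 9, 30)),   # multifactor authentication
    PoamItem("3.12.1", 3, date(2024, 6, 15)),  # periodic security assessment
]

if __name__ == "__main__":
    print(sprs_summary("Example Corp Enterprise SSP v2", "1A2B3",
                       "Basic self-assessment", date(2024, 3, 1), SAMPLE_POAM))
```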
5. Implement Controls and Execute the POA&M
Contractors must remediate the issues identified during the Basic Assessment to achieve NIST 800-171 compliance. This step often requires a significant amount of time and effort, so plan your timeline and expectations accordingly.
For many suppliers, this remedial step can be a strain on their internal resources. However, delays can cause you to miss out on opportunities and leave money on the table. That’s why many defense contractors choose to work with a third-party cybersecurity consulting service to implement the controls and achieve compliance.
Your external provider should have experience implementing NIST 800-171 controls for businesses similar to yours (e.g., in size and vertical) and a track record of solving the unique challenges of achieving NIST 800-171 compliance in the defense industry.
They should have the capabilities to execute complex controls in manufacturing, lab, and engineering environments and ensure that your SSP is updated to reflect the final implementation.
Cybersecurity for Defense Manufacturing
Cutting-edge cybersecurity is of the utmost importance for any business working in or supplying services to the defense industry.
This sector can be targeted by foreign entities attempting to spy on or sabotage global competitors, hacktivists wishing to make a political statement, and cybercriminals aiming to profit from the vast amounts of personal information stored in government databases.
Inovo InfoSec offers a full range of cybersecurity services to meet the needs of defense contractors. From various assessments and penetration testing to security governance and data protection policy, we’ve got you covered.