NIST SP 800-171: The Compliance Window is Closing Fast


Does your company do business with the Department of Defense? Do you want that business to continue after 2017? If you answered yes to both of these questions, you need to know about Defense Federal Acquisition Regulation Supplement (DFARS) clause 225.204-7012 and its potential impact on your business. As of December 2015, DFARS 225.204-7012 requires contractors to implement NIST Special Publication (SP) 800-171 standards “as soon as practical, but not later than December 31, 2017.” The title of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, should give you a sense of what is behind this directive. In practical terms, the Department of Defense (DoD) is telling its contractor community that if you want to be allowed to receive information determined by DoD to be of a sensitive nature, you must provide assurance to DoD that your own IT systems will provide an acceptable level of security for that information. Failing to do so after 2017 will preclude you from contracting with DoD.

DFARS 225.204-7012 requires contractors to implement NIST SP 800-171 standards, not later than December 31, 2017

DFARS 225.204-7012 is now included in all solicitations issued and contracts awarded by the DoD (except solicitations/contracts strictly for commercial off-the-shelf items). Subcontracting does not exempt you – the clause is flowed down in cases where covered defense information is to be passed to the subcontractor. As its title implies, the clause relates to Safeguarding Covered Defense Information. The clause also lays out cyber incident reporting requirements which, although highly relevant, are beyond the scope of this blog. You can read the full clause here.

So what, you may ask, is “covered defense information”? In short, it is the DoD version of “Controlled Unclassified Information” which is the focus of NIST SP 800-171. Here is how DFARS 225.204-7012 defines it:

“Covered defense information” means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is—

(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

While achieving compliance may at first seem like a daunting task, keep in mind that the NIST standards are generally best practice standards that, in some instances, your company may already have implemented. Rest assured, however, that achieving compliance will take an organized and disciplined effort (there is a reason that DoD is not requiring immediate compliance). So if you have not started to implement a program to achieve compliance, time is of the essence.

The good news is that there are numerous resources available to help you achieve compliance. You might consider bringing in a third-party security auditor, well versed in the NIST 800-171 standards, to assess your situation and recommend an action plan. You might also want to assess your current contract portfolio – what security and reporting standards apply to your company right now. Establishing an accurate baseline is an essential first step to achieving compliance.

Monitoring and documenting continuing compliance

NIST SP 800-171 compliance is a dynamic process. Your IT systems, as well as government security standards, are always changing. Achieving compliance is only the start; maintaining compliance is an ongoing process. Automating your company’s monitoring program is the ideal way to ensure ongoing success in maintaining and documenting compliance on a continuous basis.


SecurityCenter Continuous View® (SecurityCenter CV™) from Tenable automates the monitoring and assessment of NIST SP 800-171 technical security controls, helping you to measure, visualize and graphically communicate adherence to the standards. SecurityCenter CV offers several reports, dashboards, and Assurance Reports Cards® (ARCs) that are both ready-to-use for NIST SP 800-171 compliance and customizable to your business needs.

The Audit and Monitoring Dashboard is the best example of a SecurityCenter CV tool that aligns with NIST SP 800-171. The dashboard monitors the Audit and Accountability (section 3.3) and System and Information Integrity (section 3.14) sections, known as “families” in SP 800-171. These two families require the monitoring, analysis and reporting of unlawful, unauthorized or inappropriate system activity in order to detect potential attacks. For example, unusual inbound or outbound communications traffic can be an indicator of suspicious activity, and such behavior should trigger immediate investigation and responsive actions to thwart an attack. SecurityCenter CV, with its passive monitoring capability, delivers the continuous visibility required to detect that suspicious activity. Once it is detected, the dashboard also helps you correlate your audit reviews, assessments and reporting processes, facilitating compliance with 800-171.

NIST SP 800-171 Audit and Monitoring Dashboard

You can read more about SecurityCenter CV SP 800-171 dashboards and ARCs on the Tenable website.

The DFARS deadline is closer than you think


After a two-year compliance period, the DFARS deadline is fast approaching. If you work with DoD, now is the time to implement NIST SP 800-171 and to automate the controls with SecurityCenter CV. Don’t let non-compliance compromise your ability to win new contracts.

About Tenable
Tenable™, Inc. is the Cyber Exposure company. Over 24,000 organizations of all sizes around the globe rely on Tenable to manage and measure their modern attack surface to accurately understand and reduce cyber risk. As the creator of Nessus®, Tenable built its platform from the ground up to deeply understand assets, networks and vulnerabilities, extending this knowledge and expertise into™ to deliver the world’s first platform to provide live visibility into any asset on any computing platform. Tenable customers include over 50 percent of the Fortune 500, large government agencies and organizations across the private and public sectors. Learn more at