Cybersecurity Compliance – Peace of Mind in the Evolving Landscape
As cyber threats become more numerous and sophisticated, protecting information becomes more challenging – and a top priority. With this in mind, the National Institute of Standards and Technology (NIST) developed its Risk Management Framework to help ensure that Government agencies understand and document their risks and develop levels of security controls appropriate to their unique missions and operating environments.
Classified information is an obvious starting point, but a real threat is unclassified controlled technical information (UCTI), which both Government contractors and their networks of subcontractors and suppliers pass back and forth on a regular basis. To address this vulnerability, NIST created Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which defines how the network of Government agencies and their contractors and subcontractors should handle and exchange UCTI.
NIST SP 800-171 may have started out as a roadmap to improvement, but the Department of Defense (DoD) has made it a mandate, incorporating its security controls into the Defense Federal Acquisition Regulation Supplement (DFARS) via provision 252.204-7008. Herein lies the source of anxiety for Government contractors, who must address compliance within their own enterprise, with their subcontractors, and with their suppliers as well.
The most recent iteration of the DFARS provision extends the deadline for NIST SP 800-171 compliance to December 31, 2017. This rule also requires contractors to notify the DoD Chief Information Officer (CIO) of any NIST SP 800-171 shortcomings at the time of contract award – for the contractors themselves and their subcontractors and suppliers – within 30 days of award. In other words, Government contractors must intimately understand their own cybersecurity postures, as well as those of their entire global, multi-tiered networks of suppliers and subcontractors, and have a plan of action to achieve full 800-171 compliance in less than two years. Given all that, perhaps a certain level of panic is justified. Getting your own house in order is tough enough; how in the world are you supposed to do it for your hundreds or even thousands of suppliers, each with varying levels of IT resources and cybersecurity maturity?
Exostar is here to help. We have implemented a solution that some of the world’s largest Government contractors are using to track DFARS compliance, including the flowdown mandate to subcontractors and suppliers. These contractors rely on our solution today to capture relevant information about themselves and their suppliers to:
- Record overall compliance for each of the security controls specified in 800-171.
- Access a compliance score for each of their suppliers.
- Develop a comprehensive plan of action for themselves and their suppliers that they can submit to the Government within 30 days of contract award.
A clear understanding of DoD’s DFARS requirements – coupled with access to a secure, proven, cloud-based solution to identify cybersecurity shortcomings and compliance gaps throughout the subcontractor and supplier network – gives Government contractors all the tools they need to mitigate risk and achieve a competitive edge.