The U.S. Department of Defense (DoD) has released guidance for assessing contractor compliance with NIST SP 800-171 during the contract procurement process. Here, we focus on what is required of DoD contractors and sub-contractors to prove compliance with DFARS in their solicitations and contracts with the DoD in accordance with NIST SP 800-171.
In order to prove compliance two important documents must be established: A Systems Security Plan (SSP) and a Plan-of-Action and Milestones (POA&M) outline. How are the guidelines set forth in these two documents relevant during the contract award process? Keep reading!
- Admit Compliance: In accordance with DFARS 252.204-7008, the solicitation must include self-verification of compliance with DFARS 252.204-7012 and implementation of NIST SP 800-171. The DoD interprets self-verification as admission of compliance, and implementation of NIST SP 800-171 as having a completed SSP document and a POA&M document in accordance with NIST SP 800-171. NIST provides templates (available in our resource section) for both SSPs and POA&Ms. DoD prime and subcontractors who do not have the resources or expertise to develop and implement an SSP and POA&M, see the Advance Technical Solutions DFARS/NIST 800-171 compliance services.
- Detail Enhanced Security Measures (if applicable): In accordance with DFARS 252.204-7008, if the requirements of the activity deem it necessary for the contractor to implement further security measures in addition to NIST SP 800-171, a Statement of Work (SOW) detailing the specifics of additional security measures must accompany the contract.
- Evaluation Process: The Compliance Guidance reveals how the DoD will conduct the assessment of a contractor’s compliance status. The DoD’s evaluation process is based on four objectives:
- Establish ‘Go/No Go’ evaluation criteria parameter. The Contractor’s SSP and POA&M will be scrutinized against this criteria and a satisfactory level of compliance will be established.
- Establish a separate technical evaluation, which would also require delivery of the SSPs and POA&Ms with an in-depth description of how compliance will be judged in Section M.
·Conduct on premise assessments of the contractor’s internal information systems using NIST SP 800-171A.
· Identify Tier 1 suppliers and their plans for implementing the requirements of the DFARS Cyber Rule to assure subcontractor compliance.
- SSP and POA&M: The contractor must incorporate their SSP and POA&M in their contract. These two documents become a contractual requirement and non-compliance would breach the contract. Contractors must also provide an SSP that meets the requirements of the Data Item Description (DID) which is included in the Compliance Guidance. While there is no prescribed format for an SSP, NIST provides this template. Another template to develop a POA&M can be found here. For DoD contractors and subcontractors who do not have the resources or knowledge to implement an SSP and POA&M, please visit the Advanced Technical Services DFARS/NIST SP 800-171 Compliance Solutions page for more information.
- On-Site Assessments: The contractor must include a SOW requiring the contractor to support an on-site government assessment, performed by an independent third party, of compliance of NIST SP 800-171 in accordance the guidelines set forth by the DoD.
- Identify Tier 1 Suppliers: The Data Item Description included in the Compliance Guidance requires contractors to complete the following for every Tier 1 supplier:
- Provide basic identification information
- Verify that it has enforced DFARS 252.204-7012 on the supplier side, as well as any additional security requirements
- State whether the supplier has done a self-assessment in accordance with NIST SP 800-171A; and provide a copy of the SSP and POA&M from that supplier.
Support and Consultation:
If you are a DoD contractor or subcontractor and have questions about the Compliance Guidance provided by the DoD, and how to develop the required documentation (SSP & POA&M), a qualified services provider, like Advanced Technical Solutions, who specializes in DFARS/NIST SP 800-171 Compliance can walk you through the process to ultimately achieve compliance. ATS specializes in DFARS/NIST SP 800-171 compliance and has provided compliance solutions for the top DoD contractors in the United States. The team at Advanced Technical Services is ready to walk you through this process with as much or as little help as your organization needs so you can achieve compliance, and tap into a new revenue-generating market.