Updated: Aug 11
Bluestreak™
Don’t be one of those companies that continues to delay the required implementation of enhanced cybersecurity, CMMC, and NIST 800-171 practices. Especially now, with the ever-growing threat of cyberattacks, it is critical to secure not only your company’s data but also your customers’ data. Failing to do so could jeopardize current contracts and prohibit future business if customers ask for proof of compliance.
Businesses that process, store, or transmit controlled unclassified information (CUI) are required to implement National Institute of Standards and Technology (NIST) Special Publication 800-171, Revision 2 under the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. The deadline set for complying with NIST 800-171 was December 31, 2017. The good news is that it’s not too late. If a company handles CUI in any way, it must become both NIST 800-171 compliant and receive Cybersecurity Maturity Model Certification (CMMC) to continue to be awarded Department of Defense (DOD) contracts. These requirements are now receiving a lot of attention, which is putting pressure on businesses that deal with CUI. Many companies have put this off for years, while others simply were not aware of the requirements. But recently, several businesses have had current contracts pulled and are ineligible for new contract awards until they become compliant. Generally, the NIST 800-171 implementation process takes 9 to 12 months to complete. Complying with NIST 800-171 is not only for those that handle CUI; it is also a great best practice for protecting and safeguarding your systems, networks, and data.
DFARS 252.204-7012
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting is a flow-down that obligates DOD prime contractors to ensure their operations and supply chains meet NIST 800-171. All covered contractor information systems not operated on behalf of the government were required to implement security requirements outlined in NIST SP 800-171; customer and DOD audits are already happening. To meet these requirements, obligated companies must demonstrate acceptance of the DFARS 252.204-7012 by subcontractors and suppliers and must also show that adequate due diligence was performed.
NIST SP 800-171
Complying with NIST SP 800-171 is a requirement for all DOD primes, contractors, and anyone in their downstream supply chain of service providers. Not complying with NIST 800-171 suggests a company is practicing poor cybersecurity methods and not keeping up with competitors. Some customers may have already asked whether your company is compliant, and if not—they soon will.
NIST 800-171 outlines security standards for non-federal organizations that transmit, process, or store CUI as part of their working relationships with federal agencies. It also outlines five core cybersecurity areas: identify, protect, detect, respond, and recover. These core areas serve as a framework for developing an information security program that protects CUI and mitigates cyber risks.
NIST 800-171 consists of 110 separate security controls corresponding to 14 different control families. Within the 110 security controls, there are 320 control or assessment objectives that must be met to be considered compliant. NIST 800-171 is a contractual requirement to protect and safeguard CUI for the DOD, the General Services Administration (GSA), and/or NASA.
NIST 800-171 SELF-ASSESSMENT
Scores for the NIST 800-171 self-assessment are based on a 110-point scale. Each of the 110 controls is assigned a weighted subtractor value of 1, 3, or 5 points. Every control implemented earns that number of points; for every control not implemented, those points are subtracted from the 110 points. Scores range from -203 to a maximum of 110. The first self-assessment score will most likely not be a perfect score of 110 points and could very well be a negative number. Submitting a perfect score of 110 on the first basic assessment to the Supplier Performance Risk System (SPRS) could be viewed as a red flag.
Keep in mind the following tips:
• Make sure scores are not inflated. This is serious business. Be 100% truthful with the score and have the evidence to back it up.
• In the recent past, companies that self-attested and submitted a perfect score of 110 to the SPRS ended up losing several existing major contracts from a large DOD contractor because they submitted an inflated score. They are also not being considered for future contracts until this is corrected and they provide evidence and accurate documentation of their compliance.
• Remember, a company can be audited at any time by the DOD or by a customer, who may or may not be a prime contractor for the DOD.
• Misrepresentation of compliance to the government is a violation of the False Claims Act and may result in penalties including loss of contracts, loss of the ability to bid on future contracts, fines, or criminal charges.
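The scoring rule described above (start from 110, subtract the 1/3/5-point weight of every control that is not implemented) is easy to get wrong in a spreadsheet, and the article's warning about inflated scores comes down to one question: is every control marked "implemented" backed by evidence? The following is an added example, not code from the article or from Bluestreak, that models an assessment inventory, computes the SPRS score, and separately computes a "defensible" score in which an implemented control with no evidence attached is counted as not implemented. The control identifiers, weights, and evidence strings in the sample are constructed for illustration; a real assessment must list all 110 controls with the weights from the DoD assessment methodology.

```python
from dataclasses import dataclass

# The assessment methodology assigns each control a weight of 1, 3, or 5 points.
VALID_WEIGHTS = {1, 3, 5}
MAX_SCORE = 110  # perfect score: every control implemented


@dataclass(frozen=True)
class Control:
    control_id: str      # e.g. "3.1.1" (NIST 800-171 numbering)
    weight: int          # subtractor value: 1, 3, or 5
    implemented: bool    # what the organisation claims
    evidence: tuple = () # artefacts that back the claim (policy, config export, ...)


def validate_controls(controls):
    """Reject malformed inventories; return ids claimed implemented without evidence."""
    seen = set()
    unsupported = []
    for c in controls:
        if c.weight not in VALID_WEIGHTS:
            raise ValueError(f"{c.control_id}: weight {c.weight} is not 1, 3, or 5")
        if c.control_id in seen:
            raise ValueError(f"{c.control_id}: duplicate control entry")
        seen.add(c.control_id)
        if c.implemented and not c.evidence:
            unsupported.append(c.control_id)
    return unsupported


def sprs_score(controls):
    """Score as it would be submitted: 110 minus the weights of unimplemented controls."""
    return MAX_SCORE - sum(c.weight for c in controls if not c.implemented)


def assessment_report(controls):
    """Compare the claimed score with the score an auditor could actually verify."""
    unsupported = validate_controls(controls)
    claimed = sprs_score(controls)
    # Defensible score: an 'implemented' claim without evidence is treated as not implemented.
    defensible = MAX_SCORE - sum(
        c.weight for c in controls if not c.implemented or not c.evidence
    )
    return {
        "claimed_score": claimed,
        "defensible_score": defensible,
        "unsupported_controls": unsupported,
        # A perfect 110 that rests on unevidenced claims is exactly the red flag the
        # article warns about.
        "red_flag": claimed == MAX_SCORE and bool(unsupported),
    }


# Constructed sample inventory (a subset, with illustrative weights, not the real table).
SAMPLE_CONTROLS = [
    Control("3.1.1", 5, True, ("Access control policy v2", "AD group export 2024-01")),
    Control("3.1.2", 5, False),
    Control("3.3.1", 3, True),  # claimed implemented, but nothing attached to prove it
    Control("3.8.4", 1, True, ("Media labelling SOP",)),
    Control("3.12.1", 1, False),
]

if __name__ == "__main__":
    report = assessment_report(SAMPLE_CONTROLS)
    print(f"claimed score:    {report['claimed_score']}")
    print(f"defensible score: {report['defensible_score']}")
    print(f"unsupported:      {report['unsupported_controls']}")
    print(f"red flag:         {report['red_flag']}")
```

For the constructed sample the claimed score is 104 (110 minus the 5 and 1 points of the two unimplemented controls), while the defensible score is 101 because control 3.3.1 is claimed without evidence. Running the same report over the full inventory before an SPRS submission gives a simple, repeatable check that the number being attested is the number the evidence supports.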
The Cybersecurity Maturity Model Certification (CMMC) program is aligned with the DOD’s information security requirements for Defense Industrial Base (DIB) partners. It is designed to enforce the protection of sensitive unclassified information that is shared by the department with its contractors and subcontractors. The program provides the department with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.
The CMMC 2.0 program has three key features:
• Tiered model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forth the process for requiring the protection of information that is flowed down to subcontractors.
• Assessment requirement: CMMC assessments allow the department to verify the implementation of clear cybersecurity standards.
• Implementation through contracts: After CMMC is fully implemented, certain DOD contractors that handle sensitive unclassified DOD information will be required to achieve a particular CMMC level as a condition of contract award.
It is highly recommended to retain the help of a qualified DFARS/NIST 800-171 consultant or a CMMC Registered Practitioner as a guide through this complicated process. NIST 800-171 compliance helps protect against malware, ransomware, and other cyber threats and helps avoid the extreme costs associated with security risks such as a successful hack. Compliance mitigates the impact of lost or compromised data, secures sensitive information, helps maintain a trustworthy reputation with customers, and helps avoid the legal trouble that follows a cybersecurity breach.
About the Author
Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, a division of Bluestreak | Bright AM™, and a regular editorial contributor for several trade publications providing technology, tips, and news for manufacturers. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, a machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe directly at email@example.com.
About Bluestreak™
Bluestreak™ is a powerful Manufacturing Execution System (MES) and a fully integrated Quality Management System (QMS), designed for the manufacturing environment and for service-based manufacturing companies (metal-treating/powder-coating, plating, heat-treating, forging, and metal-finishing): businesses that receive customers’ parts, perform a process (service) on them, and send those parts back to the customer. Companies need MES software tailored to specific functionality and workflow needs such as industry-specific specifications management, intuitive scheduling control for both staff and machinery maintenance, and the ability to manage work orders and track real-time data. If different work centers on the production floor aren’t “speaking” to each other via the MES, the data loses value and becomes disjointed or lost in disparate silos.
Bluestreak | Bright AM™ is an MES + QMS software solution specifically designed to manage and optimize the unique requirements of Additive Manufacturing’s production of parts and powder inventory usage.