Last year, to help government contractors navigate the uncertainty and complexity around NIST 800-171 compliance, I launched a training and security program with CyberDefenses. It includes monthly online classes and a 500-page System Security Plan (SSP) template, and I’m happy to report that the program is receiving good reviews. The SSP template uses FedRAMP style documents and provides Department of Defense and Federal Agency contractors and subcontractors (DFARS and FAR) a focused compliance solution for mandatory NIST requirements. The template alone is saving companies hundreds of hours towards compliance and documenting security processes.
The current question is, now that the DoD deadline is past and the Federal Agency version of the same deadline occurs in 2018, what’s next? Are DoD contractors being cut off for non-compliance? Are contracting officers at prime vendors ensuring that sub-contractors have all the tools necessary for success? Hardly. Communication from DoD and the Feds can be fragmented . The same holds true for the supply chain, which lacks a unified approach to information security.
One silver lining is DoD’s recognition that no overnight solution exists. DoD went public with a “revised” interpretation of “compliance” in December 7th testimony to the Senate Armed Services Committee. Ellen Lord, Defense Under Secretary for Acquisition, Technology & Logistics, testified
“The only requirement this year is to layout what your plan is and that can be a very simple plan and we can help you with that plan and give you a template for that plan and then just report your compliance to it.”
So, bottom line, the focus now (and rightfully so) is establishing a Plan of Action & Milestones (POA&M) to implement lasting security solutions that can be measured for success.
Join me on the BrightTALK February 8th webinar “The NIST 800-171 CUI Compliance Deadline Has Passed. Now What?” for more discussion on strategies for success in the new DFAR/FAR contracting reality.