Department of Defense (DoD) Memo Announces Plans to Finalize Rulemaking and Assess NIST 800-171 Compliance

The DoD is planning to issue a final rule in December establishing a procedure for DoD acquisition officials to perform assessments of a contractor’s compliance with NIST Special Publication (SP) 800-171.

According to Inside Cybersecurity, final rulemaking will cement provisions from a November 2020 interim final rule that [a] directed contractors to submit NIST 800-171 compliance scores into the Supplier Performance Risk System and [b] allow auditors from the Defense Contract Management Agency to conduct follow up assessments.

Failure to Comply Could Mean Lost Contracts

The June 16 memorandum reminded acquisition officials of NIST 800-171 requirements in place NOW and potential remedies for non-compliance if companies do not make progress on their submitted plan of action and milestones (POAMs). “Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements. Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.”

Reginald Jones of Fox Rothschild wrote a June 24 blog post concluding “The long and short of it is Read Your Contract! Search for DFARS 252.204-7012 and DFARS 252.204-7020. If contained in your contract, ensure that you have posted your summary level NIST SP 800-171 scores in SPRS, and if you have not done so, ensure that you have a plan of action outlining milestones of your path to compliance.”

Key Questions to Consider

• Is your organization compliant with NIST 800-171?
• Do you have an SSP or POAMs?
• Would you be prepared and pass an audit?

Ready Your Business with SSE’s NIST 800-171 and CMMC Gap Assessment

Our evidence-based NIST 800-171 assessment score is vital information needed for a SSP as well as any POAMs for controls not fully implemented.

Contact our team of experts today to schedule an initial consultation and to learn more about how we can help your organization understand and confidently complete its NIST 800-171 requirements.