Since becoming law in 2017, NIST 800-171 has governed the protection of Controlled Unclassified Information (CUI) by DoD contractors and subcontractors. Companies must adhere to the specific 110 controls of NIST 800-171 in order to be eligible for and complete government projects that involve CUI.
While companies may have been able to "self-attest" to NIST 800-171 requirements in the past, the DoD has strengthened its review and enforcement. With the implementation of the DFARS Interim Final Rule in 2020, companies are now required to submit a scored self-assessment into the DoD’s Supplier Performance Risk System (SPRS) based on their compliance with the 110 requirements of NIST 800-171.
And, later this year as currently outlined by the DoD, defense contractors and subcontractors will have to certify—and potentially overhaul—their cybersecurity controls and policies to comply with Cybersecurity Maturity Model Certification (CMMC). Companies that fail to abide by the cybersecurity standards required by their contracts may face hefty penalties. Penalty fines, which can be as much as the entire contract value, combined with the potential loss of government contracts, could create substantial risks to businesses’ revenue streams.
With the expected timeline for the implementation of CMMC being May 2023, companies must prepare. Depending upon the level of cybersecurity maturity needed to meet requirements, it could take months from start to compliance, so it’s important to begin the process as soon as possible. Even if your business is already compliant, the process is not over: you still need to ensure it has the continuous monitoring support needed to keep meeting requirements.