NIST 800-171 Compliance Services
SSE has more than 15 years of expertise supporting mission-critical systems and Controlled Unclassified Information (CUI) through evolving cybersecurity regulations.

SSE: Your NIST 800-171 Compliance Solution
SSE has been accredited by The CYBER AB (formerly the CMMC Accreditation Body) as a Registered Provider Organization (RPO), and we have maintained networks to the NIST 800-171 and NIST 800-53 standards since they came into existence. Our experience in managing classified data and controlled unclassified information (CUI) through evolving cybersecurity regulations is built on first-hand experience as a defense contractor.
When you work with our team, we create a customized plan for your compliance. Not only can we assist your company through the initial assessment and remediation work with our gap assessment services, but we can continue our role as trusted advisors, maintaining service and ongoing support to ensure your continuous compliance.
Benefits of Working With SSE for NIST 800-171 Compliance
SSE has the vetted IT and cybersecurity tools, templatized policy documentation, and experts to create and manage a plan to assist your business in achieving compliance.
NIST 800-171: Current Requirements for DoD Contractors and Subcontractors
Signed by President Obama in 2014, Executive Order 13556 mandated that all U.S. federal agencies safeguard Controlled Unclassified Information (CUI) more stringently and helped establish a unified policy for all agencies and government contractors to follow for data sharing and transparency.
This new focus on cybersecurity at the federal level led to the passage of the Federal Information Security Modernization Act (FISMA) in 2014, then NIST 800-53, and finally the Department of Defense (DoD) enacted NIST 800-171 into law through DFARS 252.204-7012 by the end of 2017.
Today, NIST 800-171 is the standard set of security controls for all defense contractors and contractors handling CUI. Defense contractors must meet the requirements set forth by NIST 800-171 to demonstrate their provision of adequate security measures for sensitive data or risk being ineligible to work on defense contracts. NIST 800-171 dictates how contractors and subcontractors of federal agencies manage CUI in an effort to keep CUI safe within the federal contractor ecosystem.
The long-awaited CMMC Title 32 Final Rule was published in the Federal Register on October 15, 2024. CMMC now takes effect on December 16, 2024. There are NO changes to Level 1 or Level 2 (NIST 800-171) requirements, and the Final Rule confirmed that CMMC will align with NIST 800-171 Rev 2. Compliance will be mandatory for contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
A second rulemaking, the Title 48 Final Rule detailing phased contract implementation, is expected by ‘early-mid 2025’. The Title 48 Final Rule will define the contractual obligations and enforcement of the CMMC program.
So in a nutshell, the CMMC program rollout begins on December 16, 2024. Starting on that date, companies will be able to submit self-assessments and obtain CMMC certification from a C3PAO.
CMMC makes it every Prime Contractor’s responsibility to ensure their subcontractors throughout their Supply Chain are certified and meeting the NIST 800-171 requirements based on the information that is flowed down to them. While we know many of the large primes have already been reaching out to their Subcontractors over the last several years, this trend will continue and pick up as Primes want to ensure they are able to compete effectively.
It’s important to be proactive and get an assessment completed so that you can share valid information with your Prime and get prepared. Given the DoD hasn’t defined which contracts will be in the initial phases of the rollout, it’s Russian roulette to wait!
According to the Department of Justice (DoJ), the False Claims Act is “the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations.” Firms that fail to abide by cybersecurity standards in their contracts, such as NIST 800-171, may face hefty penalties. Those penalty fines, combined with the potential loss of new or existing government contracts, could create substantial risks to any defense contractor’s revenue streams. There can also be criminal risk for knowingly and willfully making a false claim or statement, which can be criminally prosecuted under the False Claims Act.
Aerojet Rocketdyne and Guidehouse / Nan McKay and Associates are two entities that have already paid steep penalties for non-compliance identified by whistleblowers. Collectively, both organizations have paid over $20 million in fines and penalties. Know the law and protect yourself with an evidence-based gap assessment.
Does Your Business Need to Ensure NIST 800-171 Compliance?
Ask yourself the following questions:
- Are you familiar with all of the requirements of NIST 800-171?
- Do you have a System Security Plan (SSP)?
- Has your organization taken a DIY approach when it comes to submitting your NIST 800-171 scored self-assessment… and is it really accurate?
- Do you have the necessary SSP & POA&Ms to support your NIST 800-171 assessment score?
- Could you provide specifics supporting the above to your prime contractor or the DoD if asked?
- Do you know when you need to be compliant/what you need to do to get there?
- Is your internal or external IT/cybersecurity support qualified or planning to become certified in these areas?
- Are you, as a senior company official, ready to affirm your compliance to NIST 800-171?
If you answered “NO” to any of these questions, seeking outside expertise could be invaluable to protecting existing revenue and mitigating potential risks. SSE has the vetted IT and cybersecurity tools, templatized policy documentation, and experts to create and manage a plan to assist your business in achieving compliance.

Certifications
SSE is CMMC Level 2 Certified. SSE scored a perfect 110 during our Joint Surveillance Voluntary Assessment (JSVA) in November of 2024 conducted by DIBCAC and a C3PAO.
SSE has been accredited by The CYBER AB (formerly the CMMC Accreditation Body) as a Registered Provider Organization (RPO) with Certified CMMC Professionals (CCPs) and Registered Practitioners (RPs) on staff.
SSE takes seriously the need to have well-trained employees to ensure first-time quality. All of our team members are certified in the tools that are necessary to do their jobs. These certifications are the foundation of our business and your peace of mind.
NIST 800-171 Compliance Articles
SSE has been supporting DoD contracts for years and we’ve been maintaining networks to the NIST 800-171 and NIST 800-53 standards since they began. We are up-to-date on the latest information and ensure our client-partners are as well.

NIST 800-171 Rev.3 Draft: What It Means Now and Moving Forward With CMMC
The National Institute of Standards and Technology (NIST) has provided guidelines and standards for enhancing data security. Most recently, NIST…
What Do You Need To Know About NIST 800-171 Compliance?
Meeting the NIST 800-171 compliance requirements is vital to national security. They are also crucial to garnering lucrative work in the…
What to Know Before Your NIST 800-171 Assessment Submission
Working with government agencies like the Department of Defense (DoD) requires meeting specific and evolving regulations related to NIST 800-171…

Frequently Asked Questions about NIST 800-171 Compliance
NIST 800-171 is a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI), or in order to provide security protection for such systems.
YES! Organizations that process, store, or transmit CUI are required to be compliant with NIST 800-171 cybersecurity and network security standards. NIST 800-171 has been required since 2017.
Contractors and subcontractors that work with government agencies and have CUI and/or FCI must adhere to NIST 800-171 standards in order to complete government projects that involve handling CUI. This includes manufacturers that are part of a DoD, General Services Administration (GSA), NASA, or other federal or state agencies’ supply chain.
The estimated cost to achieve NIST 800-171 compliance largely depends on several factors, such as the size and maturity of the company. For the most accurate estimate, it’s best to contact SSE for an assessment.
Depending on the size of your company and what protocols are already in place, meeting NIST 800-171 requirements can take anywhere from 3 – 6 months for a mature IT environment to 6 – 9 months for a non-mature IT environment. If you utilize the NIST 800-171 and CMMC Gap Assessment from SSE, we will perform a detailed evidence collection, assessment, and analysis of your company’s existing environment and its readiness state for an audit or assessment submission. This analysis process takes roughly four weeks to complete and will provide a clearer picture of weak spots in your organization’s security practices and exactly where you stand on compliance. SSE can then assist with recommendations and solutions to assist with the remediation of gaps, or we can handle this for you.
Ensure Your NIST 800-171 Compliance
Choose an Experienced NIST 800-171 Compliance Company
Take advantage of our thorough understanding of DoD contractual requirements. Complete the form below to contact SSE today.