S2 E6: Achieving NIST 800-171 Compliance Part 1
Jordan Eisner: Hello everybody. This is Jordan Eisner, host of Compliance Pointers.
I think Chris, you’re what? Six or seven months and Drew a little bit under that?
Chris Abacon: Yeah. That sounds about right.
Jordan Eisner: Okay. That sounds about right. That’ll fly. In that time, I have been fortunate enough to meet you at least once recently. Went out for some drinks, and you guys had some on-site training and were working with our Director of Cyber Services, Steve, recently.
But beyond the work I’ve seen from you, I don’t know you too well in terms of background. I’m going to let you guys introduce yourselves a little bit, which is a little different from how we’ve typically done it on the podcast.
I know that you two have known each other for a long time. You just shared you have the same birthday, so that’s good. You did military training together.
Chris, why don’t we start with you? Twenty-second intro, we’ll go to Drew, and then we’ll get into questions for the podcast today.
Chris Abacon: What’s going on, everybody? Chris Abacon. I’m a Navy veteran, as Jordan already alluded to, with a background in IT. I really worked the gamut of IT roles in the Navy, from help desk to system administrator, to blue team analyst, to IT manager, where I was blessed to manage seven sailors supporting a maritime operations center. Today, I am blessed to be working as a cybersecurity consultant at CompliancePoint.
Jordan Eisner: Thank you, Chris. Drew?
Drew Wilcox: Yeah. Good morning, everybody. Good afternoon on the East Coast. Good morning on the West Coast where I’m at. Yeah. Long story short about myself, I’m a retired Navy veteran. Spent about 12 years in the Navy working in various flavors of IT, from IT to security to communications where I spent most of my career in the special operations or the presidential support realm. Various roles from help desk to sysad, to doing some network engineering work, to managing a security program for the time in service. I’ve been at CompliancePoint for about four months. Excited to chat with you all today.
Jordan Eisner: Excellent. Chris, you’re in the Tampa area, right?
Chris Abacon: Correct.
Jordan Eisner: Drew, is it Montana?
Drew Wilcox: I am. We’re in Kalispell, so northwest Montana. For everyone who thinks it’s freezing cold, all of our snow is melting and I’m not happy about it.
Jordan Eisner: Yeah. Well, we haven’t seen snow here in Atlanta in quite some time. Any snow is good snow. Well, no, I shouldn’t say that, because down here we like it, because we get it so seldom, but I know up in the North it’s actually irritating. That’s why a lot of people move south.
Yeah, Chris, that’s why you moved South, right?
Chris Abacon: That’s right. I’m from Minnesota.
Jordan Eisner: We’re talking about NIST 800-171, specifically what organizations need to do as they work toward achieving compliance with the standard.
First thing, I want to ask about contract language. Specifically, the F-A-R or I assume FAR and DFAR clauses. Beginning with FAR, which stands for Federal Acquisition Regulations. What is it? Who does it apply to?
Chris Abacon: FAR, specifically FAR 52.204-21, refers to the Federal Acquisition Regulation clause that really outlines the basic safeguarding requirements for federal contract information, also known as FCI.
This was originally published in 2016. This regulation is applicable to all contractors and subcontractors working with the US government when they handle FCI. That clause is really designed to protect that FCI from unauthorized access and disclosure.
For example, two of them are limit information access to authorized users. Really ensuring that only authorized individuals can have access to FCI, protecting it from unauthorized use, release, modification, and deletion.
Another one is limit information system access to authorized devices. Really making sure that only authorized devices have access to systems containing FCI, preventing those unauthorized devices from accessing or extracting that data.
Drew Wilcox: Chris, you mentioned a bunch of good points. I know we’ve thrown the FCI acronym around a lot, but for the listeners that don’t understand what that is at a tactical level, FCI revolves around any non-public information that is exchanged with the government that focuses on a contract.
A couple of examples of what this could look like could be anything from contract performance reports to proposal responses for RFPs or RFCs, or sorry, request for proposals, RFPs, request for comments, RFCs, or just general contract information, emails exchanged between the DOD and defense contractor.
Those are some more granular levels of what FCI is, but a big factor with FCI that differentiates it from what we’ll be talking about here shortly, which is controlled unclassified information or CUI, is that FCI as a whole is not technical in nature in any capacity. I just wanted to throw that in there.
Jordan Eisner: Fairly broad then.
Chris Abacon: It’s fairly broad for sure.
Jordan Eisner: All right. We talked about FAR. We’ll talk about DFAR, which stands for Defense Federal Acquisition Regulations.
Chris Abacon: I’ll be talking about a few DFARS here, but specifically I want to start out with DFARS 252.204-7012, and for the sake of shortening this, I’m going to call it 7012. So 7012 refers to safeguarding covered defense information and cyber incident reporting. So this regulation really mandates defense contractors protect sensitive information, known as covered defense information, that resides in an information system.
So this is the clause actually that requires contractors to implement cybersecurity standards specified in NIST 800-171 to protect the confidentiality of CDI.
So really additionally, the regulation also requires contractors to preserve images of known affected information systems and all relevant monitoring packet capture data, really to make sure that the DOD has a good assessment and impact of any cyber incidents. So really, as you can see, this is a really important clause for defense contractors to maintain a strong cybersecurity posture.
Now, the second DFARS I want to talk to is 7020, which is the NIST 800-171 DOD assessment requirements. So this DFARS really requires and provisions and mandates defense contractors undergo assessments to validate their compliance with the cybersecurity practices outlined in 800-171. So this is part of that effort, a DOD effort to ensure that contractors have adequate cybersecurity measures in place to protect controlled unclassified information, which is CUI, within their unclassified networks. So this clause requires contractors to complete a basic self-assessment, like a self-evaluation in compliance with 800-171, and submit the specific scores to DOD, which we’ll be going over more in detail later.
In some cases, like for big DOD contractors, the DOD might actually do a medium or high assessment on specific companies to make sure they do more of an in-depth contractor compliance. So we’re talking the big players that produce weapons, produce information systems for the DOD.
And then lastly, I want to talk about 7021, which is the Cybersecurity Maturity Model Certification requirements. So really, the CMMC requirements DFARS. So this is more of an evolution of 7020, because 7020 only required a self-assessment. But now the DOD is going to be requiring that defense contractors obtain a CMMC certification that’s almost like a prerequisite to a contract award. Now, with the proposed rule and things like that, this is going to be pushed out a few years. But it’s always important for companies to make sure to stay ahead of these regulations.
Now, the main difference here is they’re mandating a third-party assessment for cybersecurity practices. So that really shows that the DOD is really taking cybersecurity seriously in their space. And it’s really important that we know cybersecurity in this space is also national security. Cybersecurity is national security. So keep that in mind when we’re reading a lot of these DFARS requirements.
Drew Wilcox: And Chris, you brought up the criticality of information and kind of how the DOD and the government is taking a very proactive approach in ensuring that everyone who’s handling different types of information is implementing certain safeguards and protective mechanisms really around CUI, which in a nutshell, all the acronyms here, as Jordan alluded to, are, you know, defense DFARS. We try to keep it simple with 100 different acronyms in our database. They never end.
But, yeah, but, you know, focusing around that CUI, which is really, you know, the information that the government creates or an entity creates, you know, on the behalf of a government or on behalf of the government, excuse me, that kind of yields those safeguarding requirements that you briefly alluded to that we’ll talk about here shortly.
But, you know, comparing CUI to FCI, I mentioned earlier, a big thing with FCI is it’s not technical in nature. But, you know, ding ding, cat’s out of the hat here. The technical in nature kind of falls on the CUI side of the house at this point.
So, you know, some examples of that could be, you know, Chris mentioned information systems that are provided to the government or created for the government or the DOD. You know, the vulnerabilities of those systems, or PII, personally identifiable information of, you know, your employees or government employees, anyone inside your organization, or various research and engineering data around your stones or whatever that product is that you’re providing to the DOD.
And it’s really interesting, because I actually think Jordan said the word broad earlier. Broad encompasses this nicely. However, there is this really cool resource that’s out there, the CUI registry, open source. You can go online. So if you’re really trying to figure out, like, you know, for example, hey, I’m a tax company. Do I think CUI will apply to me, or do I have CUI, or could I see myself processing, storing and transmitting CUI?
If you go to the CUI registry, there’s examples of industries on there, everything from critical infrastructure to tax, as I mentioned, to legal or transportation. And you can click on your specific industry. So, as I mentioned the tax industry, you can click on tax, and when you click on the tax industry, it’ll give you examples. So, you know, for example, there’s federal taxpayer information, and then you can click on that and it’ll tell you exactly what it is. And as it reads, federal taxpayer information is related to information in conjunction with taxpayers’ responsibilities with tax provisions to U.S. code. So you might hear said later on or many times that answers to the tester there. So if you’re curious of, you know, does this apply to me or will this apply to me? That’s a great resource that you can go to and kind of drill down to that very granular level to have a full understanding of if you fit the bill or not.
Jordan Eisner: Yeah. And what is that resource again?
Drew Wilcox: It’s called the CUI registry and I won’t call out the entire URL, but if you go to your favorite search engine and you type in the CUI registry, it will be there for you once you hit search.
Jordan Eisner: OK. Good to know. I’m thinking about the people listening to this podcast have heard FAR 52.204-21, DFAR 7012, DFAR 7020, 7021, CMMC, DOD, CUI, FCI.
Chris Abacon: Definitely overloading with acronyms today. It’s a full gamut.
Jordan Eisner: We’re getting a feel. And then as Chris put it right, good thing to remember. Cybersecurity is national security. I like that.
Alright, let’s talk about the compliance requirements then of NIST 800-171, or whatever other acronym or shorthand it’s known by. What are organizations facing regarding security controls and assessment requirements?
Drew Wilcox: Yeah, I’ll take the first one. So Chris, we mentioned the FAR 52.204-21 broad statement, as Jordan mentioned. So really, if somebody is looking at compliance requirements for NIST 800-171 and you process, store, transmit FCI, it’s those 15 basic safeguarding requirements that Chris mentioned.
And there’s a big differentiating factor here that I’m going to make sure I draw a solid line of demarcation between is someone being NIST 800-171 compliant or someone being an organization seeking certification or OSC, another acronym for the bank there, Jordan, someone becoming an OSC for CMMC.
So if you’re trying to become NIST 800-171 compliant as it relates to the 15 basic safeguarding requirements in the FAR clause for FCI information, your assessment requirements really to yourself at this point is you can self-assess, you can do it annually, and then the gaps in your environment, you can document this in a plan of action and milestones. And let me be clear, that is not for seeking CMMC certification. So you’ve got the 15 controls, you can assess yourself, you can do this annually, you can document them in a POA&M, you can slow and grow.
You know, a startup coming in the business may not have all 15 of these, and that’s something we have to make sure that we’re understanding of because not everyone has everything. Now, when you cross the line, if you’re talking about a little bit further than 800-171 and you’re looking at CMMC level one, there’s a big differentiating factor here with those 15 control requirements. You can still self-assess. You do this annually. However, the plan of action and milestones that I mentioned, which identifies your tasks and your gaps compared to the framework you’re assessing against, you are not allowed to have one of those. All 15 requirements have to be met 100% or you cannot play ball, black and white. So I just wanted to throw out the difference between 800-171, security controls and assessment requirements and reporting, and then CMMC level one, security controls, assessment requirements and reporting.
And I did forget to mention one thing. On the CMMC side of the house, the outcome of that assessment for folks on FCI with the 15 controls, there’s something called a supplier performance risk score, which is how the DOD is judging risk of an organization. You do have to propose that, and that is something that is a new requirement that just recently came out back in the December 2023 proposed rule surrounding the whole 800-171 CMMC ecosystem.
Jordan Eisner: Chris, I think you brought the comment on the level two, but you know, one thing Drew mentioned was a POA&M, and we’ll probably reference that again. And for our listeners, Chris, Drew, you guys correct me if I’m wrong, but it’s a plan of actions and milestones, right? Remediation coming out of an assessment.
Drew Wilcox: You can also refer to it as a corrective action plan, really organizationally dependent on how you want to reference it, but it’s the same thing.
Jordan Eisner: Yeah, well, of course we’re going to add more letters here.
Drew Wilcox: Yeah, absolutely.
Jordan Eisner: Why just do three?
Chris Abacon: Yeah, so just kind of getting back on level two, right again, with level two being specifically a CMMC term. So level two in CMMC is incorporating all 110 security requirements from NIST 800-171, right? But again, it might take into account other governmental organizations, say DOE, Department of State, whatever. They’re going to be looking at just 800-171. Not necessarily going through most likely a self-attestation process or some type of third party, some type of interior assessment or internal audit. But for CMMC cases, right? So CMMC level two requires that certification process.
So these practices, right, 110, they’re incorporating more rigorous cybersecurity procedures, measures, right? They really focus on documentation of policies and implementation of practices that establish and maintain the companies or organizations or agencies information systems posture. So the process at this level really requires an organization to establish, document and really resource their plans, reflecting them with maturity and institutionalizing their cybersecurity practices, right?
So in CMMC, you’re going to need a C3PAO. So it’s C3PAO, another acronym, right? So certified third party assessment organization to do an assessment of your practices every three years. And then within that, another self-assessment annually thereafter.
And again, as Drew mentioned, a POA&M, plan of action milestones for certain authorized controls. You can’t POA&M everything. There’s certain hard stop items out there that we’ll discuss later. But in this case for CMMC, these should be resolved within 180 days.
And after that, right, really after the initial assessment, that specific score taking into account all 110 security requirements is entered into the supplier performance readiness, Supplier Performance Risk System. We’ll just call it SPRS from now. So this is a system managed by the DOD’s contracting arm. So they have a repository of SPRS scores for each organization or each contractor seeking a contract, right? But yeah, that’s the big thing with CMMC level two and 110 security requirements.
Jordan Eisner: We’re going to have to attach an acronym list, I think, to the podcast for our listeners to look at as they listen.
OK, everyone, we’re going to actually wrap the conversation right there for this week. There is still a lot more to talk about with Chris and Drew, and we’re going to do that in next week’s episode. We’ll get into assessing your current security program against NIST 800-171 standards, laying out a roadmap for compliance. And Chris and Drew will talk about the strategies they use when helping our customers achieve their NIST goals. So be sure to check out part two of our NIST 800-171 conversation next.
You can also connect with me, Chris, and or Drew on LinkedIn.