If you are service provider/vendor with government customers, then you need to know about the Defense Federal Acquisition Regulation Supplement (DFARS) 48 CFR 252.204-7012 – Safeguarding covered defense information and cyber incident reporting which requires compliance with NIST 800-171.
You have less than three months to be compliant with NIST 800-171. For companies who have not started yet; you are way behind the times and have barely enough time to get everything up to speed if you deal with Confidential Unclassified Information (CUI) or Covered Defense Information (CDI).
As Cyber Self-Defense has heard from companies that they do not know where to go or how to accomplish this very daunting task, we felt that we should provide some guidance. If this guidance still seems daunting, please let us know and we would be happy to assist your company in meeting these requirements.
Whatever you do, we suggest that you do take action and ensure that you are compliant; If you are not compliant by December 31st, it seems that you will be in breach of your contract with the government.
Cornell Law School publishes the regulation at; https://www.law.cornell.edu/cfr/text/48/252.204-7012; here are some key aspects of the law (please read the whole thing, on their site, if any of this applies to you);
(b)Adequate security. The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the you following information security protections:
(1) For covered contractor information systems that are part of an information technology (IT) service or system operated on behalf of the Government, the following security requirements apply:
(ii) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract.
(2) For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1) of this clause, the following security requirements apply:
(i) Except as provided in paragraph (b)(2)(ii) of this clause, the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (available via the internet at https://dx.doi.org/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the Contracting Officer.
(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at firstname.lastname@example.org, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.
(B) The Contractor shall submit requests to vary from NIST SP 800-171 in writing to the Contracting Officer, for consideration by the DoD CIO. The Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.
(C) If the DoD CIO has previously adjudicated the contractor’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when requesting its recognition under this contract.
(D) If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
(3) Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (2) of this clause, may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.
NIST has published a slide presentation that can be found here; https://interact.gsa.gov/sites/default/files/Wed%20AM1-SSCA-09-02-2015.pptx.pdf
NIST 800-171 can be found here; https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf