NIST 800-171
NIST 800-171 Compliance Assessment
Organizations who intend to remain as a trusted U.S. government supplier must ensure their company and their entire supply chain meet the following minimum requirements for DFARS 252.204-7012 / NIST 800-171:
- 1. Self-Attestation of the contract obligations for compliance (attesting to compliance)
- 2. System Security Plan with the following provable elements (updated periodically):
- System Boundaries: Identify the network map, connections, and segmentations initially and through the life of the contract
- System Environments of Operations: Operating Environment where CUI is stored
- How the security requirements are implemented: Policy, actual evidence, and proof of the security requirements as active in real time
- Relationships or connections with other systems: Real-time situational awareness of all connections and system profile information
- 3. Plan of Action and Milestones: Detailed plan of cyber gaps and necessary remediations, regularly updated to show continuous improvements
- 4. Incident Response Plan: An approved process defined by the DoD for reporting incidents within 72 hours of the event on a non-negotiable basis proof of cyber resiliency, such as implemented “adequate” cybersecurity controls, cyber event monitoring and processes. Failure to provide proof if requested may lead to the loss of federal contracts.