Home / Blog / January-2018 / Revised NIST Standard Might Impact Your Compliance

Revised NIST Standard Might Impact Your Compliance

1/12/2018


BY: ELLIOT FORSYTH

The information security standard set forth by the National Institute of Standards and Technology (NIST), known as NIST SP 800-171, has experienced multiple revisions since its original publication in June 2015. Following these changes, many individuals are left wondering where their company stands with compliance and what steps they must take next. The following brief history and explanation of NIST 800-171 is meant to clarify these and other questions about the standard.

In August of 2015, the Department of Defense (DoD) added an interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS) which required all relevant companies with government contracts to comply with NIST 800-171 under clause 252.204-7008 and 252.204-7012. The original NIST 800-171 publication contained 109 controls that contractors had to comply with for all systems that contained Covered Defense Information (CDI), which includes Unclassified Controlled Technical Information (UCTI) and other categories of non-classified information that require special handling.

Since its release, NIST 800-171 has been superseded by NIST 800-171 Revision 1, published in December 2016 and further updated in November 2017. Among terminology changes, Revision 1 also included the addition of a new control (now 110 in total), as well as specific requirements for how a company can reach compliance. These requirements include the completion of an assessment of cybersecurity compliance, a System Security Plan (SSP), a Plan of Action and Milestones (PoAM) and an Incident Response Plan (IRP).

On September 21, 2017, the Office of the Under Secretary of Defense released a memorandum which stated that, under the DFARS clause, contractors must implement the version of the standard that was in effect at the time of contract award. Meaning, if a company signed a contract after Rev. 1 was in effect, they will follow the updated guidelines. If a company signed a contract before Rev. 1 was in effect, they may choose to leave their contract as it is or work to have their contract revised. Contractors then must work with contracting officers to modify their contracts to authorize use of the most recent version of 800-171.

To help with these contract modifications, the Office of the Under Secretary of Defense released a second memorandum on December 15, 2017 which requested that contracting officers handle contract revisions via the mass modification system. This system automates contract revisions electronically, making modifications simpler to identify and accomplish.

To put it briefly, as it stands now, all companies who have contracts containing DFARS clauses 252.204-7008 or 252.204-7012 and handle CUI should know the following information about the standard:

  • Contractors are bound to the version of NIST 800-171 that was published at the time of contract signage. However, without contract modification, they are potentially not protected or compliant based on current revisions.
  • Contracts signed under the original NIST 800-171 standard cannot necessarily consider completion of an SSP and PoAM as proof of compliance, as these documents were not listed as requirements in their contract. Contracts must first be modified in order to use these documents as proof of compliance.
  • Contractors can solicit their contract officers to have their contracts modified to include the latest version of 800-171, which will most likely be handled through the mass modification system.

The Michigan Manufacturing Technology Center (The Center) is available to assist companies who need to create and implement an SSP and PoAM. Learn more about how The Center can help your company reach compliance here.

The recent December memorandum, along with the September 2017 memorandum, can be found here.


MEET OUR EXPERT

Elliot Forsyth, Vice President of Business Operations
Elliot is Vice President of Business Operations at The Center, where he is responsible for leading practice areas that include cybersecurity, technology acceleration, marketing, market research and business development. Over the past two years, Elliot has led The Center's effort to develop a state-of-the-art cybersecurity service for companies in the defense, aerospace and automotive industries, supporting Michigan companies in safeguarding their businesses and maintaining regulatory compliance. 

 

Since 1991, the Michigan Manufacturing Technology Center has assisted Michigan’s small and medium-sized businesses to successfully compete and grow. Through personalized services designed to meet the needs of clients, we develop more effective business leaders, drive product and process innovation, promote company-wide operational excellence and foster creative strategies for business growth and greater profitability. Find us at www.the-center.org.

Categories: Cybersecurity


Please click on the following link to subscribe to our blog:



Categories
Leadership/Culture Lean Principles Quality Management workforce Industry 4.0 Continuous Improvement Technology Advanced Manufacturing U.S. Manufacturing Innovation growth Data & Trends Sales & Marketing Manufacturing Happy Holidays The Center Smart Manufacturing cybersecurity Food Processing Six Sigma

Recent Posts
How to Be Found in Your Supply Chain
Leveraging Artificial Intelligence in Operations Management
Emerging Trends in Manufacturing for 2025
From Y2K to 2025: What Manufacturing’s Past 25 Years Can Tell Us About The Next 25
Could Veterans be the Answer to Your Workforce Challenges?

Post Archive
March 2025 (1)
February 2025 (1)
January 2025 (1)
December 2024 (1)
November 2024 (1)
October 2024 (1)
September 2024 (2)
August 2024 (2)
July 2024 (2)
June 2024 (1)
May 2024 (1)
April 2024 (1)
Archives