Assessing NIST 800-171 controls for US Government Contractors has several unique aspects that require attention quite different from that of commercial cybersecurity audits:
• Likelihood of attacks
• Impacts of attacks
• Required responses
• Required documentation
• Continuous auditing and management
While each of the areas listed above certainly applies to commercial cybersecurity audits, US Government contractors, notably those in the supply chain for US Government projects, are a prime target for data theft (exfiltration), malware insertion, and espionage.
Contractors are more likely to be attacked for reasons beyond simple financial gain. The data held by contractors, which NIST refers to as Controlled Unclassified Information (CUI), is sensitive and is a high-value target for nation-state actors as well as ordinary cyber-criminals.
The required incident or breach reporting responses depend on the type of data breach, but they go well beyond a simple “oops, we’re sorry” press release and often involve law enforcement and in-depth forensic investigations. In any follow-up, auditors will read the Contractor’s compliance documentation in detail, and the auditing and engagement will go well beyond a simple yearly anti-virus software renewal.
This makes your cybersecurity skills more highly valued, and more urgently needed, in the Contractor space than in the commercial space.
While commercial vendors may grudgingly engage your services as a way to mitigate the financial or legal risks of occasional cyber attacks, US Government Contractors are required, as part of their contractual obligations, to certify and attest to their immediate and continued compliance with NIST 800-171 requirements in the contract solicitation responses they provide.
These requirements are the “entry ticket” for continued and growing business opportunities. But they also carry the consequence that marketing exaggerations are not only disfavored but can be considered felony-level fraud.
If contractors are asked to provide their System Security Plan (SSP) and Plan of Action and Milestones (POAM) but do not have these documents, or cannot provide reasonable proof of the underlying cyber assessments and remediation, then the contracting service of the Department of Defense (e.g., Navy, USAF, etc.) relays the deficiencies to the Defense Contract Audit Agency (DCAA), the Department of Justice (DOJ), and the Federal Bureau of Investigation (FBI).
Depending on what they assess and decide, further agencies are likely to get involved.
As a result, Contractors pay close attention to requirements to the best of their abilities. While Contractors are not expected to be perfect in their cybersecurity implementations, they are expected and required to take reasonable steps and best efforts to secure their networks and comply with NIST 800-171 guidelines.
Recent discoveries of cyber violations have proven that these are not idle threats. The DOJ has already prosecuted two supply chain vendors/Contractors who failed a standard cyber audit of their NIST 800-171 compliance SSP, POAM, and underlying security reviews. These Contractors were immediately suspended from their active contracts, were barred from new contracts, and their executives were placed under investigation for fraud against the US Government.
Effectively, these suppliers were out of business — and facing criminal investigations and charges, too.
Contractors are looking to you to use your expertise and active engagement to help them avoid these consequences. This means that Contractors are motivated and eager to engage with cybersecurity experts.