NIST 800-171: Leveraging an MSSP for Compliance Frameworks

For many businesses, compliance is becoming a way of life. As cyber-attacks and data breaches are revealed and reported on a regular basis, new compliance requirements will continue to be implemented. Two recent examples are the NIST SP 800-171 requirements for protecting Controlled Unclassified Information (CUI), which the Defense Federal Acquisition Regulation Supplement (DFARS) clause imposes on defense contractors, and the GDPR rules for protecting the personal data of individuals in the EU. In this post, we’ll focus on NIST 800-171, what we can expect from it this year, and how to maintain compliance throughout 2018 and beyond.

NIST 800-171 and its Implications for 2018

Since the December 31, 2017 deadline has come and gone, many defense contractors and subcontractors may be wondering how it will affect them. If a contractor currently holds a defense contract that includes the DFARS clause, they must already be on the road to compliance, with a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) in place. If a contractor plans to bid on a similar contract in the future, they must also have begun this process.

However, creating a POA&M and an SSP is not a “set it and forget it” exercise. A contractor must show continual improvement, and this is where a Continuous Monitoring Strategy (CMS) comes into play. A contractor should be working to close the gaps identified in their initial gap assessment by completing tasks and fulfilling obligations on schedule within the POA&M, updating the SSP, and continuing to monitor the environment.

NIST SP 800-171 consists of 14 families of security requirements totaling 110 requirements, which can be found in the NIST Special Publication...