What does NIST SP 800-171 mean?

As a small business in the Department of Defense (DoD) Government Contracting realm, we do have cybersecurity experience.  We have been through the DoD Information Assurance Certification and Accreditation Process (DIACAP), which has since been transitioned to the Risk Management Framework (RMF).  RMF is a six-step process developed by the National Institute of Standards and Technology (NIST) to apply risk management to Information Systems.

Getting through RMF (the end product is an Authorization to Operate) is very time consuming and costly.  My employees have been great to work through all the necessary paperwork with patience and expertise to get that authorization for the Information Systems they are responsible for.

Last week, I met with Adam Austin, Reggie Hall, and Alli Bey of Haight Bey, Engineering and Security Solutions, who started to put a small fear into my soul.  They informed me that a little over a year ago a revision to the Defense Federal Acquisition Regulation Supplement (DFARS) added new cybersecurity requirements for DoD contractors who process unclassified information.  The standard those requirements point to is the National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations.

If you are a government contractor, failure to meet these requirements can cost you contracts, because protecting the confidentiality of CUI in nonfederal systems is now mandated.

The requirements in DFARS clause 252.204-7008 are:

(b) The security requirements required by contract clause 252.204-7012, shall be implemented for all covered defense information on all covered contractor information systems that support the performance of this contract.

(c) For covered contractor information systems that are not part of an information technology service or system operated on behalf of the Government (see 252.204-7012(b)(2)) –

(1) By submission of this offer, the Offeror represents that it will implement the security requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (see http://dx.doi.org/10.6028/NIST.SP.800-171) that are in effect at the time the solicitation is issued or as authorized by the contracting officer, not later than December 31, 2017.

(2)

(i) If the Offeror proposes to vary from any of the security requirements specified by NIST SP 800-171 that are in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DoD Chief Information Officer (CIO), a written explanation of

(A) Why a particular security requirement is not applicable; or

(B) How an alternative but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection.

(ii) An authorized representative of the DoD CIO will adjudicate offeror requests to vary from NIST SP 800-171 requirements in writing prior to contract award. Any accepted variance from NIST SP 800-171 shall be incorporated into the resulting contract.

What does this clause mean to me?

Wait…December 31, 2017?  Adjudicate?

What do I have to do?

In plain terms, the clause means that DoD government contractors like me need to properly secure our OWN IT systems wherever they process covered defense information, which includes any deliverable due to the government.  Examples are the following:

  • Research and Engineering Data including Engineering Drawings, Associated Lists, Specifications, Standards, Process Sheets, Manuals, Technical Reports, Technical Orders, Catalog-Item Identifications
  • Data Sets
  • Studies, Analyses and Related Information
  • Computer Software Executable Code and Source Code
  • Monthly or Quarterly Reports

If you’re a DoD government contractor developing and submitting Contract Data Requirements Lists (CDRLs), you’ll need to ensure, on your own dime, that your Information Systems meet some stringent cybersecurity requirements by the end of 2017, just like the BIG government Information Systems.

In addition to securing your IT systems, you’ll need a process in place to continuously monitor your organization for cyber-incidents and to report any such incidents to the DoD quickly.  DFARS 252.204-7012 calls this “rapid reporting,” and it defines rapid as within 72 hours of discovering the incident.

NIST SP 800-171 groups its requirements into 14 families, 110 requirements in all.  Each requirement is mapped in the publication’s appendix to NIST SP 800-53 and ISO/IEC 27001 controls, which you may recognize if you have been involved in securing government IT systems.  The 14 families, which the table below pairs with their appropriate “who” and “why,” are:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

[Table: NIST SP 800-171 Requirements]

Those 110 requirements, often called controls, decompose into 670 individual assessment items that a contractor will need to work through to verify the measures have actually been taken.

What can I do to mitigate this risk?

  1. Understand Controlled Unclassified Information (CUI).
  2. Conduct the NIST SP 800-171 CUI self-assessment using the template provided by the Common Solutions Group (https://library.educause.edu/resources/2016/9/nist-sp-800-171-compliance-template) to analyze the gaps between my organization and the NIST SP 800-171 requirements.
  3. Create my Plan of Actions & Milestones (POA&M) to implement corrections.
  4. Build cybersecurity into my bottom line and internal processes.  I need to build and execute a process that continuously monitors and assesses the controls, starting with the most critical mitigations.
    1. The plan has to have tasks that validate and verify the plan is being executed.
    2. Tasks must be performed to ensure continuous risk assessment and progress on the POA&M.
    3. Develop and implement a process to identify cyber-incidents and report them to the DoD.
  5. Get my CUI Self-Attestation and CUI Deliverables including the following:
    1. Written Information Security Program (WISP)
    2. Configuration Management Plan (CMP)
    3. Information Security Continuous Monitoring (ISCM)
    4. Information System Contingency Plan (ISCP)
    5. Incident Response Plan (IRP)
    6. Security Awareness Program (SAP)
    7. Security Assessment Report (SAR)
    8. System Security Plan (SSP)

Just another thing for a small business that requires planning, people, and resources.  The good news is that I have to write a POA&M anyway, and that may be enough for the contracting officer to declare me in compliance.

Daunting.  Doable.

If you are a DoD contractor that hasn’t yet implemented NIST SP 800-171, your organization may want to start looking at it.  It could mean the difference between winning or NOT winning a contract.  More and more contracting officers will be requiring companies to be in compliance, so I would suggest you get ahead of the power curve.

If you are not sure whether your organization is affected by this requirement, reach out to the experts at Haight Bey, Engineering and Security Solutions.

As DynaGrace Enterprises goes through the journey of this mandated tightening of our own cybersecurity practices, watch for subsequent articles about our progress.

Linda Rawson, CEO and Founder of DynaGrace Enterprises (http://DynaGrace.com)

A Women-Owned, 8(a) Minority, Small Business

Author:  The Minority and Women-Owned Small Business Guide to Government Contracts
Between POWER and GRACE lies EXCELLENCE

Goldman Sachs 10,000 Small Business

DynaGrace Enterprises awarded 8(a) STARS II Governmentwide Acquisition Contract (GWAC)
GSA STARS II GWAC

DynaGrace Enterprises, Inc. (8a, WOSB, SDB), a trusted partner with the Federal Government, has been awarded the 8(a) STARS II Governmentwide Acquisition Contract (GWAC).

The 8(a) STARS II GWAC is a competitive multiple award, Indefinite Delivery Indefinite Quantity (IDIQ) set-aside contract vehicle for small businesses that participate in the Small Business Administration (SBA) 8(a) program.  It gives Federal agencies an efficient, flexible way to order Information Technology services and solutions worldwide while accruing 8(a) socioeconomic credit, and a simpler method for procuring services.  Because DynaGrace Enterprises is also a 100% Women-Owned Small Business (WOSB), agencies get credit in multiple areas.

The 8(a) STARS II GWAC program has a five-year base with one five-year option.  It has a $10 billion program ceiling and facilitates sole-source, also known as directed award, task orders up to $4 million each.

DynaGrace Enterprises has been selected under the Functional Area NAICS codes (FA1) NAICS 541511 – Custom Computer Programming Services, (FA2) NAICS 541512 – Computer Systems Design Services, and (FA4) NAICS 541519 – Other Computer Related Services.  DynaGrace Enterprises was selected based on cost and non-cost factors including the Contract Administration Plan (CAP), Marketing Action Plan (MAP), Past Performance, Price, and Responsibility.

Linda Rawson, President and CEO of DynaGrace Enterprises, said, “We have been anticipating this award for over two years. We have heard and read many success stories about companies that have prospered by using this GWAC effectively.  DynaGrace Enterprises is ready to capitalize on this contracting vehicle and to leverage the streamlined procurement path to serve our federal customers better.  We really appreciate the General Services Administration (GSA) for creating contract vehicles like the 8(a) STARS II GWAC to assure small business continues to lead innovation in meeting government technology challenges.”

DynaGrace Enterprises is an advanced IT services company delivering high-quality, high-value solutions to the Federal Government in the areas of Information Technology, System Integration, Cybersecurity, and Writing services.  DynaGrace Enterprises has the vision to provide pristine service while making the contracting process simple.  The company was founded on the belief that, in service to the Federal Government and Commercial clients, we have a critical obligation to the American people to perform at the highest level for the good of the country.

Customers can learn more about DynaGrace Enterprises by visiting the company’s website at DynaGrace.com or by calling the company directly at 800-676-0058.

The official press release is here -> http://www.pr.com/press-release/720563

Size Matters:  The Ostensible Subcontractor Rule
First, what in the world does “Ostensible” mean?

According to dictionary.com, it is an adjective with two meanings:

  1. Outwardly appearing as such; professed; pretended: an ostensible cheerfulness concealing sadness.
  2. Apparent, evident, or conspicuous: the ostensible truth of their theories.

Does anyone else find this humorous?  Really?  Cheerfulness concealing sadness?  The Ostensible Subcontractor Rule is anything but cheerful.

An “Ostensible Subcontractor” is one that “performs primary and vital requirements of a contract,” or is a subcontractor that the prime contractor is “unusually reliant” upon.  The Small Business Administration (SBA) regulations affiliate a prime contractor with all of its ostensible subcontractors for size determination purposes.

Affiliation is not a word anyone wants to hear in the government contracting arena.  Especially after an award has been made.

Affiliation can disqualify companies from set-asides because of the partners’ combined size.  The location and industries are not relevant.  It is about the power and control of the large subcontractor over the prime contractor.  The “Ostensible Subcontractor” rule is the most common type of affiliation found between a prime contractor and the subcontractors with which it teams.

The purpose of the rule is to prevent other than small firms from forming relationships with small businesses to evade the SBA’s size requirements.

The key for a Small Business to avoid falling victim to the ostensible subcontractor trap is to ensure that its proposal, proposal-related documentation, and teaming agreements do not indicate, on their face, that an ostensible subcontractor relationship exists.

Specifically, small businesses must be careful not to “oversell” the technical expertise, past experience, or work to be performed by their subcontractors in the proposal or proposal-related documentation.

While it may be necessary for a small business to emphasize the positive qualities of a large subcontractor to compete effectively for a contract award, the small business does not want to make it evident that they are solely relying on the large subcontractor to perform.

A small business must ensure that it proposes to perform a significant portion of the contract work or management with its own resources or to spread this work and management out amongst multiple subcontractors to ensure it is not “unusually reliant” on one subcontractor.

According to the article, Ostensible Subcontractor Affiliation: Beware These “Four Key Factors,” Says SBA OHA, the proposal in question had the small business prime contractor performing 51.1% of the contract services, with the large business performing the remaining 48.9%.  Of a total workforce of 20 personnel, 10 employees would go to the prime contractor and 10 employees would work for the subcontractor.

A very typical scenario is to split the employees between two contractors to meet the subcontracting percentages.

The four factors from this article that can contribute to this affiliation are:

  1. The proposed subcontractor was the incumbent contractor and was not eligible to compete for the procurement.
  2. The prime contractor planned to hire the vast majority of its workforce from the subcontractor.
  3. The prime contractor’s proposed management previously served with the subcontractor on the incumbent contract.
  4. The prime contractor lacked relevant experience and was obliged to rely on its more experienced subcontractor to manage the contract.

As a small business, you must be very careful to follow all the rules completely.  The small business mentioned in this article tried to fight the size standard ruling and lost.
