
DFARS, Cybersecurity Frameworks

Reading Between the Lines of NIST SP 800-171 Rev 2 and 800-171B Drafts


On June 19th, the National Institute of Standards and Technology (NIST) released the much anticipated Rev 2 of SP 800-171 and the working draft of its supplement, SP 800-171B. As the core of the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements, SP 800-171 focuses on protecting controlled unclassified information (CUI) held by Department of Defense contractors. For some contractor information systems managers, its requirements are the minimum security baseline they already exceed; for others, SP 800-171 is what brings the organization up to a level of security adequate to win DoD contracts.

The Changing Landscape of DoD Cybersecurity

For lower-tier subcontractors especially, the DFARS requirements meant standing up systems security operations in order to reach compliance. To date, DFARS cyber compliance has been a self-certification process: contractor representatives sign off on their own compliance with SP 800-171, with little activity from the DoD to verify it. As we have seen, however, the self-certification model has proved untenable from a security perspective, and the DoD is now developing a new process that does not rely on self-certification. These new revisions, especially SP 800-171B, are indicators of that shift. Whereas the core SP 800-171 applies to all contractors, the 800-171B supplement appears to be the first sign of a tiered system with different levels of security for different contractors.

The Cybersecurity Maturity Model Certification

While we have yet to see concrete documentation on the DoD’s new certification, the Cybersecurity Maturity Model Certification (CMMC), CyberSaint CPO Padraic O’Reilly predicts that SP 800-171B is the precursor to the four-tiered model. “The SP 800-171B is a precursor to the upcoming CMMC that the Department of Defense is currently working on - this supplement, though, appears to be targeted at primes and high-level subcontractors given the specificity of certain aspects,” said O’Reilly of the draft supplement. The higher levels of the certification would certainly point to contractors higher in the supply chain, while the more easily achievable levels are aimed at the lower tiers of the DoD supply chain.

Where We Go From Here

NIST SP 800-171 V2 was one of the most widely anticipated publications from the National Institute of Standards and Technology in 2019. Given the DoD’s changing tune on the merits (or lack thereof) of compliance self-certification, the DFARS mandate specifically related to the security of CUI is up for serious change in 2020 and beyond. While the specifics are yet to be seen, Rev 2 of SP 800-171 certainly gives insight into the early stages of these new processes and requirements.
