The increasing regulatory and cybersecurity compliance requirements for information technology have made it difficult for organizations to do business with government agencies. The federal government has been particularly focused on cybersecurity for nearly 20 years, and many contracts now explicitly require specific cybersecurity practices. Some of this language is vague, while other contracts are more stringent and may even prohibit companies from bidding without the appropriate security controls in place.
As a government contractor and managed service provider (MSP), we are committed to meeting all applicable regulations. We continuously evaluate our security posture, procedures, and policies to ensure that they meet the needs of our government clients. Our managed services team is trained and experienced in working with sensitive data, and we are confident that we can help you meet your cybersecurity requirements.
National Institute of Standards and Technology (NIST)
Establishing sound cybersecurity protections, policies, procedures, and training will ensure organizations are well positioned to continue working with government clients. The National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce, has become a leading organization for setting standards, guidelines, and best practices for mitigating cybersecurity risks.
Initially released in 2005, NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, was designed as a comprehensive risk management framework to protect federal systems. Over the years this publication has evolved to apply to all organizations, not just federal systems, and its guidelines are now organized into 20 control families.
In 2010, Executive Order 13556 was signed to establish a uniform program for managing information that requires safeguarding or dissemination controls. Certain privacy, security, proprietary business interests, and law enforcement investigation information would need to be marked as Controlled Unclassified Information (CUI). Historically, this information would fall under the markings of FOUO, PII, SPII, PBI, CBI, UCTI, SBU, LES, and others. NIST was tasked with establishing a set of standards and guidelines to protect this information.
The standard that NIST established is NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which organizes 110 controls across 14 control families. Although many of the control families are technical in nature, a large number of controls require specified policies, procedures, hiring practices, physical security, and training practices. The NIST 800-171 framework has been included as a requirement on many contracts under a self-attestation principle for many years.
Cybersecurity Maturity Model Certification (CMMC)
In 2019, the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) program to safeguard sensitive national security information within the defense industrial base (DIB). This new program aligns with the NIST 800-171 framework and includes additional controls. In September 2020, an interim DFARS rule was released that requires government contractors to complete a NIST 800-171 self-assessment and report their score, along with the dates of their most recent System Security Plan (SSP) and Plan of Action and Milestones (POAM), in the Supplier Performance Risk System (SPRS).
The DoD is in the process of rolling out CMMC 2.0, a 3-level framework in which Level 1 (Foundational) is for protecting federal contract information, Level 2 (Advanced, aligned with NIST 800-171) is for organizations that manage CUI, and Level 3 (Expert) is for the highest priority programs with CUI. Level 1 will remain an annual self-assessment, Level 2 will require a triennial third-party assessment by a Certified Third-Party Assessor Organization (C3PAO), and Level 3 will require a triennial government-led assessment.
NIST and CMMC Appearing in Many Government Agencies
Government contractors working with the DOD, GSA, and NASA, universities and research institutions that receive federal funds, and a growing number of federal, state, and local agencies are now being required to adhere to the NIST 800-171 framework. Achieving a high NIST score requires time, resources, adjustments in the way that business is conducted, and executive sponsorship to improve cybersecurity posture and practices. If you work with the government or are a subcontractor to a prime on government contracts, now is the time to partner with your managed service provider to focus on safeguarding your systems. Continuing to improve your NIST score is a sign of a higher operational maturity level and may serve as a competitive advantage in your marketplace.