Doing business with federal, state, and local governments has become increasingly difficult for organizations because of the regulatory and compliance requirements now applied to information technology. For nearly 20 years the federal government has focused on the cybersecurity practices of its contractors and on protecting data and systems from evolving threats. Many contracts have been updated to include cybersecurity language and requirements. Some of that contract language has been vague, while other clauses are well defined and stringent, even barring companies from bidding on contracts unless the appropriate security controls are already in place.
As a government contractor and managed service provider (MSP), we have had to adhere to these regulatory changes. We continuously evaluate our own security posture, procedures, and policies as they pertain to supporting our contractual work and the work of our clients that have the same compliance requirements. Our managed services team is trained and well-versed in working within environments that contain data that requires safeguarding.
National Institute of Standards and Technology (NIST)
Building strong cybersecurity protections, policies, procedures, and training positions organizations to continue working with government clients. The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, has become the leading source of standards, guidelines, and best practices for mitigating cybersecurity risk.
Initially released in 2005, NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, was designed as a comprehensive catalog of security controls for protecting federal systems (it is the control catalog that the NIST Risk Management Framework in SP 800-37 draws on). Over the years the publication has evolved to apply to all organizations, not just federal systems; its current revision (Revision 5, retitled Security and Privacy Controls for Information Systems and Organizations) organizes its controls into 20 control families.
In November 2010, Executive Order 13556 was signed to establish a uniform program for managing unclassified information that requires safeguarding or dissemination controls. Certain privacy, security, proprietary business, and law enforcement investigation information would now be marked as Controlled Unclassified Information (CUI). Historically, this information had carried agency-specific markings such as FOUO, PII, SPII, PBI, CBI, UCTI, SBU, LES, and others. NIST was tasked with establishing the standards and guidelines for protecting this information when it resides on nonfederal systems. The result is NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which in Revision 2 organizes 110 security requirements into 14 control families. Although many of the families are technical in nature, a large number of the requirements call for documented policies and procedures, personnel screening, physical security, and security awareness training. For many years NIST 800-171 has been included as a contract requirement on a self-attestation basis (for DoD contracts through DFARS clause 252.204-7012).
Cybersecurity Maturity Model Certification (CMMC)
In 2019, the Department of Defense announced the Cybersecurity Maturity Model Certification (CMMC) program to safeguard sensitive national security information within the defense industrial base (DIB). The program builds on the NIST 800-171 framework; the original CMMC model also added practices beyond the 110 NIST requirements. In September 2020, DoD published an interim DFARS rule that requires defense contractors to complete a NIST 800-171 self-assessment using the DoD Assessment Methodology and to report the resulting score, along with the date of the assessment, the date of their System Security Plan (SSP), and the planned completion date of their Plan of Action and Milestones (POA&M), in the Supplier Performance Risk System (SPRS). DoD is now rolling out CMMC 2.0, a three-level model: Level 1 (Foundational) covers the protection of Federal Contract Information (FCI), Level 2 (Advanced) maps to the 110 NIST 800-171 requirements and applies to organizations that handle CUI, and Level 3 (Expert) is for the highest-priority programs handling CUI and adds requirements drawn from NIST SP 800-172. Level 1 will remain an annual self-assessment; Level 2 will require a triennial third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) for most CUI programs, with a subset of programs allowed to self-assess annually; and Level 3 will require a triennial government-led assessment.
NIST and CMMC Appearing in Many Government Agencies
Government contractors working with DoD, GSA, and NASA; universities and research institutions that receive federal funds; and a growing number of federal, state, and local agencies are now being required to adhere to the NIST 800-171 framework. Achieving a high NIST score takes time, resources, changes to how business is conducted, and executive sponsorship for improving cybersecurity posture and practices. If you work with the government or are a subcontractor to a prime on government contracts, now is the time to partner with your managed service provider to focus on safeguarding your systems. Continuing to improve your NIST score is a sign of higher operational maturity and may serve as a competitive advantage in your marketplace.