NIST 800-171 Cybersecurity Requirements: There’s a New Cyber Sheriff in Town

Is your small business a hacker's dream?

While you may think you’re too small to catch the attention of hackers, the statistics tell a different story. In fact, according to Cybint, 43 percent of cyber-attacks target small business. Now more than ever, it’s important to fortify your cybersecurity defense to withstand cyber attacks.

Utilizing NIST 800-171 Standards for Small Businesses

        As a security benchmark used by the civilian US government and Department of Defense, NIST 800-171 standards is a critical issue for small businesses. The DoD has now released the Cybersecurity Maturity Model Certification (CMMC) as the new cybersecurity standard for the DoD . This certification with the NIST 800-171 standard is part of the DFARS 252.204-7012 cybersecurity requirement. The  CMMC uses all of the cybersecurity controls are from NIST 800-171 but added additional controls from other cybersecurity frameworks. This article will continue to focus on NIST 800-171 as it includes the majority of the requirements for CMMC.

        If you think a bare bones cybersecurity solution is adequate, think again, because there’s a new cyber sheriff in town; the Defense Contract Management Agency (DCMA) Quality Assurance Specialists.

        During one of our recent assessments, a client mentioned that a DCMA Quality Assurance Specialist dropped off a contract clause checklist detailing their DFARS compliance. The checklist covered the disclosure, safeguarding, and reporting of cybersecurity incidents. All organizations that process Controlled Unclassified Information (CUI) are subject to the same NIST 800-171 standards and should be prepared for a DCMA Quality Assurance Specialist visit. To learn and understand the NIST 800-171 requirements in more depth check out our Cybersecurity 101 online course. 

What is included in the
DFARS 252.204-7012?

  1. The Contractor shall access and use the information only for the purpose of furnishing advice or technical assistance directly to the Government in support of the Government’s activities related to clause 252.204-7012, and shall not be used for any other purpose.
  2. The Contractor shall protect the information against unauthorized release or disclosure.
  3. The Contractor shall ensure that its employees are subject to use and non-disclosure obligations consistent with this clause prior to the employees being provided access to or use of the information.
  4. The third-party contractor that reported the cyber incident is a third-party beneficiary of the non-disclosure agreement between the Government and Contractor, as required by paragraph (b)(3) of this clause.
  5. A breach of these obligations or restrictions may subject the Contractor to the following:
    1. Criminal, civil, administrative, and contractual actions in law and equity for penalties, damages, and other appropriate remedies by the United Stands; and
    2. Civil actions for damages and other appropriate remedies by the third party that reported the cyber incident, as a third party beneficiary of the clause.

(c) Subcontracts. The Contractor shall include this clause, including this paragraph (c), in subcontracts, or similar contractual instruments, for services that include support for the Government’s activities related to safeguarding covered defense information and cyber incident reporting, including subcontracts for commercial items, without alteration, except to identify the parties.

What comprises the NIST 800-171

        NIST 800-171 standards provides detailed lists of security requirements contractors need to employ to meet the standards. Following is a list of the requirement “families”:

  • Access Control
  • Awareness and Training
  • Auditing and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communication Protection
  • System and Information Integrity

What are the DFARS
Cybersecurity Requirements?

DFARS Cybersecurity Compliance means “implementing” 3 things:

Our cyber security experts at Totem can help with all three.

Feeling overwhelmed by the NIST 800-171 requirements? Don’t Panic!
Let Totem Help.

When it comes to addressing NIST 800-171 standards, a knowledgeable IT manager doesn’t cut it. It’s a huge undertaking, requiring a specialized toolkit and step-by-step guidance. Our military-grade cybersecurity compliance solutions are built with small businesses in mind, so you can rest assured that we’ll help you meet the compliance requirements in the least painful, most affordable way. 

Don’t settle for bare minimum compliance, or worse, don’t stick your head in the sand and leave yourself vulnerable to cyber-attacks and data breaches.

If your organization is subject to DFARS 252.204-7012 the CMMC/NIST 800-171 standards, Totem can help through online education, hands on workshops, and compliance assessments. We also offer a Cybersecurity Planning Tool software to help companies better understand where they are in the compliance journey and the steps they need to take to meet and manage their compliance requirements.  

We keep up to date on all compliance changes because we are DoD contractors too.  Contact us today to receive a free estimate. Remember, a strong defense is a winning strategy!

–Adam Austin
Cybersecurity Lead


Updated 5/25/2022

Download the NIST 800-171 Assessment Methodology Sheet!

Like this post? Share it!

Get notified when new blogs are published!