Dangers of not complying with DFARS/NIST 800-171
I am not a fear monger. I don’t try to use Fear, Uncertainty, and Doubt to influence people. Regardless, today, I am writing to raise up warning flags. If you sell products or are contracted to provide services to the Department of Defense (DoD) or if you have a grant from or cooperative agreement with DoD, then you must ensure you are protecting Confidential Unclassified Information (CUI) or more specifically, Covered Defense Information (CDI).
Time is running out and Defense Federal Acquisition Regulation (DFARS) 252.204.7012 describes how those working with DoD must be Safeguarding Covered Defense Information and Cyber Incident Reporting by December 31, 2017. At an Industry Information Day, in June, DoD unequivocally stated there will be no extension of this deadline.
Luckily, InfusionPoints is there to help you implement the DFARS-specified security controls found in National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations before the stated date.
WARNING #1: If you don’t comply with DFARS/NIST 800-171 your business is at risk!
InfusionPoints has spoken with DoD acquisition officials and heard that firms self-certify that they comply with DFARS/NIST 800-171. Conversely, if a vendor does not fully comply with or has “an alternate security measure” that is “equally effective” then the they must contact the DoD Chief Information Officer (CIO). Therefore, if your firm has not discussed its security posture with the DoD CIO then your firm is implying it is securing CDI.
If later a firm is audited by DoD and found not to have implemented DFARS/NIST 800-171, then the Department can levy numerous penalties on the scofflaw. In my opinion, the “best” case scenario would be a stop-work order where performance is suspended until CDI is secured. In the worst cases, DFARS 252.204-7009(b)(5) states that disregard of these requirements can lead to other criminal, civil, administrative, or contract penalties. These consequences may include:
- Breach of Contract damages
- False Claims Act damages
- Liquidated Damages
- Termination for Default
- Termination for Convenience
- Poor Past Performance
- Suspension/debarment
Yes, I am trying to stir you into action, but, these really truly are potential penalties for DFARS/NIST 800-171 non-compliance. In Fiscal Year 2015, the Army alone processed 1033 suspension, proposed debarment, and debarment actions.
WARNING #2: If you don’t comply with DFARS/NIST 800-171 your data is at risk!
There are nefarious parties, hackers, that want your data. They employ tricks and sneaky tactics, and can go undetected inside your organization for way too long. Per the non-profit Identity Theft Resource Center, US companies and government agencies suffered a record 1093 data breaches in 2016. This was a 40% increase from the previous year! Criminals want to are stealing the business plans, financial information, technical details, names, addresses, social security numbers, and other sensitive information that companies store.
The controls detailed in NIST 800-171 are within normal security Best Practices that any organization should be following. Implementing these controls will improve the overall security posture of your organization. Your firm will protect its data and ensure that CDI, the information provided by DoD or that you otherwise collect in support of DoD performance is safeguarded.
Help is available.
It does not matter if you are a large business or small business. It does not matter if you provide products or services. It does not matter if you are a prime or sub. Your business must comply with DFARS/NIST 800-171. Please, just know you have an independent trusted advisor to help you. Contact InfusionPoints today and let us guide you through this process. You are only three steps away from a secure environment. Our Build, Manage, and Defend services will ensure you are safeguarding DoD information.
References.
Cybersecurity Challenges, Protecting DoD's Unclassified Information
Industry Information Day, Cybersecurity Challenges - Part 1
Industry Information Day, Cybersecurity Challenges - Part 2
Industry Information Day, Cybersecurity Challenges - Part 3
Industry Information Day, Cybersecurity Challenges - Part 4