The Deadline for SP 800-171 Has Come and Gone: What to Know and Do If You Missed It

For government contractors who deal with Controlled Unclassified Information (CUI), the deadline for compliance with DFARS 252.204.7012/NIST SP 800-171 came and went on December 31, 2017.  Did you make it?

The purpose of 800-171 is two-fold:

  • To ensure that those who handle CUI have in place standardized security procedures, allowing the government to assess the readiness of a nonfederal organization to protect sensitive information, and
  • To make sure there are mechanisms in place to protect information from privacy violations, cyberattack or any other form of theft, alteration or loss of CUI while carrying out federally contracted services.

All government contractors, such as defense department contractors, collection agencies, research organizations, legal teams or those that deal with HIPAA information, had until the end-of-year deadline to put together and submit their safety plans to their respective federal agencies. Plans had to take into account all fourteen “families” of requirements, covering areas such as control over access to information, personnel security, physical protection and incident response. These families encompass over one hundred controls.

Even though many nonfederal organizations may not have the resources to satisfy every security requirement exactly as prescribed by 800-171, you still must have followed the guidelines and documented why your alternative controls are just as effective at protecting CUI. Note: if you use subcontractors or cloud service providers, they must also meet 800-171.

The consequence of not submitting a plan is that current projects/contracts could be cancelled, and organizations without plans will be barred from bidding on upcoming contracts.

If you missed the deadline, what should you do?

The worst thing you can do is ignore the requirement, even if you missed the deadline.

Your plan of action should now be to become compliant in preparation for an inevitable audit. But given that time is not on your side, you don’t want to try to play “catch-up” on your own. SP 800-171 compliance is not trivial.

BSC Systems can help you with a streamlined gap analysis and management approach that speeds the compliance process while making a minimal impact on your business operations. We will conduct a thorough review of your existing security program and your environment to determine which 800-171 controls apply to your contract operations.

Once the gaps are understood, we will help you fill them using our proven documentation templates, which meet or exceed all of the 800-171 requirements. Every requirement will be thoroughly supported by objective evidence so that you can withstand the coming audit. At the same time, for those requirements that are not applicable, we will provide documentation showing they are not needed for your particular operation. And for those specific requirements that are cost prohibitive for your business, we are good at finding existing or achievable compensating controls.

If, for some reason, this preparation still doesn’t fully satisfy the intent of 800-171, BSC Systems will either help you prepare a “Plan of Action and Milestones” to meet the requirements or draft a risk acceptance justification.

If you have missed the December 31, 2017 deadline for submitting your safety plan, all is not lost if you act now.  Don’t wait to contact BSC Systems to meet your SP 800-171 assessment needs.