Your Supply Chain Security Deadline is Looming

If your organization has a contract with DoD, and that contract contains the DFARS 252.239-7018 clause, you have until 31 December of this year to implement the requirements specified in NIST Special Publication 800-161.

What is driving this emphasis on supply chain security? An increasing trend of cyber-attacks on DoD contractors that come in through the supply chain rather than through the contractor's own perimeter. For the production of major end items, the size and complexity of the supply chain presents a large attack surface, so the manufacturers of such items are already working to meet the new requirements. However, the DFARS clause is not limited to large manufacturers: almost any contractor that produces an end item for delivery will be required to comply. And that deadline is looming.

Even if your organization is not presently subject to the clause, if you plan to bid on DoD contracts you need to become NIST 800-161 compliant now, because you will have only a limited time after contract award to demonstrate compliance to the contracting officer. And if you plan to bid with a large prime, it will almost certainly treat your company's 800-161 compliance as a prerequisite to a subcontract (or even a teaming) agreement.

BSC Systems has produced 800-161 compliant System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms), so we can help you meet the DFARS requirement even if you do not yet satisfy all of the 800-161 controls. The process begins with a brief analysis of your current security posture against the 800-161 controls to document the gaps. This is followed by modifying or creating an 800-161 compliant SSP that formally documents your processes and shows how you satisfy each control. Some controls will not apply to your situation; for these, we document the justification for excluding them. For others, the risk may be so slight that the cost of implementing the control is not justified; in these cases, we perform the brief risk assessment needed to support your decision to accept that risk, so that the acceptance is a documented, deliberate choice rather than an undocumented omission.

The existence of unsatisfied controls that do apply, and for which risk acceptance is not justifiable, does not automatically mean you fail to be 800-161 compliant. But you must document a plan to eventually meet those controls. To that end, we assist in developing a POA&M that establishes, for each gap, the action that will close it, who is responsible, and when it is expected to be completed.

Objective evidence for satisfied controls, documented justification for non-applicable controls and accepted risks, and a reasonable POA&M together constitute a strong case for compliance. When these conditions are met, BSC issues a Letter of Attestation expressing our independent opinion that your organization is in compliance.

At this point, you might expect that achieving and maintaining compliance will be expensive and disruptive to your business processes. In our experience, a proven approach and refined tools keep the cost down while minimizing disruption.

Finally, we have two goals: for your organization to be recognized as 800-161 compliant by your customers and for you to have genuinely improved the security posture of your supply chain.