The Deadline for SP 800-171 Has Come and Gone: What to Know and Do If You Missed It

For government contractors who deal with Controlled Unclassified Information (CUI), the deadline for compliance with DFARS 252.204.7012/NIST SP 800-171 came and went on December 31, 2017.  Did you make it?

The purpose of 800-171 is basically two-fold:

  • To ensure that those who handle CUI have in place standardized security procedures, allowing the government to assess the readiness of a nonfederal organization to protect sensitive information, and
  • To make sure there are mechanisms in place to project information from privacy violations, cyberattack or any other form of theft, alteration or loss of CUI while carrying out federally contracted services.

All government contractors, such as defense department contractors, collection agencies, research organizations, legal teams or those that deal with HIPAA information, had until the end of the year deadline to put together and submit their safety plans to their respective federal agencies.  Plans had to have taken into account all fourteen “families” of concern; areas such as control over access to information, personnel security, physical protection and incident response.  These encompass over one hundred controls.

Given the fact that many nonfederal organizations may not have the resources to satisfy every security requirement as prescribed by 800-171, you still must have followed the guidelines and documented why your alternative controls are just as effective at protecting CUI.  Note:  If you use subcontractors or cloud service providers, they must meet 800-171 also.

The consequences of not submitting plans means current projects/contracts could be cancelled and those without plans will be barred from bidding on upcoming contracts. 

If you missed the deadline, what should you do?

The worst thing  you can do is ignore the requirement, even if you missed the deadline.

Your plan of action should now be to become compliant in preparation for an inevitable audit.  But given the fact that time is not on your side, you don’t want to try and play “catch-up” on your own. SP 800-171 compliance is not trivial.

BSC Systems can help you with a streamlined gap analysis and management approach to speed the compliance process while making a minimal impact on your business operations.  We will conduct a thorough review of your existing security program as well as your environment to determine which 800-171 controls apply to your contract operations.

Once the gaps are understood, we will help you fill those gaps using our proven documentation templates that meet or exceed all of the 800-171 requirements.  All requirements will be thoroughly supported by objective evidence so that you will withstand the coming audit.  At the same time, for those requirements that are not applicable, documentation will be provided to show they are not needed to your particular operation.  And for those specific requirements that are cost prohibitive to your business, we are good at finding existing or achievable compensating controls.

If, for some reason, this preparation still doesn’t fully satisfy the intent of 800-171, BSC Systems will either help you prepare a “Plan of Action and Milestones” to meet the requirements or draft a risk acceptance justification.

If you have missed the December 31, 2017 deadline for submitting your safety plan, all is not lost if you act now.  Don’t wait to contact BSC Systems to meet your SP 800-171 assessment needs.