Time is running out to meet the NIST 800-53 or 800-171 cybersecurity mandate. CSSC helps organizations define and determine which applies to their DoD contracting or subcontracting operation.
Contractors and supply chain businesses have been tasked with meeting heightened cybersecurity mandates by the U.S. Department of Defense. Deadlines for compliance are fast approaching, and those operations that fail to gain the required cybersecurity can expect to be left out of profitable government contracts. Despite the urgency surrounding compliance, considerable confusion exists regarding two specific standards, NIST 800-53 and 800-171.
If you are a decision-maker at a DoD contractor or supply chain company, time is of the essence to know which standard you are expected to meet in the coming months. CSSC will help you review current agreements and the compliance necessary to bid on future work. The following effort to simplify the differences between NIST compliance for 800-53 and 800-171 will provide valuable insight.
Knowing The Difference Is Crucial to DoD Contractors
The National Institute of Standards and Technology (NIST) SP 800-53 is not a new security standard. The federal government now operates under Revision 5 of the publication, Security and Privacy Controls for Federal Information Systems and Organizations. The publication ranks among the most comprehensive cybersecurity guides regulating data housed on servers in the DoD supply chain. If your organization directly connects to federal servers, networks, or other systems, the 800-53 standard will likely apply to your business.
Given the vast amount of work the federal government conducts with private corporations, it’s not uncommon for NIST SP 800-53 compliance to be included in your contract. Subcontractors must also comply with the primary contract and should see the cybersecurity mandate listed as well. Unfortunately, the complexity of some agreements and legal information used in various clauses has resulted in missteps, and too many operations are not compliant. That all ends in the coming months.
If you plan to work directly with a federal information system, the controls your organization is expected to be certified against are listed in the 800-53 document, which is 462 pages long. Meeting the requirements in your current contract, or in those you wish to bid on, requires enhanced cyber hygiene and certified proof of it. To say this could be a demanding effort would be an understatement. Securing a prompt cybersecurity assessment is advisable if you want to work with a federal network.
The key difference between NIST 800-53 and 800-171 is that the latter applies to non-federal networks. If you run a support or “supply chain” operation, the Defense Federal Acquisition Regulation Supplement (DFARS) made specific cybersecurity protocols a requirement as far back as 2015. That may come as a surprise in the current climate, because those requirements were often only loosely enforced. Going forward, controlled unclassified information (CUI) will be under strict scrutiny, and private businesses that house such data will either gain certification or be left out of the DoD loop. It is crucial to understand that you do not need to be linked to a federal system to fall under the 800-171 mandate.
The first step in gaining compliance is to have a CSSC expert read the clauses in your DoD contract and identify which designation you must meet. CSSC will act as your independent cybersecurity consultant and thoroughly review your systems and cybersecurity health. That evaluation will show you where your systems and protocols measure up and where they do not. It’s crucial to move quickly if you are uncertain, because the federal government expects a third-party audit to be performed in order to obtain an impartial certification. Your organization will need proof positive to continue working with the federal government or to bid on future contracts.
If you want more information on the NIST Frameworks, please click the CONTACT US link below. We would be more than happy to answer your questions. Our initial consultation is free of charge. Thank you, and we look forward to hearing from you soon.
Copyright © 2024 Cyber Security & Specialty Consultants - All Rights Reserved.