Over the past three years, The National Center for Standard and Technology defined 800-171 security requirements. These requirements were designed to protect Controlled Unclassified Information in Nonfederal information systems, as well as organizations.

When the DFAR (Defense Federal Acquisition Regulations) came out, most believed this mandate would finally create protection between government contractors who run the federal agencies to ensure that certain types of federal information are protected in any environment. The Department of Defense created milestones that each and every federal system integrator or contract holder must meet to uphold these requirements.

What are the 800-171 requirements?

There are 14 categories of security requirements that must be met. Each category has a unique set of policy tests that affected programs must meet.

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Physical Protection
  10. Personnel Security
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

The 800-171 requirements stem from NIST 800-53, which is a DFAR that controls unclassified information shared between the federal government with a non-federal entity.

Since 2015, we have watched and engaged with many system integrators, as well as manufacturers to ensure our federal government contractors meet all 800-171 DFAR mandates. The final date when all contractors had to meet DFARS 800-171 has passed, and most are not in compliance per the December 2017 deadline. Additions and controls are to be made in upcoming months, so if you are not compliant, you need to be.

Understanding What Is at Stake

There will be consequences for non-compliance, as not being able to conduct business with the federal government means large revenues lost and existing federal contracts being held at a standstill or withdrawn completely.

As Beverly Cornelius points out in a blog on The State (Read more...)