By: Dave Bykowski on March 10, 2021
What are the first steps for NIST 800-171 POAM SPRS submission and what to expect
Following the interim rule issued under DFARS Case 2019-D041 on September 29, 2020, a growing number of subcontractors in the Department of Defense (DoD) supply base who sell into the “Primes” are receiving urgent requests from their customers to comply with this new requirement.
Regardless of how long DFARS 252.204-7012 has been a stated requirement for DoD contract awards, this new urgency is driving a lot of activity in the Defense Industrial Base (DIB). As such, you have likely heard from a range of vendors offering to help you reach that goal.
Let’s spend a few minutes to gain a better understanding of how smaller contractors and subcontractors get through the NIST 800-171 gap assessment requirements, build their action plan, design their system security plan, and ensure the results are submitted completely.
As a mature technology consulting firm, Kelser has been working with clients and suppliers on their ever-changing requirements for decades.
I can appreciate what you, your in-house IT manager, and outsourced IT support partner are looking at when it comes to the NIST requirements because I have been there myself.
So, in my engagements with potential customers searching for a clear understanding of how to meet their own requirements, I’m able to provide a straightforward and relevant picture of the process we follow, and how to address near-term and future goals.
Remember that NIST 800-171 is just the stepping stone to CMMC, so you’ll want to be looking at both your current requirements (NIST 800-171) and, potentially, your next set of additional requirements (CMMC).
What Presidents and Owners need to know
If you’re the President/Owner/CEO of a small or mid-sized manufacturer selling into the much larger Prime contract holders, this is often a confusing time with many vendors offering their help in a wide array of engagement styles, costs, and solutions.
On top of that, your company is being pushed to validate that the requirements of NIST 800-171 and DFARS 7012 have been satisfied. This is becoming a criterion for entry into new or renewed contract awards flowing from the DoD.
The Prime Contractors like Lockheed Martin, Northrop Grumman, Raytheon, Boeing, General Dynamics, Huntington Ingalls, BAE, General Electric, and others are finding greater scrutiny from DoD purchasing departments related to the status of their cybersecurity throughout their entire supply chain.
Be assured, these requirements are not going away; rather, they will gradually increase over time depending on how much controlled unclassified information (CUI) is shared between the parties to the contract award. If your cybersecurity status isn’t at an adequate level, sooner rather than later you’ll begin seeing that impact your bottom line.
Perhaps the most important thing at this stage for you as an owner or high-level executive is that you’re taking this edict seriously and working towards compliance.
If you’re uncomfortable handling this in-house, then you’re searching for a partner you can trust with this initiative, one who will get your company where it needs to be from a compliance standpoint over the short and long term.
What IT managers need to know
If you’re an IT manager at a manufacturer that needs to become compliant, this means that time, resources, and budget need to be planned and made available to start working towards that compliance immediately.
Building up cybersecurity best practices and procedures takes time and rigor. IT managers need to be front and center in collaborating with other leaders in the company to ensure that shifts in culture and policies are brought online.
Your key to success here will be to educate your user community about the risks and rewards inherent in these new norms.
While simply pushing a new policy around passwords can come across as dictatorial, educating your users on the requirement, where it comes from, and how it benefits them as well as your company overall is more accepted.
You’ll find that this softens the blow of the new cyber secure reality, improves buy-in, allows for greater internal collaboration, and gets everyone pulling in the same direction towards this new shared goal.
This may seem like a lot for your internal team to handle on its own with everything else you’re covering to keep the lights on at your company. It’s perfectly normal to bring in additional outside IT resources to help navigate NIST and CMMC concerns.
Often the best way to get a valuable analysis of your environment against the control standards is to enlist an outside partner who brings a fresh set of eyes and greater objectivity to evaluating the data being processed.
Leverage your network and ask for references. Read articles and get reviews on providers. There’s no need to go it alone or struggle through the process.
What if I already have an IT provider?
Even if you currently utilize an outside partner for IT support, it’s worthwhile to have a genuine discussion with them about whether they’re the right fit to see you through these compliance standards.
This isn’t an evaluation of their ability to assist with your IT needs generally (if you’re happy with your provider, that’s great), but you likely didn’t originally partner with them with these cybersecurity concerns in mind, and specialization in this field is crucial to ensure a smooth compliance initiative.
It’s not uncommon for companies to bring in an additional IT services specialist to assist with specific initiatives like NIST compliance while still employing their current IT provider for other needs (though some companies may also choose to consolidate at that point).
The overall goal of these relationships is to do what’s in the best interest of your company and address your needs. In this case, if you’re a manufacturer with DoD contracts, NIST 800-171 compliance (and likely CMMC) is that pressing need.
What to expect as you prepare for submission
While no two IT infrastructures are the same nor are any two company cultures or operational styles identical, the overall process to get through the NIST assessment is well structured and identified.
When it comes to working through the 110 controls and the follow-on questions needed to determine the score to be submitted, it comes down to a set of conversations with your organization’s leadership, your primary IT person, and your outside support vendor, if any.
Vendors performing these analyses are finding that distance becomes less relevant by utilizing tools like Zoom and other collaboration systems. Now you’re able to find expertise either regionally or nationally and traverse more easily through the steps needed to complete the gap discussion.
If you’re using an outside IT company for this engagement, that provider will walk through the control questions focused on the relevant person on your team – whether IT, culture, or process – and make sure each control is addressed accurately. Otherwise, you’ll want to identify an internal team lead to carry out this function.
This will be the foundation of your score, the POAM, and the target date that’s expected with your submission to the Supplier Performance Risk System (SPRS). It also gives great perspective on which gaps your team will be able to handle versus where you may need outside assistance for remediation.
Following the analysis of all the control point questions, you will need to produce (or, if using an outside provider, they will present to you) a POAM, or Plan of Action with Milestones. This is a living document that outlines what needs to be done to resolve each gap, who will be the responsible party to execute the work, and the target completion date.
In its most basic form, it is also a required document for the submission into the SPRS. Think of it as you would a project plan with basic details of who, when, and what. This will be the guide for moving your organization’s cybersecurity score from where you are today to fully compliant.
How do I get started and what happens next?
It all starts with a conversation.
Talk through your goals and make sure everyone understands what each other’s expectations and responsibilities are in the process.
If using an outside provider, they will walk you through how they approach NIST 800-171 and what to expect in terms of timing and deliverables. They will coordinate the meetings with you, your IT person, and the external IT support to successfully work through the entire set of controls and produce actionable plans for compliance.
If you’re not working with an outside provider, those responsibilities will fall to your internal team.
Along the way, your internal team or your provider, depending on your situation, will put together the system security plan and determine a target date for full compliance. At that point you’re ready to submit through SPRS and fulfill the requirements being posted by your customers today.
In an average organization of 20 people or less, this process wraps up within weeks in my experience as an outside partner. However, it may take longer if you’re carrying this out in-house depending on factors like your available resources, in-house skillsets, hardware, software, and others.
After SPRS submission, the work of remediation begins, keeping the focus not only on NIST 800-171 compliance but ideally also on the “default” CMMC ML3 controls down the road. I’ve found that the best model for these engagements is flexible enough to treat this as a project or scale it into a long-term engagement, whichever mode works best to meet your needs and budget.
Whether handling internally or externally – you need to start now
Again, it all starts with a conversation – whether that’s an internal meeting or a phone call to a local IT provider that has experience with cybersecurity requirements such as NIST and CMMC.
Regardless of how you choose to handle your compliance needs, don’t wait a minute longer to start addressing them.
The requirements will only become more stringent as time goes by and, at some point, will likely pose a threat to your new or repeat business. The cybersecurity requirements being passed down by the DoD are not going to recede, and deadlines will continue to come.
If you feel that becoming NIST and CMMC compliant is going to take more resources than you have to spare, or if you want a fresh set of unbiased eyes to review your situation, Kelser has been supporting manufacturers in New England and across the nation for over 40 years.
We’ve helped manufacturers like you achieve their compliance requirements and business goals thanks to a deep bench of certified professionals that infuse years of field experience into your operations.
Regardless of your location, employee count, or what you produce, feel free to reach out to me with any questions. The only cost is a little time to explore your concerns and establish a next step forward.
Let’s get started now so that your business is ready to accept those contract awards when the time comes.