DFARS 7012 & NIST 800-171 Compliance Services

G2 Ops provides cybersecurity compliance expertise and consulting services to help government contractors assess their information systems and cybersecurity programs against the requirements specified in DFARS 252.204-7012 and NIST SP 800-171.

Since December 31, 2017, Defense Industrial Base (“DIB”) contractors that possess or work with Covered Defense Information (“CDI”) have been required to comply with the DFARS 252.204-7012 (“DFARS 7012”) contract clause, “Safeguarding Covered Defense Information and Cyber Incident Reporting” (https://www.acquisition.gov/dfars/part-252-solicitation-provisions-and-contract-clauses#DFARS-252.204-7012). The clause requires contractors to implement NIST SP 800-171 and to report cyber incidents to DoD. In practice, meeting it produces four deliverables:

1. Cybersecurity Gap Analysis

  • Perform a gap analysis against NIST SP 800-171 Revision 2 (Rev 2) to identify which of its security requirements your company does not yet meet, and to document deficiencies in your organizational security posture.

2. System Security Plan (“SSP”)

  • Develop and maintain an SSP that documents your company’s system boundary, the CUI that flows through it, and how each NIST SP 800-171 requirement is implemented.

3. Plan of Action and Milestones (“POA&M” or “POAM”)

  • Develop and maintain a POA&M that records each unmet requirement identified in the gap analysis, the planned remediation, the responsible party, and the target completion date.

4. Incident Response Plan

  • Document your company’s cyber incident response capability and mitigation strategies, including the 72-hour reporting of cyber incidents to DoD that the clause requires.

Prior to November 30, 2020, DIB contractors self-attested to DFARS 7012 compliance by accepting the clause in their contracts. Effective December 1, 2020, under the DFARS interim rule (DFARS 252.204-7019 and 252.204-7020), DIB contractors must also have a current NIST SP 800-171 DoD Assessment on file before award. At the Basic level this is a self-assessment, scored under the DoD Assessment Methodology, that uses the assessment objectives in NIST SP 800-171A to check each of the 110 requirements. The resulting score must be reported to the DoD’s Supplier Performance Risk System (“SPRS”), where DoD contracting and acquisition personnel use it to evaluate your company’s ability to protect contract-related CUI.

NIST SP 800-171 Cybersecurity Gap Analysis

The National Institute of Standards and Technology (“NIST”) developed NIST Special Publication (SP) 800-171 as the set of security requirements that nonfederal systems and organizations must meet when they handle Controlled Unclassified Information (“CUI”). The objective of the publication is to protect the confidentiality of CUI wherever it is processed, stored, or transmitted within an organization, and so to reduce the risk of a data breach.

Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf

NIST SP 800-171 (Rev 2) – “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” Summary

  • Derived from FIPS 200 and the moderate baseline of NIST SP 800-53, the catalog used to select security controls for Federal Government systems
  • 14 security requirement families
  • 110 security requirements (often referred to as controls), each of which maps to one or more NIST SP 800-171A assessment objectives

As required by DFARS 7012, NIST SP 800-171 compliance is captured in a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M/POAM). Both are themselves requirements of the publication: 3.12.4 calls for a system security plan that is developed, documented, and periodically updated, and 3.12.2 calls for plans of action to correct deficiencies and reduce or eliminate vulnerabilities.

To inquire about G2 Ops’ DFARS 7012 / NIST 800-171 Services, call us at 757.965.8330 or contact us today.