NIST Compliance for Small Business Government Contractors

Overview

Under the interim rule issued in December 2015 (DFARS § 252.204-7012), DoD contractors (including small businesses) must provide adequate security to safeguard covered defense information that resides in or transits through their internal unclassified information systems from unauthorized access and disclosure.

What is considered adequate security?

The minimum cybersecurity standard is NIST Special Publication 800-171, which groups its security requirements into fourteen families (for example access control, audit and accountability, configuration management, identification and authentication, and incident response). Each family contains specific security requirements that DoD contractors must implement on any internal system that stores, processes, or transmits covered defense information.

What is required of you?

Full compliance is required not later than December 31, 2017. The contractor must notify the DoD CIO, within 30 days of contract award, of any NIST SP 800-171 security requirements not implemented at the time of award. If a contractor intends to use an external cloud service to store, process, or transmit covered defense information, it must ensure that the cloud service provider meets security requirements equivalent to the FedRAMP "Moderate" baseline and complies with the clause's cyber incident reporting, malicious software submission, and media preservation requirements.

Although these requirements may initially seem overwhelming, the costs of meeting them may be allowable under a cost-reimbursement contract pursuant to FAR 31.201-2 (determining allowability).

How can Ariento help?

Ariento can help in one of two ways:

  1. Consulting - We conduct a 2-4 week assessment of your business against the NIST SP 800-171 requirements. You receive a report card listing each required NIST control with a determination of compliance for that control. For each area of non-compliance, we provide actionable remediation recommendations that can readily be turned into a Plan of Action and Milestones (POA&M). We can also help implement those recommendations.
  2. Managed Services - We become your NIST-compliant outsourced IT shop, making you compliant now and keeping you compliant as the regulations change. We also conduct an annual assessment of your business against the NIST requirements, giving you a record of compliance year over year.