Securing DoD Contracts: A Case Study in NIST SP 800-171 Compliance

A U.S. Federal Contractor sought to secure a lucrative DoD contract to upgrade the Surveillance and Targeting systems on a fleet of older-generation UAVs. However, the contract conditions required the Federal Contractor to have implemented proper safeguards to protect the technical data, such as project specifications provided by the DoD and any other sensitive information it generated during the execution of the contract. If this information were to fall into the wrong hands, it could have severe implications, including compromising the Air Force's competitive edge and reducing the warfighter's lethality. Understanding the importance of fortifying its cybersecurity posture to effectively handle the CUI and demonstrate compliance with NIST SP 800-171, the Contractor sought assistance from Cleared Systems. This strategic partnership with us was an avenue for the Federal Contractor to achieve NIST SP 800-171 compliance and exemplify their unwavering commitment to the highest security standards.

Objectives

• To comprehensively assess the Federal Contractor's current environment against all 110 NIST SP 800-171 security requirements. This would allow us to identify gaps where implemented security controls do not fully meet the standards and requirements outlined in this publication.
• To develop a prioritized roadmap for gap remediation that maps out plans to address all identified control deficiencies in the Federal Contractors environment, equipment, systems, and processes, thereby strengthening the Contractor's security framework.
• To deploy new technical security solutions on the Federal Contractor's assets that process, transmit, or store CUI to satisfy requirements related to access control, multi-factor authentication, encryption, activity monitoring, vulnerability management, and other domains critical for securing CUI data.
• To support the federal Contractor in establishing new formally documented policies, procedures, and processes to fulfill NIST SP 800-171 requirements focused on security planning, auditing, incident response, personnel screening, and other areas key to the contracting work.
• To assist the federal Contractor in creating a System Security Plan containing an inventory of all applicable security controls and current implementation status against NIST 800-171 benchmarks.
• To help the federal Contractor create a thorough Plan of Action and Milestones (POA&M) that details plans to remediate all control deficiencies with projected budgets, timelines, and owners.
• To validate full compliance with NIST SP 800-171 security requirements to support the Federal Contractor in securing the lucrative DoD contract to upgrade the surveillance and targeting systems.

Challenges

• It was Challenging to Implement some controls: Certain NIST 800-171 control requirements like encrypting data-at-rest and during transmission, enforcing multi-factor authentication, or enabling comprehensive audit logging proved difficult for the federal Contractor to implement fully due to technology limitations.
• Interoperability issues: The federal Contractor struggled to ensure that the security tools and systems used across its various heterogeneous IT environments could seamlessly interoperate and work together to protect the sensitive CUI data.
• Failure to properly Understand the covered information systems: The federal Contractor initially struggled to identify and map out all information systems that process, store, or transmit CUI data covered under NIST 800-171. Not having complete visibility made it hard to apply controls.
• Incident response preparedness: Developing, regularly testing, and maintaining an effective NIST 800-171 tailored incident response plan was essential but proved challenging for the Federal Contractor.
• Hardships segregating covered DOD information systems from commercial systems: The federal Contractor found it challenging to maintain separate security policies, controls, and processes for the systems handling CUI versus ordinary commercial data. Strict segregation is required by NIST 800-171 but challenging to execute.
• Incorrectly marking CUI: The federal Contractor found it challenging to accurately identify, categorize, and manage CUI data to apply appropriate safeguards due to the complexity of the task. This led to incorrect marking of CUI, making it hard to adequately meet all the controls of NIST SP 800-171.
• Ambiguities in some NIST SP 800-171 security controls: The federal Contractor faced difficulties interpreting some of the control requirements in NIST 800-171, which contain ambiguities. The lack of clarity created confusion around exactly how to implement specific controls.

Solutions

Customized Technology Integration

Cleared Systems conducted an in-depth assessment of the Contractor's existing technology landscape and recommended and implemented custom solutions addressing the limitations hindering control implementation. For instance, we enhanced the existing infrastructure to support data-at-rest encryption and multi-factor authentication, tailored to the federal Contractor's unique technological environment.

Control Interpretation Guidance

We offered clarity and guidance in interpreting ambiguous NIST 800-171 control requirements. Our experts provided detailed explanations, best practices, and practical implementation strategies for controls that were challenging to understand.

Information System Inventory and Mapping

Cleared Systems helped the federal Contractor by conducting a comprehensive inventory of all information systems involved in processing, storing, or transmitting CUI data. This involved mapping out the interconnections between systems, providing the Contractor with a clear understanding of which systems were covered under NIST 800-171, and guiding them in applying the necessary controls.

NIST SP 800-171 Training

Cleared Systems organized tailored training programs and workshops for the federal Contractor's staff to build in-house expertise. We committed to providing ongoing support and guidance on NIST SP 800-171 requirements and cybersecurity best practices to ensure long-term compliance.

Tailored Incident Response Plan Development

Collaborating with the Contractor, we designed, developed, and tested a tailored incident response plan aligned with NIST 800-171 requirements. Our team also conducted scenario-based training and exercises to ensure that the Contractor's team was well-prepared to handle potential incidents effectively. This proactive approach enhanced the Contractor's incident response preparedness.

Segregation Strategy

Our team offered guidance in creating a clear segregation strategy for covered DOD Information Systems to establish independent CUI enclaves. We helped the Federal Contractor establish distinct security policies, controls, and processes for systems handling CUI data versus ordinary commercial data, ensuring compliance with NIST 800-171 requirements.

Results

Better Position to Achieve CMMC Compliance: The improved security posture, compliance with NIST SP 800-171, and expertise gained through Cleared Systems' assistance put the Federal Contractor in a better position to achieve CMMC 2.0 compliance. This certification is a prerequisite for DoD contracts and largely depends on implementing NIST SP 800-171, and the Federal Contractor is now well-prepared to pursue it.  Enhanced Security Posture: The Federal Contractor achieved a significantly improved security posture. By addressing technology limitations, establishing proper control measures, and implementing incident response plans, they enhanced their ability to protect sensitive CUI data, reducing the risk of data breaches and unauthorized access.  In-House Expertise: By providing training and ongoing support, we helped the Federal Contractor build in-house expertise on NIST SP 800-171 requirements and cybersecurity best practices. This knowledge empowered the Contractor to maintain compliance and security measures independently in the long run, reducing dependence on external expertise.  Efficient Data Management: Implementing automated CUI data classification and management systems streamlined the identification and safeguarding of sensitive data. This reduced errors in data marking and made it easier for the Contractor to meet NIST SP 800-171 controls effectively.  Compliance with NIST SP 800-171: Through Cleared Systems' support, the Federal Contractor achieved compliance with NIST SP 800-171 requirements. This compliance protected the integrity and confidentiality of sensitive data and positioned them favorably for securing DoD contracts.