When evaluating your compliance with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and related clauses, or Federal Acquisition Regulations (FAR) Ruling 52.204-21, it’s important to understand the differences between the various National Institute of Standards and Technology (NIST) publications (https://www.nist.gov/publications). We’ll try to simplify it as much as possible, but if you do business with the government, check your contracts carefully — it’s likely you will need to be able to prove compliance with these cyber standards.
First, NIST SP 800-53 has been around for a number of years. It’s currently on Revision 4. As the title implies (Security and Privacy Controls for Federal Information Systems and Organizations), this publication is intended as a comprehensive guide to securing FEDERAL information systems. If you are a defense contractor trying to comply with acquisition regulations, your internal systems are not federal information systems. Many contractors operate federal information systems on behalf of the government, so in that situation NIST 800-53 may apply. We’ve worked with commercial organizations who did not operate any federal systems but have had 800-53 compliance written into their contracts, so it’s important to read the clauses and understand your responsibilities. NIST SP 800-53 may also apply if you provide or would like to provide cloud services to the Federal Government. In this case, products are evaluated under the FedRAMP program (https://www.fedramp.gov/) using tailored 800-53 controls. NIST 800-53 is a 462-page document, so tailoring, evaluating and validating all the controls is onerous to say the least. Make sure that this is the best choice for your situation and that you know what various contracts require. Older versions of the DFARS clause required compliance with a subset of NIST 800-53 controls; this is no longer acceptable for complying with 252.204-7012.
NIST SP 800-171 was designed specifically for NON-FEDERAL information systems — those in use to support private enterprises. Revisions to the DFARS clause in August 2015 made this publication mandatory for defense contractors who have the DFARS 252.204-7012 clause in any contract. This document is a streamlined version of NIST 800-53. The NIST 800-171 document was recently updated to Revision 1 and includes some provisions that may take time to implement, including two-factor authentication, encryption, and monitoring.
Remember, December 31, 2017 is the deadline for compliance. Don’t wait to begin evaluating and documenting your compliance posture.