We are frequently asked whether there is some form of NIST certification. Businesses of all sizes go through a formal C&A (Certification and Accreditation) process for an array of reasons – DSS, ISO, SOC, etc., to name just a few. As it relates to cyber security, Certification and Accreditation is essentially a two-part process that helps to ensure the security of information systems by measuring and then minimizing risk. Certification is the process of examining, evaluating, and testing security controls that have been pre-determined based on the type of information system. Accreditation is the process of formally accepting the residual risks in the system. It’s simply not possible to remove all risk.
There is a lot of confusion around the C&A process for DFARS 225.204-7012 / NIST 800-171 – rightfully so, because there IS NOT a formal NIST certification (yet). The basic objective of 800-171 is to protect the entire supply chain of the DoD, NASA, and the DoT (Department of Transportation). Because this literally includes tens of thousands of companies ranging from one person shops to massive defense contractors, the framers of the standard knew that it would be nearly impossible to enforce.
What that means is that companies who fall under NIST 800-171 are expected to comply willfully, develop and maintain the required documentation, and be entirely truthful in doing so. In other words, “self-certify” your company. Verbiage addressing NIST 800-171 compliance is already starting to appear on RFPs, RFQs, and contracts – meaning that your options are to actually comply willfully, or commit fraud.
BUT – here is the rub. Most of the companies who need to be NIST 800-171 compliant are sub-contractors, meaning that they contract with other companies and not directly with the federal government itself. Having full knowledge of this, the federal government has tasked the big, multi-billion dollar prime contractors with securing their own supply chain, and ensuring that all of their subs comply with the standard.
So, is the government going to come knocking on your door if you don’t comply? No – but the prime contractors will simply remove your company from their list of approved vendors, which is actually much worse than anything the government might do.
If your company is not yet NIST compliant and you need help, Stronghold Cyber Security can assist with everything from security baselining to full-scope documentation. Uniquely tailored, full-scope NIST compliance packages are available. Contact us at 1-800-378-1187 to set up a consultation, or reach out to us on our Contact Page so that we can get started working together.