What Is the NIST SP 800-171 Cybersecurity Framework?

July 22, 2019
Manufacturers involved in supply chains tied to government contracts can anticipate awards bringing in additional revenue.

Manufacturers involved in supply chains tied to government contracts can anticipate those awards bringing in additional revenue at levels that might not be possible otherwise. However, being successful in getting and keeping such work means complying with the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS).

FAR is a set of regulations that governs all acquisitions and contracting procedures associated with the U.S. government. DFARS accompanies FAR as an addition. The Department of Defense (DoD) is the administrative body behind DFARS, but the reach of DFARS requirements extends to more than that organization.

NIST SP 800-171 is a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI).  Defense contractors must implement the recommended requirements contained in NIST SP 800-171 to demonstrate their provision of adequate security to protect the covered defense information included in their defense contracts, as required by DFARS clause 252.204-7012. If a manufacturer is part of a DoD, General Services Administration (GSA), NASA or other federal or state agencies’ supply chain, the implementation of the security requirements included in NIST SP 800-171 is a must.

How Do You Implement NIST SP 800-171?

It's understandable for manufacturers to wonder what they should do to implement NIST SP 800-171 and ultimately get in compliance with DFARS, and whether there are specialized resources available to help them achieve that milestone without preventable pitfalls. The first thing they should keep in mind is that being DFARS compliant likely involves working with a cybersecurity consultant that knows the NIST SP 800-171 requirements inside and out.

It's advisable for small manufacturers to look to their state’s Manufacturing Extension Partnership (MEP) Center. Local MEP Centers are part of the MEP National Network™, a larger organization that connects them to NIST, and the representatives at your local MEP Center will have a working knowledge of NIST SP 800-171 and can help companies prepare for DFARS compliance. It can be a short or long process, depending upon the complexities of a company’s operating environment and information systems, but implementing NIST SP 800-171 is a necessary process for a company to protect its information.

What Does a Successful Plan Entail?

Manufacturers that want to retain their DoD, GSA, NASA and other federal and state agency contracts need to have a plan that meets the requirements of NIST SP 800-171. DFARS cybersecurity clause 252.204-7012 went into effect on Dec. 31, 2017, and deals with processing, storing or transmitting CUI that exists on non-federal systems, such as those used by a government contractor.

One of the first steps manufacturers should take is to identify where gaps exist that prevent them from being compliant with DFARS. From that point, they can determine how to proceed. A good place to start is the MEP National Network Cybersecurity Assessment Tool, a quick online self-assessment you can use to evaluate the cyber health of your company.

How Should Manufacturers Start Working Toward Compliance?

The MEP National Network offers dedicated resources for manufacturers that need information about their company’s security posture, resources that can help them understand what getting compliant with DFARS actually means for them. Companies can see whether DFARS compliance applies to them and view infographics that recommend steps to take to make their factory floors more secure.

The MEP National Network also provides a particular resource that manufacturers will undoubtedly refer to again and again: the NIST Self-Assessment Handbook (NIST Handbook 162). It spans more than 150 pages and helps readers assess their facilities to determine how close they are to implementing NIST SP 800-171, and therefore to being DFARS compliant, and where to focus improvements to maximize the impact of each dollar spent on cybersecurity.

For example, the document features content that advises how to go about carrying out assessment tests and which applicable employees to talk to regarding security controls. Manufacturers that read through the handbook will note that each assessment question has an "alternative approach" option. It refers to the fact that manufacturers may find some specifics of the NIST SP 800-171 cybersecurity framework that don't apply to them.

In that case, it's acceptable to use a different but equally effective method of maintaining security — as long as the respective manufacturers notify the correct government authorities about the changes and get approval for them.

Manufacturing plant representatives can also increase their understanding of compliance requirements by watching a webinar that goes through some of the crucial elements of the handbook.

Complexity Shouldn’t Be a Barrier

Manufacturers may initially view the cybersecurity requirements for government contracts as too complicated, especially if they have small operations.

However, using the available resources, including local MEP Centers, can help manufacturers realize that it's possible to get in compliance with DFARS, and stay in compliance, by implementing NIST SP 800-171, and that doing so opens possibilities for receiving financially rewarding and reputation-boosting government contracts.

A local MEP Center is an ideal resource for manufacturers to use as they start to complete a plan that details how to implement the NIST SP 800-171 cybersecurity requirements.

Each MEP Center has access to public and private sector resources that can help companies get into compliance with more confidence. Locations exist in all 50 states and Puerto Rico.

Traci Spencer

Traci Spencer is the Grant Program Manager for TechSolve, Inc., the southwest regional partner of the Ohio MEP. A member of the MEP National Network Cybersecurity Working Group, she recently completed the management of a two-year program that raised awareness and assisted small and medium-sized companies with the integration of Industry 4.0 technologies including cybersecurity, robotics and automation, additive manufacturing, big data/cloud computing, and modeling and simulation.
