CYBER CORNER: NIST SP 800-171 COMPLIANCE
HOW A SYSTEM SECURITY PLAN AND PLANS OF ACTION SUPPORT DEMONSTRATING NIST SP 800-171 COMPLIANCE
Sep. 20, 2017 -- The latest version of NIST SP 800-171 (R1) includes two controls that can be very helpful for your year-end push to achieve NIST compliance before Dec. 31, 2017.
- Control 3.12.4 requires development, documentation, and periodic updates of a System Security Plan (SSP)
- Control 3.12.2 calls for the development and implementation of Plans of Actions and Milestones (POAM) designed to correct deficiencies and reduce vulnerabilities in organizational systems
Lockheed Martin suppliers who have acknowledged receiving or managing Covered Defense Information (CDI) in performance of subcontracts supporting DoD are required to complete the Exostar NIST SP 800-171 Questionnaire. This set of questions assesses compliance to the IT control requirements outlined in the NIST SP 800-171 standard mandated by Cyber DFARS 252.204-7012.
For each control, response options now include:
- Implemented: Implemented per the NIST 800-171 R1 specification.
- Addressed with System Security Plan (SSP) & Plan Of Actions and Milestones (POAM): You have documented in a SSP & POAM how you will become compliant with the control.
- Approved Exception: You have been given approval by the DOD to: (1) treat this control as not applicable or (2) provide an equally effective alternate control.
- Not Implemented: The control has not been implemented, nor is there any plan to implement it as part of a SSP & POAM.
Upon completion, you will have immediate access to your assessment results. Below are available resources to assist you in completing this action.
- Exostar CSQ and NIST Questionnaire Guide
- Exostar NIST 800-171 Resource Center
- Supply Chain Cybersecurity Podcast and Briefing
For more information on the SSP, POAM, demonstrating NIST compliance and more, you are encouraged to review the U.S. Department of Defense Industry Day (Public Meeting on June 26, 2017) slides and video replay.