New Interim Rule Requires Defense Contractors to Submit Self-Audit of NIST 800-171 Compliance

Defense contractors will now be required to show proof of their compliance with the cybersecurity standards outlined in the National Institute of Standards and Technology Special Publication 800-171 as part of an interim rule approved by the Office of Information and Regulatory Affairs at the Office of Management and Budget.

Speaking with FCW, a spokesman for the Department of Defense affirmed that the new rule is slated to come out by the end of the calendar year with a delayed effective date.

While the text of the interim rule is yet to be published, its abstract states that contractors must submit self-assessments regarding their implementation of NIST SP 800-171 system security requirements on information systems that process controlled unclassified information, FCW reported.

Contractors are expected to begin complying with the interim rule immediately; their comments on the move will be considered in the development of the final rule.

As explained in the emergency justification of the interim rule, the rule needs to be carried out immediately, ahead of a comment period, since “defense contractors have not fully or consistently implemented the NIST SP 800-171 security requirements on their covered information systems.”

In an interview with FCW, CyberSheath Chief Executive Officer Eric Noonan described the new regulation as a move to call industry’s bluff on cybersecurity.

According to Noonan, a member of the Potomac Officers Club, the DoD’s reliance on self-attestation, which was rarely supplemented by audits, has led to a severely non-compliant supply chain with material weaknesses in some of the most basic aspects of cybersecurity.

For her part, 2020 Wash100 winner Katie Arrington, the chief information security officer for DoD acquisition, wrote in a LinkedIn post that "any statements about the 'interim rule' content are premature." Arrington reasoned that the current self-attestation method is bound to be replaced with DoD audits and will later transition to the CMMC.
