The deadline for NIST 800-171 (R1) compliance is rapidly approaching (December 31st, 2017) and many people and organizations are still unsure of exactly what is required and who to ask. With so many involved parties, including the DoD, NIST, and prime contractors (Raytheon, Lockheed, Northrop, etc.), you may be getting conflicting answers. One way to look at it is by comparing it to our American legal system.
In many ways, prime Military / Aerospace contractors such as Raytheon and Lockheed Martin are like law enforcement officers. They are tasked with enforcing the laws, but they neither write them nor have the authority to interpret them. While a police officer may be able to tell you that you were breaking the law by driving 25 miles over the speed limit, they did not write the law, nor are they the final word in court as to the punishment for that offense.
In the same way, your customers, whether Raytheon, BAE, or any other company asking for NIST 800-171 compliance, may be able to assist in a general sense with compliance matters, but they do not have the final word.
Similarly, the authors of the NIST regulation can be compared to our lawmakers. They wrote the document and all the controls in it and have many great things to say about its interpretation. However, like the prime contractors, they also do not have the final word.
The Court System
Completing the analogy, the Department of Defense (DoD) is like the court system, namely the judiciary, as they are tasked with the interpretation of NIST 800-171 and do have the final word. In fact, DFARS Clause 252.204-7008 (c) (2) (ii) states “An authorized representative of the DoD CIO will adjudicate offeror requests to vary from NIST 800-171 requirements in writing prior to contract award. Any accepted variance from NIST 800-171 shall be incorporated into the resulting contract.”
How we can help
K2 Solutions maintains close contact and working relationships with all parties involved and can help your company navigate these confusing waters. We are able to help clarify key positions, as well as put you in contact with the people needed to validate compensating controls, approve SSPs, or settle contract disputes with customers.
Find out more about how we aid your company in your bid for compliance.