Are you well-versed in the SSP and POAM, or wondering what they mean? If you or your clients are defense contractors or subcontractors with a federal government contract, the System Security Plan (SSP) and Plan of Actions and Milestones (POAM) may be old hat: the SSP documents how each NIST SP 800-171 requirement is implemented in your environment, and the POAM tracks the requirements that are not yet met, along with the planned remediation and target dates.

If not, be aware that federal government contractors and subcontractors must demonstrate compliance with increasingly complex government mandates. For example, the 60,000 organizations in the US government supply chain must comply with NIST SP 800-171 in order to win and sustain contracts. NIST Special Publication (SP) 800-171 is the standard titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

As threat actors continue to sharpen their skills and their ability to evade detection, government and commercial organizations alike must evolve and improve their cybersecurity defenses. The US federal government has begun auditing contractors to ensure they are ready to protect critical systems and assets.

Recap of NIST 800-171

NIST 800-171 requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI (Controlled Unclassified Information), or that provide security protection for such components. NIST 800-171 groups the security requirements that every contractor and subcontractor handling CUI must meet into these 14 broader sections or “families”:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communication Protection
  14. System and Information Integrity


As always, technology can contribute to compliance, but it must be paired with people and processes to ensure successful implementation and to keep purchased software from becoming “shelfware.” Compliance is also not a set-and-forget effort: continuous monitoring and ongoing security enhancements are needed as threat actors evolve and change their techniques.

Updates to NIST 800-171 for Advanced Persistent Threats

An update to NIST SP 800-171 is in development to document ways to protect critical government programs and high-value assets. NIST plans to issue the update by the end of 2019 to provide additional tools to protect against advanced persistent threats (APTs). According to NIST, an APT is:

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors including, for example, cyber, physical, and deception. These objectives typically include establishing and extending footholds within the IT infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future.  

According to NIST’s Ron Ross, who authored the draft SP 800-171B updates, “We need to provide safeguards and countermeasures that can stand up to these attacks, which we hope will help organizations protect CUI against our most advanced and persistent adversaries.” Note that only a small percentage of government contractors will be required to implement the new requirements. However, Ross points out that most organizations, from small businesses to Fortune 500 companies, have high-value assets; implementing the new 800-171B enhancements improves defenses for government and commercial organizations alike.

Implications for DoD Contractors like MSSPs

Contractors and subcontractors to the Department of Defense (DoD) must make cybersecurity a priority now that the government is factoring compliance into contract awards. CUI must be kept safe and protected. Even more critically, the DoD has begun auditing contractors and larger supply chain partners to verify compliance. Contractors who merely purchased a security tool or system but did not fully implement it, or who cannot sufficiently document their security processes, will find themselves at risk. Non-compliance could result in a stop-work order, impacting revenue, brand reputation, and customer satisfaction.

The DoD also has the authority to terminate contracts and even bar the contractor from working on future projects if the non-compliance is severe enough. Help your clients avoid these penalties by ensuring that they are ready for an audit and meet all 800-171 requirements. Continuous monitoring and ongoing vigilance are necessary to maintain NIST 800-171 compliance.

Accelerate Your NIST 800-171 Compliance

The US federal government is increasing its emphasis on prevention and early detection of cybersecurity threats. The security objective is to minimize the consequences of a potential data breach. All organizations doing business with the federal government should expect these requirements to continue to evolve and intensify.

If you are an existing government contractor or have clients that are, failure to meet these requirements could result in loss of contract under extreme circumstances. If you are not a current government contractor or subcontractor or working with one, educate yourself on the regulations as you assess your capabilities and readiness to participate as part of the non-federal systems supply chain. Continuum Fortify for Network Security, with its pre-built reports that simplify the compliance and audit process, is an optimal path to ensure data security, continuous compliance, and SOC-as-a-Service (SOCaaS) monitoring from a partner who possesses strong federal government expertise.

Want more tips on how to best defend against today's cyber threats? Register for our upcoming webinar, How MSPs Leverage Continuum Fortify to Defend Against Today's Threats, on 7/30!