On January 21, 2019, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment (A&S), published a memorandum that directed the Defense Contract Management Agency (DCMA) to include NIST 800-171 requirements as part of the scope for contractor reviews. This will change the contractor review process to embed cybersecurity reviews as part of the existing Contractor Purchasing System Review (CPSR) process. This is the start of official NIST 800-171 compliance reviews by the U.S. Government.
A CPSR is a review that is supposed to occur when a prime contractor’s annual sales to the U.S. Government are expected to exceed $50M in a 12-month period. A CPSR may be categorized as an Initial, Comprehensive, Follow-up, or Special review. While this review focuses on the prime, the requirements will flow down to subcontractors.
In accordance with DFARS 252.244-7001(c)(1), (17), and (19), a contractor’s purchasing system is required to have an adequate description, including policies, procedures, and purchasing practices, that complies with FAR and DFARS regulations, which now include NIST 800-171 compliance requirements. This review will involve subcontractors, as primes are required to:
- Ensure that all applicable POs and subcontracts contain all flow down clauses, including terms and conditions and any other clauses needed to carry out the requirements of the prime contract;
- Establish and maintain policies and procedures to ensure POs and subcontracts contain mandatory and applicable flow down clauses, as required by the FAR and DFARS, including terms and conditions required by the prime contract and any clauses required to carry out the requirements of the prime contract, including the requirements of DFARS 252.246-7007, Contractor Counterfeit Electronic Part Detection and Avoidance System, if applicable.
A CPSR is conducted in accordance with the CPSR Guidebook, DCMA Instruction 109, the Federal Acquisition Regulation (FAR) subpart 44.3, and the Defense Federal Acquisition Regulation Supplement (DFARS) subpart 244.3.
For primes and subcontractors, ComplianceForge offers a cost-effective solution to NIST 800-171 compliance. There is a wide variety of products to help address all NIST 800-171 compliance needs. You can see this selection of products at www.complianceforge.com and the products are listed below: