How does Unanet help support your NIST SP 800-171 Compliance Goals?
The Unanet team assures our Cloud customers that our Cloud environment will provide the basis for your compliance with the NIST requirements.
Government contractors who store Controlled Unclassified Information (CUI) in non-Federal systems were required by DFARS 252.204-7008 to comply with NIST SP 800-171 by December 31, 2017. Data in a government contractor's project management and accounting system is considered CUI, so the accounting system is subject to the cybersecurity requirements of NIST SP 800-171.
Unanet successfully undergoes annual SOC 2 Plus audits. Our cloud managed services provider is mapping the requirements not only for NIST SP 800-171 but also for NIST SP 800-53 compliance in the case of Controlled Defense Information (CDI) stored in cloud systems.
This page discusses a number of the NIST requirements which relate to:
Cybersecurity Maturity Model Certification (CMMC)
In June 2019, the DoD announced the Cybersecurity Maturity Model Certification (CMMC) which builds on, and formalizes, the requirements of NIST 800-171. The implications of CMMC are significant:
- All DoD Contractors will need to become CMMC certified by passing an independent CMMC audit to verify they have met the appropriate level of cybersecurity for their business.
- The Federal Government will determine the appropriate tier for the contracts they administer, and not all contracts will require the highest levels of security.
- The required CMMC level will be contained in sections L & M of Requests for Proposal, making cybersecurity an "allowable cost" in DoD contracts.
- Audits will be performed by an independent CMMC Third-Party Assessment Organization (C3PAO) that has been accredited by the CMMC Accreditation Body.
The following important milestones have been identified:
- Contractors should determine now where they stand regarding NIST 800-171 controls and the CMMC level they want to achieve in order to be certified by the 2nd quarter of 2020.
- In November 2019, the DoD will release additional drafts of the CMMC levels and their associated NIST 800-171 controls. The DoD will also announce the non-profit that will be in charge of the certification process and will start training independent Certified Third-Party Assessment Organizations to conduct audits on DoD contractor information systems.
- In January 2020, the official CMMC levels and requirements will be released and the certifiers will be available soon thereafter to begin audits. There is likely to be a big backlog since there are approximately 70,000 companies requiring audits in a short time-frame and a very limited supply of certifiers/auditors.
- In June 2020, the CMMC requirements will be in Requests for Information.
- In late 2020, DoD contractors will need to be certified to bid on Requests for Proposal.
Getting prepared for this requirement is important for your company. You may consider hiring a consulting service to assist you on this journey. It is critical for the overall success of keeping and winning new government contracts.
To deliver robust support for individual customers' requirements for multi-factor authenticated access, both to Unanet and to other information systems which contain CUI, Unanet integrates with leading providers of Identity and Access Management (IAM) tools such as OneLogin, Duo and Okta, and with other providers via SAML.
Identification & Authentication Controls
IAM vendors, such as those identified above, include robust capabilities related to login management, password complexity and password reuse that satisfy the relevant NIST Controls.
Prompt Cyber Incident Reporting
Customers using Unanet’s Cloud offering will be notified of any unauthorized intrusion.
The requirements for data encryption are met through the following:
- Use of SSL.
- Availability of the Unanet Cloud platform in a FedRAMP Moderate environment that uses data encryption at rest. Contact your Customer Success Manager for more information.
U.S. Based Hosting
Unanet software is hosted in AWS US East-West, which has been granted a Joint Authorization Board Provisional Authority-To-Operate (JAB P-ATO) and multiple Agency Authorizations (A-ATO) for the FedRAMP Moderate impact level.
U.S. Based Development and Support
All Unanet software is developed, hosted, and supported in the United States, and exclusively by U.S. citizens.
This is in contrast to other industry ERP software developed and supported in countries known to conduct state-sponsored hacking of US organizations.
More guidance on the NIST SP 800-171 requirements is available here, including NIST 800-171A on Assessing Security Requirements for Controlled Unclassified Information, and a CUI SSP Template: