Frequently Asked Questions

Question Topics

  1. Importance of Cybersecurity
  2. Deadline for Implementing NIST
  3. Access Control
  4. Awareness and Training
  5. Incident Response
  6. Resources


Importance of Cybersecurity


Q 1.1: Why is cybersecurity important?

A: Today more than ever, the DoD relies on suppliers and external contractors to carry out its missions, and it will share sensitive information with you to help you carry out those missions. If you are not properly safeguarding that data, the old World War Two idiom applies: “loose lips sink ships,” meaning beware of unguarded talk, which today translates to “loose bits sink ships.”


Deadline for implementing NIST SP 800-171


Q 2.1: I’ve been able to avoid dealing with NIST SP 800-171 thus far and I see no urgency, why do I need to do it now?

A: The urgency depends on whether you want a new defense contract that contains covered defense information.  For suppliers seeking new contracts after January 1, 2018, the NIST SP 800-171 controls are required, and the contracting entity will ask you to certify that you meet the requirements or to detail which controls you meet and which ones you don’t yet.

There are 110 controls in NIST SP 800-171 which many find daunting.  However, the fifteen FAR controls have been required since May 16, 2016 and those controls translate to 17 of the 110 in NIST SP 800-171.  Therefore those controls should already be in place.

For the remaining 93 controls, each must be addressed either by compliance or by a Plan of Action and Milestones (POAM) that defines when you will implement it and be in compliance.  Within 30 days of contract award, each supplier must disclose which controls it complies with and which are covered by its POAM.

It is then up to the contracting officer to decide whether they have mitigations they can put in place to address the fact that you’re not meeting some of these, to determine that the risk you represent is acceptable, or to reassess whether they’re going to grant that contract.  You can submit “alternative yet equally effective” controls or state that specific controls are not applicable to the particular contract that you’ve got in place.  However, to do so, you need to understand each of the controls so you can respond.

Note – the 17 controls covered by FAR may not be addressed by the POAM; they must be in place.

Q 2.2: If you are a sub to a prime, is it the prime’s responsibility to comply with the controls and ensure their subs are in compliance or is it up to each individual company regardless if they are prime or sub?

A: Each individual company is separately responsible for compliance with NIST SP 800-171 within its own organization.

A prime, or a sub overseeing another sub, has a responsibility to flow down the requirements. That means they are responsible for identifying any covered defense information in the subcontract being offered and for requesting proof of compliance with NIST SP 800-171 before entering into a subcontract.

Your subs need to report back to you that they have met the 110 controls of NIST SP 800-171 or have a POAM for those not yet implemented, just like you did for the prime.



Access Control

Q 3.1: Are these controls applicable to personal devices that may be used to access internal systems?

A: Yes.  Every device that grants access to CUI (controlled unclassified information) or CDI (covered defense information) must be in compliance with NIST SP 800-171 requirements.  These controls apply to all platforms that could potentially access CUI or CDI.

Q 3.2: Does a VPN totally protect from viruses, threats, etc.? If not, what should companies that use VPN to connect to their government client sites be aware of?

A: No.  These same systems are probably being used to connect to other systems as well.  A virus in one part of the system will affect other parts of the system, even through a VPN.



Awareness and Training

Q 4.1: Is there a recommended period of how often someone should change their password?

A: The typical recommendations are 30 days, 90 days, or 120 days depending on your organizational policies and your particular data.  Really, it should depend on how often your password has to be used.  If you use your password once a year, it doesn’t make sense to change it after each use.  If you use your password 4 times a day, you may want to change it after 30 days.



Incident Response

Q 5.1: Are there strategies for a ticket system, or ways to get incident response done efficiently and effectively?

A: A large part of what you can do is in the preparation phase.  Make sure you’ve got the appropriate audit mechanisms in place so that you can understand the scope of the incident.  If you can appropriately and very quickly narrow down the scope, that will be very effective in reducing the amount of work that you need to do in the response phase.  Additionally, maintain a good baseline system.


Resources

Q 6.1: Please recommend a useful resource for implementing an employee training program on cybersecurity.

A: You can find great materials through SANS.
