Operating in compliance with national and international information security and engineering standards.
NetApp holds itself accountable to rigorous physical, logical, process, and management controls throughout its business. For systems processing controlled unclassified information, this is demonstrated through our attestation to compliance with NIST SP 800-171 requirements, which forms the basis of our contractual commitments under the Defense Federal Acquisition Regulation Supplement (DFARS).
The U.S. National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce, establishes standards and guidelines designed to promote industrial competitiveness. This includes the NIST SP 800-171, “Protecting Controlled Unclassified Information In Nonfederal Information Systems and Organizations.” It was created in response to Executive Order 13556 on safeguarding information designated by the government as controlled unclassified information (CUI). The controls set forth in NIST SP 800-171 have since been incorporated into acquisition regulations and are therefore often a direct or indirect requirement for any nonfederal entity that stores, processes, or transmits CUI for the U.S. government.
NetApp maintains information systems that store CUI and is committed to appropriate treatment of CUI by complying with the control requirements of the NIST SP 800-171 on those systems. Since December 2017, NetApp has routinely audited and reviewed the status of its compliance with this regulation. NetApp attests to its compliance with NIST SP 800-171 requirements, and based on that, makes contractual commitments to customers who must meet DFARS requirements. As new technologies and threat vectors are introduced, NetApp proactively monitors their impact and implements appropriate controls to remain compliant.
NetApp maintains an inventory of its information systems that handle CUI to help ensure that the scope of NIST SP 800-171 controls governs all required systems. As business operations and opportunities evolve, we review these systems to determine whether NIST SP 800-171 controls should be re-scoped to ensure the CUI boundary remains under appropriate controls. This may happen as we put new systems in place, and occurs at least annually as part of our scheduled reviews of the CUI boundary.
NIST SP 800-171 and DFARS requirements
NetApp’s compliance with NIST SP 800-171 supports our contractual commitments under DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” This clause requires U.S. Department of Defense (DoD) and Defense Industrial Base contractors who process, store, or transmit covered defense information to provide adequate security of covered information systems, and it recognizes compliance with NIST SP 800-171 as evidence of such security.
The DFARS 252.204-7012 clause is included in NetApp contracts where required to support the DoD. We also maintain contracting processes and policies to help ensure that required flowdowns for compliance are included in subcontracts.
For more information on NetApp’s support of DoD contracts, please contact your NetApp account manager.
Recommended security requirements for protecting the confidentiality of CUI in nonfederal systems used to process, store, and transmit CUI