NetApp maintains information systems that store CUI and is committed to appropriate treatment of CUI by complying with the control requirements of NIST SP 800-171 on those systems. Since December 2017, NetApp has routinely audited and reviewed the status of its compliance with this regulation. NetApp attests to its compliance with NIST SP 800-171 requirements and, based on that compliance, makes contractual commitments to customers who must meet DFARS requirements. As new technologies and threat vectors are introduced, NetApp proactively monitors their impact and implements appropriate controls to remain compliant.
NetApp maintains an inventory of its information systems that handle CUI to help ensure that the scope of NIST SP 800-171 controls governs all required systems. As business operations and opportunities evolve, we review these systems to determine whether NIST SP 800-171 controls should be rescoped to ensure that the CUI boundary remains under appropriate controls. This review may happen as we put new systems in place, and it occurs at least annually as part of our scheduled reviews of the CUI boundary.
NetApp’s compliance with NIST SP 800-171 supports our contractual commitments under DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. This clause requires U.S. Department of Defense (DoD) and Defense Industrial Base contractors who process, store, or transmit covered defense information (CDI) to provide adequate security of covered information systems, and it recognizes compliance with NIST SP 800-171 as evidence of such security.
The DFARS 252.204-7012 clause is included in NetApp contracts where required to support the DoD. We also maintain contracting processes and policies to help ensure that required flowdowns for compliance are included in subcontracts.
For more information on NetApp’s support of DoD contracts, contact your NetApp account manager.