February 2021
NetApp holds itself accountable to rigorous physical, logical, process, and management controls throughout its business. For systems that are processing controlled unclassified information (CUI), this commitment is demonstrated through our attestation to compliance with NIST SP 800-171 requirements, which forms the basis of our contractual commitments under the Defense Federal Acquisition Regulation Supplement (DFARS).
The U.S. National Institute of Standards and Technology (NIST), a nonregulatory agency of the U.S. Department of Commerce, establishes standards and guidelines designed to promote industrial competitiveness. These standards include NIST SP 800-171, “Protecting Controlled Unclassified Information In Nonfederal Information Systems and Organizations.” NIST SP 800-171 was created in response to Executive Order 13556 on safeguarding information designated by the government as controlled unclassified information (CUI). The controls set forth in NIST SP 800-171 have since been incorporated into acquisition regulations and are therefore often a direct or indirect requirement for any nonfederal entity that stores, processes, or transmits CUI for the U.S. government.
NetApp maintains information systems that store CUI and is committed to appropriate treatment of CUI by complying with the control requirements of the NIST SP 800-171 on those systems. Since December 2017, NetApp has routinely audited and reviewed the status of its compliance with this regulation. NetApp attests to its compliance with NIST SP 800-171 requirements, and based on that compliance makes contractual commitments to customers who must meet DFARS requirements. As new technologies and threat vectors are introduced, NetApp proactively monitors their impact and implements appropriate controls to remain compliant.
NetApp maintains an inventory of its information systems that handle CUI to help ensure that the scope of NIST SP 800-171 controls governs all required systems. As business operations and opportunities evolve, we review these systems to determine whether NIST SP 800-171 controls should be rescoped to ensure that the CUI boundary remains under appropriate controls. This review may happen as we put new systems in place, and it occurs at least annually as part of our scheduled reviews of the CUI boundary.
NetApp’s compliance with NIST SP 800-171 supports our contractual commitments under the DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. This clause requires U.S. Department of Defense (DoD) and Defense Industrial Base contractors who process, store, or transmit covered defense information (CDI) to provide adequate security of covered information systems, and it recognizes compliance with NIST SP 800-171 as evidence of such security.
The DFARS 252.204-7012 clause is included in NetApp contracts where required to support the DoD. We also maintain contracting processes and policies to help ensure that required flowdowns for compliance are included in subcontracts.
For more information on NetApp’s support of DoD contracts, contact your NetApp account manager.
