The Countdown to NIST 800-171 Compliance Has Begun...
By Jarra Gruen, MDS
Does your company do business with the Department of Defense? Do you want that business to continue after 2017?
If you answered yes to both of these questions, you need to know about Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) and its potential impact on your business.
DFARS 252.204-7012 requires covered contractors to implement the security requirements of NIST Special Publication 800-171 (Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations) no later than December 31, 2017. Note that NIST publishes the standard; it is the DFARS clause in your contract that makes it mandatory. The requirements apply to contractors that store, process, or transmit controlled unclassified information (CUI) on their own systems while working with the federal government, including manufacturers, subcontractors, and vendors that supply products and services to federal agencies.
What does this mean for you and your organization?
In practical terms, the Department of Defense (DoD) is telling its contractor community that if you want to continue receiving information DoD deems sensitive, you must assure DoD that your own IT systems can store, process, and transmit that information securely.
Failing to do so after 2017 will preclude you from contracting with DoD.
The good news is that there is still time before the deadline, and MDS is here to give you a critical heads-up on what preparing your organization for NIST 800-171 involves.
A Brief History: Why is NIST 800-171 so Important?
Non-federal organizations that hold federal data (including citizens' higher-education, tax, and healthcare records) are a primary target for attackers. This information is of high value to malicious actors looking either to exfiltrate it directly or to establish a foothold as a jumping-off point toward larger federal agency targets.
Although data in transit must be protected under federal encryption requirements, the larger question is: what controls should be in place to protect the data once it reaches the intended recipient and is stored and processed there?
That is where NIST 800-171 becomes relevant. The standard was written to fill that gap: it specifies how Controlled Unclassified Information (CUI) must be protected on non-federal information systems.
The 14 NIST 800-171 Security Requirement Families:
NIST 800-171 is chiefly concerned with making your organization ready to handle cyber threats that could compromise the CUI you hold.
Its security requirements are organized into 14 families. Each family contains a set of basic and derived requirements that an affected system must meet:
1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Physical Protection
10. Personnel Security
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection
14. System and Information Integrity
NIST 800-171 compliance is a dynamic process…
Your IT systems, as well as government security standards, are always changing. Achieving compliance is only the start; maintaining compliance is an ongoing process.
If you address each of the 14 families outlined in this article and apply their controls consistently, you'll be well on your way to NIST 800-171 compliance. And although becoming compliant initially takes effort, your company's overall security will be improved and streamlined once all 14 families of requirements are in place.
MDS can help you build a comprehensive, compliant NIST 800-171 solution in which sensitive federal data is kept out of the hands of attackers.