If you have contracts with the United States Department of Defense (DOD), NASA or GSA, or are a subcontractor to a prime contractor with those contracts, your organization had until December 31, 2017 to implement the security requirements of NIST (National Institute of Standards and Technology) Special Publication 800-171 under DFARS 252.204-7012, or at least to have documented where you stand and how you will close the gaps.
What is NIST 800-171?
If you're in need of a nap, you can read the full NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
If you need to remain awake, here's the short of it... NIST 800-171 is the standard that the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires contractors to implement. Its purpose is to protect Controlled Unclassified Information (CUI) when it is processed, stored or transmitted in non-federal information systems and organizations. CUI is information that is not classified, but that a law, regulation or government-wide policy requires to be safeguarded or controlled in its dissemination; for defense contractors the practical example is technical data and other "covered defense information" that flows down from a contract. NIST 800-171 groups its security requirements into 14 families that specify how your information systems, policies and procedures need to be set up in order to protect this CUI.
The 14 families are as follows:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
While there is no official certification process for NIST 800-171, your organization can achieve and maintain compliance through a combination of internal procedures and contracted IT services. NIST 800-171 itself expects you to keep a System Security Plan (SSP) describing how each requirement is met and a Plan of Action and Milestones (POA&M) for any that are not yet met, and your prime contractor or the DOD can ask to see both. Formal documentation of your ongoing maintenance and audit activities will show your diligence in adhering to the standard.
Why did this come to be?
It all began in 2010 with Executive Order 13556, which established the CUI program and designated the National Archives and Records Administration (NARA) as its Executive Agent; within NARA, the Information Security Oversight Office (ISOO) is responsible for running the program. In April 2013, ISOO issued a memorandum to government agency leads on the management of the CUI program. Then in September 2016, ISOO released CUI Notice 2016-01 outlining the implementation guidance for CUI, and a later notice was issued in June 2017 with recommendations for implementation of the CUI program.
The primary reason is to make sure unclassified but sensitive information is protected consistently when it leaves federal information systems and ends up in contractors' and other non-federal organizations' systems. Basically, all of this was created to raise the baseline of IT security wherever CUI lives.
Who does it affect?
Anyone who processes, stores or transmits CUI for or on behalf of a federal agency is affected. For DFARS 252.204-7012 specifically, this means organizations that contract with the United States Department of Defense (DOD) and any subcontractor to a prime contractor with DOD contracts whose work involves covered defense information (Tier 1 Government Contractors and Tier 2 Government Suppliers alike). The clause requires the prime to flow it down to those subcontractors, so if your business is a supplier to a prime contractor, they likely have, or will, require that you become NIST 800-171 compliant; otherwise they cannot keep passing CUI to you without putting their own contract with the government at risk.
How to become NIST 800-171 compliant?
Perform a focused security assessment where you work through each family and requirement of NIST 800-171 and determine where you are currently compliant and where you need work. This involves interviews with your staff, reviewing network maps and configurations, examining how CUI actually flows through your systems, and similar evidence gathering.
Your assessment should include the following areas: network infrastructure, internet/Wi-Fi access, how employees handle information, group policies, employee behavior regarding information usage and sharing, external penetration testing of your firewall, external media usage, physical access to sensitive systems, and otherwise looking for security weaknesses that do not meet security best practices. Record the result for each requirement as implemented, partially implemented or not implemented; that record becomes your System Security Plan and the starting point for your Plan of Action and Milestones.
You will also need to develop an incident response plan that shows how your company will detect, contain and recover from a cyber attack. Keep in mind that DFARS 252.204-7012 also requires you to report cyber incidents affecting covered defense information to the DOD within 72 hours of discovery and to preserve relevant images and logs, so the plan should say who reports, how, and what evidence is kept. If you don't already have one, this could be a tough step.
BizTech can help you be NIST 800-171 compliant
We will perform a Security Assessment customized and targeted for the NIST 800-171 requirements. BizTech will assess your systems, environment, policies and procedures and provide you with a comprehensive, detailed report to help you become compliant. At the end you will have your NIST 800-171 checklist and supporting documentation to show where you are compliant and what remains.
BizTech follows a structured methodology regarding adherence to NIST compliance. BizTech subscribes to the theory that while detail has its place, an auditor may be more interested in a snapshot representation of past, present and future status. Beyond the System Security Plan and Plan of Action and Milestones that NIST 800-171 itself calls for, the government does not prescribe an exact format for reporting status, so, based on our interpretation of the standard, we approach this process using the following deliverables as our guide:
- Compliance Summary Report - details your current policies & security practices
- Assessment Reports (Pre and Post Remediation) - details the issues or lapses in compliance
- Remediation Detail Report - recommendations to become compliant
- Ongoing Maintenance Worksheet - what you continue to do to remain compliant
- Ongoing Audit and Assurance Worksheet - details your current compliance status & ongoing testing checklist
- Self-Declaration of Conformity - your statement that you are compliant with NIST 800-171 to the best of your ability
Still haven't met the deadline?
Most contractors have at least begun the steps toward compliance. If you haven't yet become compliant, or are still working on it, there is some forgiveness: DOD has indicated that having a System Security Plan and a Plan of Action and Milestones with realistic completion dates for the open requirements demonstrates good-faith implementation. However, the quicker you complete it, the less chance of losing contracts and, if you are a subcontractor, getting dropped as a supplier.
Need help becoming NIST 800-171 compliant?