Applying NIST 800-171 Rev. 1 in a Manufacturing Environment
Are you a U.S. manufacturers who supply products within supply chains for the DOD? If you are it’s likely that you are required to ensure adequate security by implementing NIST SP 800-171 as part ensuring compliance with DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” available at:
Manufacturing environments can pose unique challenges when implementing the 110 controls required by NIST 800-171 Rev. 1 and applying the controls to a production line can be daunting with the risk of business interruption often a click away. To de-risk the implementation of the NIST 800-171 Rev. 1 controls it’s recommended that you start with an assessment of your current operations (people, process, technology) against the NIST 800-171 Rev. 1 requirements. Finding a trusted third party with applicable manufacturing environment experience to execute your assessment can be a great way to jump start your compliance efforts. If you choose to so the assessment in-house one of the best resources, targeted to small manufacturers, is NIST Handbook 162 NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements. Found here:
NIST SP 800-171 Rev. 1 assumes that small manufacturers currently have IT infrastructures in place, and it is not necessary to develop or acquire new systems to handle Controlled Unclassified Information (CUI). Small manufacturers likely have some security measures to protect their information which satisfy some of the 800-171 security requirements. For controls that are not currently satisfied there are many potential security solutions that can be implemented to satisfy the security requirements. There is no single security technology or solution that will meet all requirements. Manufacturers will need to understand their operating environment and apply the security requirements to meet their unique operations which should be reflected in their System Security Plan (SSP). Manufacturers often have unique operational requirements that run counter to some required controls and will have to implement alternative, but equally effective, security measures to satisfy a control requirements.
NIST Handbook 162 was developed by the National Institute of Standards and Technology (NIST) and Manufacturing Extension Partnership (MEP) collaboration committed to strengthening U.S. manufacturing. The Handbook provides a step-by-step guide to assessing a small manufacturer’s information systems against the security requirements in NIST SP 800-171 Rev 1, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” The handbook is intended for use by a small manufacturer and essentially walks manufacturers through conducting a self-assessment answering Yes, No, Partially, Does Not Apply or Alternative Approach to each control.
The Handbook includes an excellent section titled “Using this Handbook to Conduct an Assessment” which details the preparation and expectation setting before, during, and after an assessment. Often this is an overlooked step in the process as the desire to “just get compliant” informs most activities. While understandable, it’s a mistake to set compliance as the only outcome of a your NIST 800-171 Rev. 1 self-assessment. When preparing for your self-assessment take the time to think about educating executives and business stakeholders on the compliance requirements and how you are going to earn their long-term support for this initiative. There is no end state to NIST 800-171 Rev. 1 compliance and you should answer the following questions in soliciting executive support and sponsorship:
Does the business even know about this requirement for doing business with the Department of Defense (DoD)?
They might not. Now is your opportunity to educate them on the long-term implications of the requirements and help them begin to think about building the cost of compliance into the business plan.
Does the business understand the NIST 800-171 Rev. 1 impact on Acquisition? (for a detailed explanation see this blog post: http://www.cybersheath.com/understanding-nist-800-171-impact-acquisition/
At some point, you will need to demonstrate compliance in order to be competitive for future acquisition. Engaging the business now and getting ahead of that inevitability will pay dividends in the future.
How will you measure and communicate your self-assessment and overall compliance to the business?
Don’t make the mistake of only communicating the fact that you are undertaking a self-assessment. This is your opportunity to communicate your long-term approach to managing a NIST 800-171 Rev. 1 compliance program. Take the time to develop a strategy that includes:
- Executing an Annual Assessment
- Documenting your System Security Plan (SSP) and Plans of Action & Milestones (POA&M’s)
- Implementing the required controls
- Maintaining Compliance
Developing this strategy up front presents the opportunity to transform security from” order takers” to a business enabling function, don’t pass that up!
When you are ready to start your self-assessment using NIST Handbook 162 you will find descriptions of each control and importantly practical recommendations on how to assess your compliance with each control. The guidance included suggestions around who to talk to, where to look and what tests to perform when assessing control compliance. The recommendations should help you and your team work your way through each control and ultimately complete a thorough self-assessment.
Achieving NIST SP 800-171 Rev. 1 compliance for a manufacturing business has its own unique challenges, most of which CyberSheath has already solved. If you need help staying competitive with this DoD mandate, contact us at firstname.lastname@example.org.