If your company is a member of the defense industrial base and engaged in business with the DOD, chances are you are already aware of NIST Special Publication 800-171 (NIST 800-171, which outlines the 110 cybersecurity controls necessary to secure contracts. These controls are intended to protect controlled unclassified information (CUI) in non-federal information systems and organizations.
These days the purview of that standard is expanding beyond the DOD to other segments of the federal government like the DOE, the Department of Homeland Security, and the State Department. Given the current trajectory, it appears that over a period of time, implementation of the controls in NIST 800-171 will eventually be mandated in almost all contracts with the federal government. If you want your business to be relevant in this space, it’s critical that you implement these controls.
Benefits of implementing NIST 800-171
As soon as your organization has implemented these controls, you will be stronger from both a compliance and a security perspective. With all the nation threat actors and ransomware attacks that you see in the news, which are costing companies billions of dollars, improved security is a great thing to have in many regards. Complying with this standard helps your business to continue to operate in this space and reduces your threat footprint.
How to get started
Determine where your company is in regard to meeting all the requirements outlined in the standard. NIST 800-171 control assessments are a set of security assessments designed to evaluate the implementation of security controls specified in NIST 800-171.
The assessments are conducted to determine whether the controls are implemented correctly and operating effectively to safeguard CUI against unauthorized access, disclosure, and other security risks. The NIST 800-171 control assessments are typically performed by qualified assessors who use a rigorous methodology to evaluate the security controls and provide a comprehensive report that identifies any weaknesses or deficiencies in the controls. The results of these assessments are used to improve the overall security posture of organizations that handle CUI and to ensure compliance with regulations such as DFARS and FAR.
The requirements in NIST 800-171 are organized into 14 control families with the aforementioned 110 security controls and 320 assessment objectives. These controls include things like access control policies, encryption of data at rest and in transit, malware protection, and incident response planning. Note that all of the security controls have to be implemented—there is no partial credit, the standard must be met in its entirety.
Take advantage of NIST 800-171A
NIST 800-171A is a companion document to NIST 800-171 that provides guidelines for assessing the effectiveness of security controls specified in NIST 800-171. The document provides a standardized approach to conducting security assessments and is intended to ensure that security controls are implemented correctly and operating effectively to safeguard CUI against unauthorized access, disclosure, and other security risks.
It’s about more than cybersecurity—it’s about protecting CUI
Be mindful that implementing these controls changes the culture of your company. For some small companies that previously had no formal policies, it can be a difficult learning curve. It’s not just about having the policies in place, it’s about demonstrating how they are part of your procedures each day. For instance, if you’ve implemented training around properly handling CUI—it’s also asking if employees are following the guidance, like how do they handle CUI when they print it out? Do they mark it? Do they lock it up at night? Learn more about how to handle CUI at our Mastering CUI Boundaries webinar.
Relying on the security operations center and your cybersecurity team and security analysts is useful for catching ransomware, brute force attacks, spoofing, and the like. Also be sure to consider physical breaches.
Wherever you are in your compliance journey, the experts at CyberSheath can help. Contact us to get started.