What Does the New NIST SP 800-171 Mean for Your Business?
Businesses are rushing to meet the NIST SP 800-171 cybersecurity standards. Industry leaders would be wise to promptly update and gain third-party certification.
The federal government has a vested interest in making sure that the sensitive data housed on its contractors’ networks remains secure. Cybersecurity threats from rival nations, and from hackers looking to profit by selling controlled unclassified information (CUI) to the highest bidder, are on the rise.
To protect CUI that may act as a roadmap to the operations and plans of the U.S. Department of Defense (DoD) and other government bodies, the standardized guidelines laid out in National Institute of Standards and Technology (NIST) Special Publication 800-171 regulate independent contractors that handle such data. The latest Cybersecurity Maturity Model Certification (CMMC) leans heavily on NIST, and many outfits face compliance deadlines. The elephant in the room for companies that rely on profit-driving government contracts is: “What exactly is the NIST SP 800-171 update, and do I need to comply?”
What Does NIST SP 800-171 Involve?
The updated NIST guidelines trace back to the Federal Information Security Management Act passed in 2003. The mandate affecting businesses in 2020 is the latest in a growing line of updates. This set of protocols calls for businesses to meet one of five cybersecurity maturity tiers. Level 1 calls for basic cybersecurity hygiene, while Level 5 requires an outfit to proactively maintain 24/7 oversight. Within those five levels, the NIST SP 800-171 requirements cover 14 regulatory categories (control families) for cybersecurity. These are the following.
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
The stringency of your company’s update will largely be determined by the sensitivity of the CUI you possess and the tier level the federal government expects you to meet. This brings us to the second question: Does your organization need to get certified?
How To Know if You Need to Follow NIST SP 800-171
The latest CMMC edict ranks as Version 0.7. That is a lot of cybersecurity regulatory change for independent contractors to manage, which is why many rely on outsourcing to experts to maintain compliance. But getting down to brass tacks, any small, mid-sized, or large company that is engaged in the DoD supply chain will be expected to meet the standards.
If you derive a benefit from DoD or other federal contracts as a contractor, subcontractor, or even peripheral supplier, you likely need to gain prompt certification. The DoD, for example, has a looming deadline for outfits to achieve their cybersecurity threshold and then obtain third-party certification. That means industry leaders are tasked with a two-step process. Right now, everyone in your industry is rushing to hire managed IT cybersecurity specialists and to schedule a government-approved third party to assess their controls and issue certification. The alternative could mean exclusion from bidding on deals, or from continuing to receive subcontracted work from larger corporations.
How To Meet the NIST SP 800-171 Standards and Get Certified
Although the mandate is clearly necessary to protect national security, to say it is complicated would be quite an understatement. Each of the 14 categories has dozens of specific control requirements. And given that we are now looking at Version 0.7 of the DoD’s CMMC, industry insiders are contracting out their cybersecurity oversight. Strategies routinely include complete outsourcing or staff augmentation to keep pace with the ever-evolving government standards.
National organizations such as the DoD have recently announced that supply chain businesses may be entitled to reimbursement for the expense of compliance and certification. The logical next step for decision-makers is to schedule a cybersecurity consultation to determine your current level of compliance and what needs to be done to secure certification. The alternative is being left behind.