
Small Defense Contractors: Get Ready to Meet New NIST Standards


Just about all defense contractors are smaller organizations than the U.S. Department of Defense, and very few are well versed in the often obscure terms and acronyms it uses.

At the same time, all defense contractors must be compliant with National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) by Dec. 31, 2017. The publication describes what they must do to protect covered defense information (CDI) and controlled unclassified information (CUI) that may pass through their IT systems as a result of the activities they conduct in support of the various DoD departments and agencies.

Few civilian organizations are as prepared as they should be at this point for the level of specificity and the compliance requirements that military agencies see as standard. NIST SP 800-171 helps these organizations comply so that they aren’t prevented from doing business with the military.

It maximizes the protection afforded to CDI and CUI to prevent it from falling into the wrong hands.

Here are a few key ways in which defense contractors, especially smaller defense contractors, can properly prepare themselves to achieve full compliance with NIST SP 800-171, a 76-page document that can be accessed on NIST’s website.


Small Defense Contractors – How to Approach Meeting NIST SP 800-171 Requirements

Defense contractors who achieved compliance with the 2013 Safeguarding of Unclassified Controlled Technical Information DFARS clause might approach meeting the requirements of NIST SP 800-171 by making simple policy and/or process changes or by adjusting the configuration of existing IT. NIST SP 800-171 was written using performance-based requirements that do not require acquisition of additional IT hardware or software, but rather policy and procedural changes.

The FAQ states, “Most requirements in NIST SP 800-171 are about policy, process, and configuring IT securely, while others require security-related software (such as anti-virus) or additional hardware (e.g., firewall).”

It is also important to remain focused on the core purpose of the publication, which is to ensure constant, proper protection of CDI and CUI whenever it is processed, stored, or transmitted through any of the contractor’s internal IT systems. Systems that do not participate in processing, storing, or transmitting CDI or CUI do not have to meet any requirements.

You may already have control or protective measures in place that exceed the NIST requirement, providing equal or better protection to CDI and CUI. If you feel this is the case, you have the right to submit an explanation to show that your alternative protection is appropriate, effective, and fit for purpose.


Small defense contractors who are new to these requirements should begin by thoroughly examining the policy and process changes indicated, especially those that involve IT. Ensure that all IT configurations conform to the standards described. Ensure that all policies and procedures involved in securing data and networks meet or exceed the standards.

As you determine the changes that will be required to IT systems, carefully decide which should be assigned to external expert resources to ensure complete compliance.

Finally, document your strategy in a detailed, written plan of action with milestones for achievement. This will be useful in any situation where a lapse in compliance may be suggested.

A Potential Short-Cut to Compliance

Just as cloud services have reduced workload and expense for many companies, small defense contractors may find they can effectively outsource much of their compliance burden by using a cloud service that meets security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP) moderate baseline for the storage, processing, and transmission of CDI and CUI.


It is important to specify this requirement in your contract with a compliant cloud service.

Should you choose to take this route, remember that there are still segments of your own network which may play a part in the storage, processing, or transmission of CDI and CUI to and from the FedRAMP-compliant cloud service, and these must meet or exceed the requirements, too.

The last thing to remember, whether you choose to use a cloud service or not, is that your organization still owns responsibility for protecting the covered information at all times. You must ensure that your cloud provider adheres to the requirements as stated, and you must ensure that your own systems meet or exceed the requirements at all times.

Originally Posted in Fifth Domain Cyber.

George Wrenn is founder and CEO of CyberSaint Security and was formerly chief security officer at Schneider Electric. He has more than 20 years of experience in the field of cybersecurity and is a Research Affiliate in Management Science at the MIT Sloan School of Management.
