This guide on NIST SP 800-171 was developed specifically to help DoD contractors like you understand what NIST SP 800-171 is, how its cybersecurity requirements apply to your company, and the options you have available to become compliant.
What is NIST 800-171
The National Institute of Standards and Technology (NIST) created this publication to establish requirements for properly protecting Controlled Unclassified Information (CUI). It’s referred to as the Defense Federal Acquisition Regulation Supplement, or DFARS.
The primary goal of NIST 800-171 is to protect the confidentiality of this information and to reduce the risk of data breaches that involve CUI. There are three situations that this publication covers:
- When CUI is being stored, accessed, or managed in nonfederal information systems and organizations. For example, if a government agency using a third-party application stores CUI in it, NIST 800-171 requirements apply.
- When a nonfederal system or organization is not collecting, maintaining, or utilizing the CUI.
- When the CUI category does not have any specific regulations, policies, or laws in place to protect confidentiality.
Why NIST 800-171 Compliance is Important in Today’s Cyber Landscape
The federal government is one of the most frequently targeted sectors by cybercriminals. A report by Thales eSecurity found that 71 percent of government agencies have suffered from at least one breach. High-profile attacks, such as the one on the U.S. Office of Personnel Management, exposed the data of 21.5 million people in June 2015.
The rate of data breaches continues to climb among all sectors, with opportunistic criminals taking advantage of poor cybersecurity practices, improper configuration, lack of encryption and other vulnerabilities. While cybersecurity spending has increased, it needs to be allocated to the proper resources to combat the risk of data breaches effectively.
NIST 800-171 supplies clear guidelines on the best practices for protecting CUI in the three most common situations that you’ll encounter. Every government agency and non-government organization that handles CUI can now follow a standardized set of guidelines. This consistency goes a long way towards limiting the risk of a significant breach and protecting the confidentiality of this data.
Why DoD Contractors Need to Comply with NIST 800-171
If you want to keep existing contracts and win new ones as a DoD contractor, then you need to comply with NIST 800-171. As we reported in August 2018, the Pentagon is positioning cybersecurity as one of the important factors it considers during the selection process.
You’ll see an impact on your bottom line if you fall behind other contractors who are following these regulations. The risk of data breaches and exposing CUI is too great not to adopt these practices, especially if you want to continue working DoD contracts.
The Differences Between DFARS and NIST 800-53
NIST 800-53, also known as the Federal Information Security Management Act, or FISMA, may come up in conversations about DFARS requirements. While these two publications are related, their intended audiences are very different.
FISMA is an extensive publication for federal institutions and all the cybersecurity requirements that they need to adhere to. These regulations go beyond CUI to cover every aspect of the systems that they’re using and the policies they have in place.
DFARS goes over the proper protection of CUI for non-government organizations. It has far fewer mandates since it’s only covering that data category, rather than all IT systems and policies in the organization.
As a DoD contractor, you need to comply with NIST 800-171, not NIST 800-53. However, reviewing NIST 800-53 can be helpful in understanding your government agency clients and how they handle cybersecurity measures.
NIST 800-171 Requirements
The requirements in NIST 800-171 are the minimum level that you need to meet in order to come into compliance. If you have security measures that fulfill the regulations and exceed these minimums, then you present a compelling case when you bid on DoD contracts.
The two primary categories that these regulations fall under are “providing adequate security” and “rapidly reporting cybersecurity incidents.” The first category goes over the ways that you safeguard CUI wherever it resides in your internal information systems and prevent any entity from accessing it without authorization. The second category details how quickly you need to inform the DoD and affected parties about a security incident after it occurs. Part of your data breach response involves giving the DoD access to the impacted systems and submitting any malicious software that gets on your systems.
You have 14 cybersecurity areas to cover to adequately comply with DFARS:
- Access control: You need to limit access to CUI so only authorized individuals and devices can view this data.
- Awareness and training: Your staff should have adequate awareness of cybersecurity risks and practices, the training necessary to fulfill security responsibilities appropriate to their role, and the understanding of insider threats and how to identify them.
- Auditing and accountability: The systems that you use should have an audit trail that makes it possible to hold individuals accountable for data access and to know who has accessed CUI.
- Configuration management: Your software and hardware should have configurations that focus on strong security measures. You need to maintain this baseline configuration as new updates and firmware are released.
- Identification and authentication: You need to identify the users, devices and processes that are trying to access your systems and authenticate their identities.
- Incident response: You need an incident response plan that allows you to prepare for incidents, detect any intrusions, analyze what’s going on, contain the problem, bring your systems back up, document what happened and report it to the authorities.
- Maintenance: Your information systems should receive proper maintenance to keep everything up to date and properly protected.
- Media protection: Information system media containing CUI needs proper protection and access control, along with processes in place to sanitize or destroy that media.
- Personnel security: Everyone accessing CUI must go through a screening process. You also need a procedure in place to protect this data whenever someone leaves the company or is fired.
- Physical protection: The physical location of the information systems with CUI needs security to stop unauthorized access from happening on-site.
- Risk assessment: Put a risk assessment procedure in place and routinely use it to understand the risk factors that face your organization when it comes to cybersecurity.
- Security assessment: Evaluate whether your current cybersecurity measures are doing their job or if you need to update them based on the current threat environment.
- System and communications protection: The external and internal boundaries of your information systems need to be properly controlled, monitored and protected, as these are areas of higher risk. Your organizational information systems require designs that are cybersecurity-centric.
- System and information integrity: You need to protect your systems from malicious code, find, report and fix flaws in information systems, and monitor security alerts to take action quickly.
Options for DoD Contractors to Achieve Compliance
DoD Contractors have two options available to become compliant. Which option is best for you depends on the resources available to your company, the size of your organization, and the complexity of its systems.
Option #1 for Compliance: In-house
The first option for NIST 800-171 compliance is doing it in-house with your own IT team. If you want to become compliant on your own, the NIST Handbook 162 gives you a complete self-assessment guide to walk you through the requirements.
The in-house choice works best if you have extensive IT resources already in place with experience in implementing DFARS requirements. These cybersecurity professionals are in high demand, however, so you may not have access to them within your organization.
Another consideration to keep in mind is that DFARS compliance is not a one-and-done process. As the cybersecurity landscape changes and attackers find new ways to access CUI, these regulations will be updated, and you’ll need to be prepared for the changes. Think of compliance as a continuous process rather than a one-time project. You may have the IT resources for the initial implementation, but the ongoing assessment and improvement could prove to be a hardship.
Option #2 for Compliance: Outsource to a NIST 800-171 Consultant
NIST 800-171 does not require that you use an internal IT team for compliance. An expert DFARS consultant can come in and help with any part of the process. You won’t have to dedicate your IT team to keeping up with the requirements, as the expert consultant will know exactly what you need to stay compliant.
Third-party providers have the internal security systems and policies that are necessary for keeping CUI safe. You don’t have to start from scratch when you can use existing solutions for these processes.
One of the most significant advantages of working with a third-party provider for DFARS compliance is having a partner that can handle the reporting, monitoring, and auditing requirements. A data breach is a disaster that already sucks up a lot of your resources, especially if it’s a major incident. You may not have the opportunity to review your systems and find out exactly what went wrong and how to stop it in the future without their help.
The consultant can step in and create a plan that fixes the vulnerabilities, so the attackers won’t be able to have a repeat performance. They also assist with documentation for audits and generate the necessary reports.
When you outsource your compliance needs, your provider goes through a process to help you become and stay compliant. Each provider’s process may differ; ours follows three steps:
- Gap analysis: The third-party provider looks at your existing information systems and security measures. They find any gaps in your CUI protection that could lead to a data breach in the future or a failure to come into compliance.
- Remediation: The consultant creates and implements a plan that remediates these deficiencies and addresses other security issues in your information systems.
- Ongoing monitoring: They keep a close eye on your systems to detect intrusions as early as possible. If you can stop an attacker before they reach any systems that store CUI, then you limit the chances of unauthorized data access.
For more information about how this three-step process would work for your company, please read more about our NIST SP 800-171 Compliance Solution.
What to Do if There’s a Data Breach
Data breaches happen, even in the best-protected systems. While you have no way to guarantee that an intrusion won’t occur, you do need to have a concrete process for how to react if it does.
The most important thing to remember during a data breach is that you’re responsible for rapid reporting so the DoD can take the appropriate action and prevent more attacks. You need to tell the DoD within 72 hours, providing as much documentation and as many samples of malicious software as possible.
The DoD may need access to your information systems where the breach occurred, so have a procedure to fully cooperate with them while they investigate the incident. Depending on the type of information that’s accessed, you may also be responsible for informing other agencies or individuals about the compromised records.
What Are the Penalties for Non-compliance
The penalties for DFARS noncompliance depend on the scope of the data breach, the type of CUI that was accessed, the cybersecurity measures that you have in place, and whether you were negligent in handling IT security.
A few of the consequences include losing your DoD contract, facing a false claims action, being found in breach of contract, being terminated for default or convenience, or even suspension.
SysArc’s NIST SP 800-171 Compliance Offering
At SysArc, we aim to help DoD contractors understand the requirements laid out by NIST and take the proper steps necessary towards protecting the confidentiality of CUI, in order to be eligible for DFARS compliance and remain in good standing with the Department of Defense. Our approach follows our Robust Managed Security Services Plan (MSSP), using our professional team, detailed processes and proven tools to meet compliance needs.
Our Security Operations Center (SOC) team of specialists sets up alerts to monitor potential threats and promptly remediates any that are found. We pay careful attention to detail in targeting weaknesses and implementing best practices so that security measures stay effective against future threats.
A Security Services Plan will be set in place to collect and analyze data, focusing on events that could be the most impactful to your organization. We use threat intelligence tools designed to organize tasks and execute operations in the most productive way.
The tools we use include, but are not limited to:
- Vulnerability Assessments: Determine points of weakness where attackers may infiltrate critical systems and secured data.
- Behavioral Monitoring: Effectively monitors cybersecurity and spots anomalies.
- Intrusion Detection: Identifies known threats and activities at the point of entry.
- Security Information and Event Management: Finds patterns of activity in order to detect cyberattacks and place blocks in accordance with compliance guidelines.
If you are a DoD contractor needing help complying with DFARS, learn more about our NIST 800-171 Compliance Solution and get a free compliance consultation.