The deadline for meeting NIST 800-171compliance is December 31, 2017. Perhaps you are already on your journey, perhaps you are just starting; regardless, compliance must be met by the end of the year. What does this mean for you? The biggest takeaway is this: you have a limited amount of time to make significant progress to ensure your customer’s compliance. This will likely take a focused team of individuals, and possibly a partner with NIST 800-171 experience. Showing appreciable progress by customers towards compliance will help to assuage the regulators.
If your customers contract for the government, you must implement all of the security requirements and controls outlined in the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171—Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations. If you don’t, you risk losing your contracts, costing your organization millions of dollars in lost revenue:
“…the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. . .” The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017…”
-Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012
What is Controlled Unclassified Information and NIST 800-171?
Controlled Unclassified Information is defined as “information that requires safeguarding or dissemination controls pursuant to and consistent with pursuant to and consistent with law, regulations, and government-wide policies,” as defined by Executive Order 13556. CUI is sensitive information, but isn’t actually classified information. For example, flight schedules and itineraries for a military unit, or information maintained by a company regarding the federal government’s uses of advanced drone technology. It’s a blanket term meant to unify the many names that the different federal agencies have for information that meets the above description (e.g. The Department of Defense calls it “FOUO” (For Official Use Only), Department of State calls it ‘SBU’ (Sensitive but Unclassified), Department of Justice calls it ‘LES’ (Law Enforcement Sensitive), etc.).
NIST SP 800-171 provides security controls for federal agencies to develop business relationship requirements for non-federal organizations that handle CUI. The required SP 800-171 controls include:
- Access Control
- Awareness and Training
- Auditing and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communication Protection
- System and Information Integrity
Your Goal: Building a Strong Security Network
Achieving full compliance with NIST 180-171 typically takes six to nine months. You can start now with assessments, evaluations, testing, and implementation, in order to meet NIST 800-171 compliance in 2018. Achieving compliance will help you establish the fundamental security building blocks for a mature security program in the long run. Your efforts to ensure that your policies, procedures, and security plans are in place will better positioning you for 2018 and beyond.
Getting in compliance shape at any time is no easy feat. Whether your organization needs a risk assessment, help meeting regulatory requirements, or needs complete end-to-end security and network heavy lifting, STN can help.