Are You Ready for the NIST 800-171 Compliance Marathon?

Jul 27, 2017 | Blog, Uncategorized

What does it take to train for a marathon? Like anything else—with your goal and finish line looming ahead—it takes planning, effort, focus, pacing, and sweat.

What Is the Goal? Get Your Security Foundation in Place

Getting your company in compliance shape for NIST 800-171, with the looming December 31, 2017 deadline enforced by the U.S. Department of Defense (DoD), is much like training for a marathon. If your company or organization contracts for the government, you must implement all of the security requirements and controls outlined in the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171—Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations—by mile marker 12-31-17. If you don’t, you risk losing your contracts, costing your organization millions of dollars in lost revenue:

“…the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. . .” The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017…”

-Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012

Controlled Unclassified Information is defined by Executive Order 13556 as “information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies.” CUI is sensitive information, but it isn’t actually classified information. Examples include flight schedules and itineraries for a military unit, or information maintained by a company regarding the federal government’s uses of advanced drone technology. It’s a blanket term meant to unify the many names that different federal agencies use for information that meets the above description (e.g., the Department of Defense calls it “FOUO” (For Official Use Only), the Department of State calls it “SBU” (Sensitive but Unclassified), the Department of Justice calls it “LES” (Law Enforcement Sensitive), etc.).

NIST SP 800-171 provides the security controls that federal agencies use to set contractual requirements for non-federal organizations that handle CUI. The required SP 800-171 controls include:

  1. Access Control
  2. Awareness and Training
  3. Auditing and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communication Protection
  14. System and Information Integrity

According to Runner’s World, marathoners should run consistent weekly mileage for at least a year before beginning the 15- to 20-week training plan. You have a lot less time than that to achieve full compliance with NIST 800-171—it typically takes six to nine months. Even if you haven’t begun your assessments, evaluations, testing, and implementation, there is still time to make good headway.

December 31, 2017 Is A Checkpoint; Don’t Forget NFO Controls

Achieving compliance with NIST 800-171 by December 31, 2017, is not the finish line. It’s more of a checkpoint for establishing security building blocks for the long run: building a strong security network. Your efforts and sweat are ensuring that your policies, procedures, and security plans—the fundamental building blocks for a mature security program—are in place, better positioning you for the threats of 2018 and beyond.

To help you build your strong security network, make sure you also have your Non-Federal Organization (NFO) controls in place. Back in August 2015, NIST 800-171 listed 62 NFO controls as “expected.” NFO items cover every NIST category from Access Controls to Systems and Information Integrity, as well as a new category, Planning. While you should already have these controls in place, they are not part of the “mandatory minimum” baseline of risk mitigation effort. However, the government expects them to be satisfied as part of your existing security policy. There is no option to accept a certain level of risk in lieu of the minimum security controls.

Going the Extra Mile: Security Due Diligence Will Pay Off

Contractors have to go the extra mile and implement NFO controls in addition to the new NIST 800-171 controls. These NFO controls are expected to be routinely satisfied by nonfederal organizations. The NFO controls affect all 16 of the following categories:

  1. Planning
  2. Acquisition
  3. Configuration Management
  4. Identification and Authentication
  5. Incident Response
  6. Acquisition (SA-8)
  7. Maintenance
  8. Physical Security
  9. Risk Assessment
  10. Security Assessment (CA-2)
  11. Awareness and Training
  12. Contingency Planning
  13. Security Assessment
  14. Physical and Environmental Protection
  15. System and Communication Protection
  16. System and Information Integrity

At this point you may be asking, “OK, but my company deals with federal contracts, not DoD, so does this apply to me?” Great question. Even though DFARS 52.204-21 does not include the NFO requirements, these are “things you should be doing anyway.”

Getting in compliance shape by the end of the year is no easy feat. Neither is building a managed network. December 31, 2017 is a mile marker that will be here sooner than you think. The time to start training is now.
