How Defense Contractors Can Boost Business with DoD Compliance
For defense contractors and the companies that work with them, compliance with U.S. Department of Defense (DoD) cybersecurity requirements can mean...
6 min read
Karen Kiewski : Mar 10, 2021 10:00:00 AM
Modern businesses have to meet a lot of different regulatory compliance standards—and the specific standards they need to meet may vary depending on their industry and target audience. One compliance standard that many companies need to meet when they work with government agencies, or act as subcontractors to companies that do, is NIST 800-171.
What is NIST 800-171? What does compliance with these standards require from your business? Why should your company worry about NIST 800-171 compliance? How can your managed services provider (MSP) help with compliance requirements?
NIST 800-171 Rev 2 is a standard for “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” published by the National Institute of Standards and Technology (NIST).
This special publication from NIST (which is part of the U.S. Department of Commerce) outlines “recommended security requirements for protecting the confidentiality of CUI” (CUI meaning controlled unclassified information) when it is stored in or processed by a nonfederal system.
Compliance with NIST 800-171 means that the organization is meeting the specific minimum thresholds for protecting data confidentiality that it must satisfy in order to continue processing and storing unclassified data on behalf of a government entity.
Because the primary goal of NIST 800-171 is data confidentiality and not data availability or integrity, the protections it mandates are somewhat different from others like the EU’s General Data Protection Regulation (GDPR) or the USA’s Health Insurance Portability and Accountability Act (HIPAA)—both of which do emphasize ensuring the availability of specific data.
It’s important to note that NIST SP 800-171 Revision 2 does have requirements for system and information integrity. However, they focus more on protection from malicious code.
NIST 800-171 compliance requirements for protecting CUI are divided into fourteen different “families” in the Rev 2 version of the special publication. Each of these fourteen families of security requirements is further divided into “Basic” and “Derived” requirements. The fourteen families of security requirements are: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
So, what does NIST 800-171 mean for your business? Following the regulations can open a lot of doors for companies that want to work with government agencies or with other companies that do so. Being compliant allows companies to work with new potential partners and open up new revenue opportunities.
Additionally, meeting these data confidentiality guidelines can help businesses improve their own data security. This helps to reduce the risk of a data breach—an event that can cost American businesses an average of $8.64 million according to data from an IBM/Ponemon study.
For companies already pursuing government contracts, NIST 800-171 is a vital standard that needs to be maintained. Failing to meet these standards puts businesses at risk of losing lucrative contracts and partnerships.
While meeting NIST regulations may add some expenses to IT operations, the long-term benefits can easily outweigh the costs.
So, where does a managed service provider factor into the compliance equation? Why do you need an MSP that knows NIST 800-171 compliance instead of simply relying on internal resources to get the job done?
Here are a few reasons why you should partner with an MSP who has experience in dealing with NIST 800-171 compliance requirements:
Basically, working with a managed service provider for NIST compliance helps you save time and money while making it easier to meet your company’s compliance requirements.
So, what should you do if you need your business to be NIST 800-171 compliant right away? Here are a few things you can do to get ready:
Here’s a quick list of basic things to check when preparing for NIST 800-171 compliance:
Compliance Standard | Is Our Company Doing This? Yes, No, or Unsure (Y, N, or U)
Limiting System Access to Authorized Users, Processes, and Devices |
Restricting Access to the Types of Transactions Specific Users Are Authorized For |
Ensuring That ALL Users Are Aware of Security Risks and Applicable Policies |
Providing Training to Users so They Can Carry Out Their Assigned Info Security Duties |
Creating and Retaining System Logs Sufficient to Enable Monitoring, Analysis, Investigation, and Reporting of Unauthorized Activity |
Maintaining Logs to Track User Activity Back to Specific Users |
Documenting “Baseline Configurations” to Use as a Basis for Future Builds or Changes to Systems |
Establishing and Enforcing Security Configuration Settings for IT Assets |
Identifying All System Users, Processes, and Devices |
Authenticating/Verifying User, Process, and Device Identities before Granting Access |
Creating and Implementing an Incident Response Plan |
Documenting Security Incidents & Reporting Them |
Performing Frequent System Maintenance |
Preventing Physical Access to IT Assets and Paper Documentation with CUI |
Sanitizing/Destroying IT Assets with CUI before Disposal/Reuse/Resale |
Marking Anything with CUI with Appropriate NARA Marks |
Screening New Employees with a Documented Vetting Process |
Protecting/Monitoring Company Facilities to Prevent Unauthorized Access |
Conducting Risk Assessments and Vulnerability Scans |
Testing Security Controls to Determine Their Effectiveness |
Using Firewalls to Protect Both Internal and External Boundaries |
Identifying, Reporting, and Correcting System and Security Flaws |
Using Basic Antimalware Solutions to Protect Against “Malicious Code” |
Installing Detection Solutions to Identify Potential Security Breaches |