As a Department of Defense (DoD) contractor, NIST compliance is more than just a “nice to have” feature of your business. Your status as a contractor of the federal government is contingent on being wholly compliant.
How does that work and how can you be NIST compliant?
This compliance guide will cover everything you need to know about NIST SP 800-171 compliance, including what it is, its benefits, the NIST cybersecurity framework, and 14 steps you can take today to achieve NIST compliance.
If you have questions about NIST compliance or would like to talk to a cybersecurity expert about your organization's needs, we can help.
Call 763-546-8354 or contact us online for a free consultation.
The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce. The goal of NIST is to help organizations keep their data, information, and critical infrastructure secure from threats by conducting research and providing resources that minimize cybersecurity risk.
It was founded in 1901 as a way to catch up to the measurement infrastructure that Germany and the UK already had. Today, NIST publishes standards that support technologies of every scale, from the nanoscale all the way up to massive skyscrapers.
The term “standards” here refers to a body of recommendations, best practices, compliance requirements, and professional advice covering different parts of a business.
NIST’s scope has expanded well beyond metrology (the science of measurement). It now maintains a widely adopted cybersecurity framework and offers general scientific assistance, business development, and support for early-stage operations.
NIST publishes a list of (generally measurable) standards that are considered best practice for minimizing cybersecurity risk. Service providers can access this list and work to meet each standard. NIST guidelines are mandatory for any business that provides services to the federal government.
Once these guidelines are met, the company is considered “NIST compliant”.
This term refers to whether or not your company is adhering to the general security measures, security policies, security controls, and cybersecurity standards that NIST recommends.
For example, one of the security standards requires you to write a system security plan (SSP) based on a number of baseline parameters. Once written in accordance with the guidelines, your company will be compliant with that standard. After doing the same process for the rest of the standards, you’ll achieve NIST compliance.
For a convenience store, being NIST compliant isn’t really a big deal. They won’t get penalized, and their business will march on. For government agencies, or a contractor firm that has a DoD account and handles sensitive data, it isn’t as casual.
The DoD requires its private sector contractors and subcontractors to comply with the NIST standards. Since they have such a robust list of best practices when it comes to cybersecurity, general security, data security and federal information systems, it’s one way to keep the DoD’s assets safe.
These standards draw on best practices from organizations, publications, and a large body of security documents spanning the last century. As technology advances, the standards are revised, so NIST’s guidance stays current.
Federal agencies have a lot of sensitive information that can’t be shared with national adversaries. A data breach can affect national security. Data protection is a big part of the NIST standards, specifically the NIST cybersecurity framework.
NIST compliance also helps organizations conform to the requirements within the Federal Information Security Management Act (FISMA) and other U.S. government regulations.
This leads to a common question: why is NIST compliance so important for DoD contractors? The answer lies in the major benefits of achieving NIST compliance in the first place.
NIST compliance benefits your operation because it:
As we mentioned, NIST publishes a specific Cybersecurity Framework (NIST CSF). It revolves around risk management, and it is perhaps the most widely used of the NIST publications. It defines five functions for your company’s cybersecurity: identify, protect, detect, respond, and recover.
The first function in the NIST CSF is identify. You need to understand what devices and assets your operation uses and inventory all of them. Laptops, smartphones, personal devices, software, and operation-specific equipment all need to be accounted for.
The protect function covers the safeguards that limit or contain the impact of a potential cybersecurity event. Protecting your assets in advance makes it easier to resume operations after an event.
Your network should be continuously monitored for unusual behavior. This falls under the detect function. Anomalous behavior can signal that an event is underway or imminent, so you can stop it before it does damage.
After an event, you’ll need to respond to it. This means informing the authorities, stakeholders, and employees about what happened. It also means updating your cybersecurity policy to prevent this from happening in the future.
The final category is recovery. This will help your operation bounce back after a cybersecurity event. With good recovery, a cyberattack will have a minimal effect on your business.
For government contractors and subcontractors, the NIST SP 800-171 is something to know. As of December 31, 2016, it was required to keep your federal contract going.
NIST SP 800-171 is designed to safeguard the confidentiality of controlled unclassified information (CUI) within your organization. It lays out a series of procedures and practices you must adhere to when storing, accessing, and processing CUI on your company’s network, as well as non-technical safeguards.
Even though the data is unclassified, it can still pose a huge risk if it gets into the wrong hands. Something as simple as a meeting time, location, and invitee list could do serious damage if an adversary gets the data.
To reach and stay at NIST compliance, many DoD contractors engage a qualified cybersecurity firm to maintain their security program. Ensuring your operation is always compliant is one way to keep your government contracts going.
If you look specifically at NIST 800-171 Rev. 2, you’ll find 14 requirement families that your business will be assessed on. NIST expects you to be compliant in each of them in order to achieve complete NIST compliance and continue your DoD contracts. They are summarized below in order.
Access control: you’ll need to limit who can access different parts of your network. The other piece is ensuring CUI only flows to the places and people that hold the correct authorization.
Awareness and training: the most robust cybersecurity system is still susceptible if employees aren’t aware and properly trained. Owners, managers, admins, and all personnel need to be trained on cyber threats and understand their role in preventing them.
Audit and accountability: routine auditing and accountability protect your business. Collect and review logged user events, and keep a system that generates audit logs you can rely on during investigations and for reporting.
Configuration management: all devices on your network should be configured to meet the security requirements you have in place. Blacklisting, whitelisting, and preventing the installation of nonessential programs are all critical.
Identification and authentication: this family covers knowing who is using your devices and verifying their identity before they gain access. It prevents the wrong person from reaching the wrong place.
Incident response: your response to an incident should follow a written procedure. All incidents should be reported, tracked, documented, and shared with the appropriate authorities.
Maintenance: performing routine maintenance is one way to ensure your policies stay up to date. It also lets you confirm that physical devices and equipment are operational and meet all of your policies.
Media protection: media can be physical or digital. Protecting all of your media is one way of containing your CUI. All printed media should have its classification marked directly on the sheet, even if it’s unclassified. Removable media like USB flash drives should be controlled or banned, depending on the sensitivity of your data.
Personnel security: no individual should be able to access your system without being screened ahead of time. After termination or transfer, personnel should no longer be able to access any CUI they previously had access to.
Physical protection: only authorized users should be able to physically access media onsite. Visitors should be escorted and continuously monitored, especially near physical media storage. Physical access to places like storage closets or server rooms should produce an audit log of who came in and when they left.
Risk assessment: you should periodically perform a risk assessment. Part of the assessment is looking for vulnerabilities in your system and remediating them promptly.
Security assessment: in addition, you should perform security assessments. These evaluate the security controls you have in place, determine how effective they are, and adjust them accordingly.
System and communications protection: communication that happens internally and externally should be monitored, protected, and controlled. Unauthorized and unintended transfers of information should be prevented altogether.
System and information integrity: finally, your business should identify, report, and correct system flaws as soon as possible. When an unauthorized user is spotted, they should be identified and dealt with.
Understanding how to gain and keep NIST compliance is essential for manufacturers in the supply chain, service providers, and any contractor or subcontractor that works with the DoD.
We reviewed what compliance is, what the NIST does, some benefits of gaining compliance, and 14 ways to do so. If you’re like most small businesses, you understand NIST compliance but don’t have the time, money, or resources to build and manage a compliance program in-house.
That’s where cuick trac™ can help.
Our team of NIST compliance experts spent over 4 years engineering cuick trac™, the most robust, done-for-you NIST 800-171 compliance product on the market.
We’ve partnered with the most trusted third-party security providers to build a pre-configured, virtual enclave that provides end-to-end encryption for CUI, a DFARS/NIST 800-171 compliant firewall, multi-factor authentication (MFA) and more features than any of its competitors.
Even better, it’s fully customizable and can be configured in as little as 14 days.
Join us on a quick 30-minute demo to see how cuick trac™ works, and learn if it’s a fit for your organization.
No pushy sales tactics, no email spam, no snake-oil. One of our cuick trac™ product experts will walk you through the features you’re most interested in and answer any questions you have about NIST compliance.