Is your company looking to meet NIST 800-171 requirements to grab that big contract? Well, let us help you understand what NIST 800-171 is and how it can help your company gain new contracts.
The NIST 800-171 publication defines the government requirements for the protection of controlled unclassified information, or CUI, in non-federal systems and organizations. In practice, it means the government now requires companies that want to do business with the US government (government contractors) to meet a set of security controls on their corporate network so that they protect sensitive government information.
NIST 800-171 outlines 110 security controls that must be implemented on your computer systems and corporate network before you can bid on government contracts. For folks who don’t know what security controls are: a security control is a countermeasure or safeguard implemented to avoid attacks, or to counteract or minimize security risk to physical property, information systems or other assets. An example would be password requirements. Everyone knows that computer systems can be password protected. But did you know that you can add more security measures to make your password harder to crack? Let’s say your password is 12345, which continues to be the top password used by most users. Because the password is so simple, it takes a few seconds, if not less, for a computer to crack it. One way to avoid this risk is to force your users to set complex passwords, e.g. 12 or more characters, a combination of letters, numbers and symbols, and changing the password on a regular basis. Adding such a control forces users to meet these security requirements, and the resulting password is much harder to crack.
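To make the password-control example concrete, here is an added illustration (not code from the original post) of what a password policy check looks like in code. It enforces the composition rules named above (length, letters, digits, symbols), screens against a short constructed list of common passwords, and estimates the brute-force search space to show why 12345 falls in well under a second. The common-password list and the guess rate of one billion guesses per second are assumptions for illustration only.

```python
import string

# Constructed sample of common passwords for illustration; a real deployment
# would screen against a full breached-password list instead.
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "letmein"}

MIN_LENGTH = 12  # the "12 or more characters" rule from the text


def check_password_policy(password: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("contains no symbols")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


def search_space(password: str) -> int:
    """Size of the keyspace an attacker would have to exhaust, based on the
    character classes actually present in the password."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)  # 32 ASCII symbols
    return charset ** len(password)


def crack_time_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace at an assumed guess rate.
    The default rate is an illustrative assumption, not a measured figure."""
    return search_space(password) / guesses_per_second


if __name__ == "__main__":
    for candidate in ("12345", "Correct-Horse7Battery"):
        print(candidate, check_password_policy(candidate),
              f"{crack_time_seconds(candidate):.3g} s")
```

The checker reports every rule that fails rather than stopping at the first one, so a user (or an auditor reviewing the control) sees the full gap at once. Note that the "change it regularly" part of the rule is an account-lifecycle setting rather than something a checker can test; current NIST guidance in SP 800-63B favours screening against breached-password lists over forced periodic rotation, which is why the screening step is included here.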
Now what is CUI? Controlled unclassified information is a category of information defined by the U.S. federal government. Abbreviated as CUI and often pronounced “kyooie” (rhymes with “phooey”), controlled unclassified information is government-owned data that requires certain security controls to safeguard it from unauthorized access. Basically, it is information that is not classified but could be considered sensitive and could pose a security risk to the government if disclosed to an unauthorized individual.
So how do you prove your compliance to NIST 800-171?
Well, first you need to ensure that your procedures are thoroughly documented. You will also need to monitor and document any changes and updates during the life cycle of the affected computer systems and network devices. There are two documents you can use to prove your compliance. The first is the system security plan, or SSP, and the second is the plan of action and milestones, or POA&M. The SSP is a detailed description of the security controls you have implemented on your network. Each organization will have a different plan because there are multiple ways to meet each security control. For example, a control could be to place a firewall on your network; numerous companies build firewalls, each provides different levels of security, and each must be configured manually. So most companies will have a different configuration and still be compliant.
The POA&M is just what the name states: a plan for your network that details how you will meet any security controls you do not currently have a solution for at the time of the assessment, or any discrepancies that were found during the assessment. The POA&M provides dates as milestones to show when you plan to have your network compliant. The key to security control implementation is not to prevent a data breach but to make your system less of a target, much like an alarm system on a bank. Suppose you have three banks within a mile of each other: one is secured with locks, the next with locks and an alarm, and the third with locks, an alarm and security guards. Which one would criminals most likely target? Cyber defense works in the same manner. Any computer system can be hacked; the key is to make your system more difficult to penetrate.
What is CMMC?
CMMC is a U.S. Department of Defense (DoD) program that applies to Defense Industrial Base (DIB) contractors. It is a unifying standard and new certification model to ensure that DoD contractors properly protect sensitive information.
The U.S. government has provided cybersecurity guidance for contractors for many years, but there was no way for contractors to prove how strong their cyber programs were. CMMC introduces a new set of certifications, conducted by third-party assessors. Contractors must achieve certification before they can win future government contracts.
Hope this gives you a basic understanding of what NIST 800-171 is and how it can help you beat the competition. We will be publishing some tools that will assist you in complying with NIST 800-171.