If you work for a company that deals with government agencies, you may have heard of the NIST, or The National Institute of Standards and Technology. The NIST has its own unique set of standards with which certain companies and organizations must comply.
These cybersecurity guidelines, implemented by the U.S. Department of Defense (DoD) under the Defense Federal Acquisition Regulation Supplement (DFARS), are a point of stress for many organizations, and rightfully so. In fact, ensuring compliance with current NIST standards is among the top priorities for a number of industries in the tech game today, including universities, consulting companies, research institutions, manufacturers, and others. If you work within one of these industries and are contracted in any capacity by the DoD, you would do well to familiarize yourself with the most recent NIST standards to ensure you are safe from the consequences of failure to comply.
What Do You Need to Know About NIST Guidelines?
Over time, the NIST has worked to require additional standards for the processing, storing, and transmission of defense information. The new guidelines seek to promote the protection of “Controlled Unclassified Information,” or CUI, which is defined as government information that, while unclassified, still requires safeguarding. Therefore, the NIST has put into place a specific set of processes, listed in NIST Special Publication 800-171, to ensure government information is protected at all times.
If your company has plans to work with the DoD in the future, you’ll need to take the required steps to ensure you meet the guidelines of the NIST 800-171 mandate. Sections 3.1 through 3.14 of the guidelines contain 109 requirements that companies must meet to comply, though it may have proved difficult for many to meet all 109 by the December 31, 2017 deadline. To address this, the Federal Government typically expects companies to come up with a game plan to earn compliance within a reasonable time frame. Failure to comply may result in your company’s removal from the approved vendors’ list.
There are a few questions you may ask yourself if you’re concerned about whether or not your organization is subject to NIST standards. Simply put, if your company currently holds a United States federal contract, or is currently listed as a supplier on a United States federal contract, you likely must answer to the NIST.
Here are a few additional questions that may serve as an indicator of whether or not your company should be concerned about compliance:
- Is your company’s access to CUI contained and reliably isolated?
- Is the CUI controlled? Things like the CUI’s physical location, network, authentication factors, and infrastructure all come into play when ensuring the CUI is accessible only to authorized parties.
- Does the site have substantial information technology practices?
- Are backups being maintained?
- Has credible antivirus software been installed?
These are the types of practices subject to the NIST’s guidelines.
What Are Some Common NIST Compliance Myths?
While NIST compliance is vital in a variety of different industries, there are some myths circulating that may make it difficult to know for sure whether compliance has been met. Here are some of the most common myths regarding NIST Compliance:
NIST Compliance Is Too Expensive.
There may be costs associated with becoming NIST compliant, but that doesn’t mean doing so has to cost a fortune. You may not require the help of a large consulting company. Make sure to do your due diligence before committing.
My Company Is Too Small To Worry About NIST Compliance.
Companies of all sizes may be subject to NIST compliance. These guidelines don’t just apply to direct manufacturers, but also any subcontractor currently selling to one of the government’s suppliers. Although your company may not depend on business with the DoD, you may not want to rule yourself out down the line. This is what makes NIST compliance so important for businesses both big and small.
There’s Not Enough Time For Us To Become NIST Compliant.
While there are consequences to not meeting compliance by the aforementioned deadline, it’s still not too late to strive for compliance.
What Steps Can My Business Take To Prepare for DFARS Compliance?
To meet the requirements set forth by DFARS, you’ll need to follow a few steps:
Create A Security Controls Traceability Matrix
If you’re hoping to demonstrate compliance, you’ll need to do it across the system and identify areas of weakness. It’s important to identify every component within your unique system that may be subject to guidelines. Each of these should be mapped out using a simple matrix to ensure accountability.
Pinpoint The Gaps
Your matrix should provide a valuable glimpse into where gaps in compliance may lie. Once you have it, it’s time to investigate where in the system each of these gaps occurs and which components are affected.
Visualize And Execute Your Game Plan
Once you’ve determined the gaps, you should develop a strong gap remediation plan that will explore how and when each gap will be fixed and what types of resources you’ll need to achieve this, then put your plan into play. Be sure to document how the gaps have been addressed, as well as be prepared to present data as evidence of your compliance.