What do you know about NIST 800-171?
A hot topic in US Government contracting today is NIST 800-171. The threat to business operations has never been greater. In 2016 we had the Russian hacking of the Democratic National Committee computers, Presidential Candidate Hillary Clinton using a private server and the alleged Russian hacking of the U.S. Election. Is cybersecurity something you should be resolving now?
History of NIST SP 800-171
Since the Information Technology Management Reform Act of 1996, the U.S. Government has pushed federal agencies to protect computing systems. This act resulted in the development of Federal Information Processing Standards (FIPS) by the National Institute of Standards and Technology (NIST):
FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
FIPS 140-3 Security Requirements for Cryptographic Modules
These standards were applied in the most sensitive U.S. Government agencies by 2001, yet they were not enough. Congress acted again with the E-Government Act of 2002, better known as the Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541). The act was meant to bolster computer and network security within the federal government and affiliated parties (such as government contractors) by mandating yearly audits.
FISMA SAYS FOLLOW FIPS
FIPS 200 Minimum Security Requirements for Federal Information and Information Systems states that the controls a covered entity must follow are those in NIST SP 800-53, an index to controls. It covers 17 security areas grouped under confidentiality, integrity and availability (CIA).
NIST Special Publication 800-53 (NIST SP 800-53) is a publication that recommends security controls for federal information systems and organizations and documents security controls for all federal information systems, except those designed for national security.
No segment has been left unscathed by breaches, attacks, or disruption. Dozens of hospital patient record databases have been breached, multiple Fortune X corporations' customer data has been exposed, and government security clearances have not stopped the hacking. US politics has been turned upside down due to the attacks and public concern. Credit card data has been dispersed and re-used, and private personal identification information is at risk of being reused by criminals.
It is obvious that the pace and intensity of attacks will increase in the future, as virtually every terrorist group, criminal organization, or rogue nation state realizes the enormous profit potential and source of disruption the attacks create. The United States as a whole is woefully unprepared for this level of attack.
CUI – NIST 800-171 Executive Order
President Obama signed Executive Order 13556, Controlled Unclassified Information, on November 4, 2010. This order establishes a government-wide Controlled Unclassified Information (CUI) Program to standardize the way the Executive branch handles unclassified information that requires protection; NIST later translated its requirements for nonfederal systems into the standard known as NIST 800-171.
The federal CUI rule (32 CFR Part 2002) establishes the required controls and markings for CUI government-wide. NIST 800-171 defines the security requirements for protecting CUI in nonfederal information systems and organizations. A Federal Acquisition Regulation (FAR) clause applies the requirements of the federal CUI rule and NIST 800-171 to contractors.
Very few successful attacks on government or corporate targets are the result of technology failure. Most are the result of, or heavily influenced by, 1) failures in compliance with policy and procedure; 2) inadequate or obsolete employee training and monitoring; 3) gaps or holes in policy between multiple security disciplines that leave areas open to exploitation.
The US Government, recognizing that government contracts and contractors manage, maintain, or control the majority of government systems and data, and responding to Executive Order 13556, the Federal Information Security Modernization Act (FISMA) of 2014, 32 CFR Part 2002 (Controlled Unclassified Information), 44 U.S.C. § 3541 et seq., and Public Law (P.L.) 113-283, developed the federal standard NIST 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations".
While this is not a new standard for 2016, the effects of the standard will be felt by every existing or new federal government contract holder. The standard is now being implemented on certain DOD and other US Government contracts as DFARS 252.204-7012. Many government agencies are directing contracting officers to add the standard to all new contracts awarded until it is included by default. This means that US Government contractors now have this requirement, DFARS 252.204-7012, imposed on their operations and are subsequently flowing it down to certain sub-contractors. Many small to medium-sized companies are now grappling with:
“What do I do about DFARS 252.204-7012 compliance?”
A quick read of the standard reveals the massive new requirements and reporting burden that it places on government contract holders, as well as the regulatory and auditing requirements for government agencies awarding contracts. This regulation and the resulting activities on both the contract and contractor side add heavy cybersecurity control elements that few agencies or organizations are prepared to address.
As the threat is immediate and intrinsic to every organization, the driving force behind this regulation, and the will to enforce compliance, is not a fad that will diminish or fade into regulatory oblivion. Every government agency, contract holder, or contract-seeking entity must begin to discuss and plan the best means and methods to rapidly and efficiently adopt best practices in GRC (governance, risk and compliance) to meet NIST SP 800-171. The risk is real, the impact is now, and the cost is felt daily by every citizen.
NIST 800-171 Solutions
CVG Strategy is equipped to help you navigate this new requirement and to help you implement an ISO 27001:2013 Information Security Management System (ISMS) all the way to certification. An ISO 27001 ISMS satisfies the requirements of DFARS 252.204-7012 and NIST 800-171.