NIST 800-171 Compliance for Small Business

Small organizations that are working on military platforms…or hope to in the future…face a difficult challenge.   Late last year, the Department of Defense (DOD) implemented a DFARS clause (204.252-7012) that requires compliance with a cyber security standard called NIST 800-171.

The standard is focused on a specific set of data referred to as Controlled Unclassified Data (CUI).  At a high level this data includes design specifications, product material data, and procedures used to engineer, test, and manufacture both land and air-based military platforms.   It has 110 requirements that include a mix of technical and process controls focused on protecting CUI.   An organization’s inability to comply with the requirements effectively serves as a barrier to entry for working in the industry.  Many proposal solicitations are requiring compliance with the standard as a qualifier for bidding on a project. 

No-Nonsense Approach

So, where do you begin?  For small companies, meeting NIST 800-171 requirements can be especially difficult…but there are a few simple steps that can simplify the process.

1)     Minimize the “footprint” of CUI data.  In other words, try to keep the physical and virtual versions in common storage areas.   Keep it off individual desktops/laptops and on a consolidated server.

2)     Do not use email to exchange CUI data with partners, vendors, or customers.   Utilize secure data exchange frameworks that are available from most tier 1 vendors.

3)     Leverage commercially available templates for process content (policies, incident response plan, awareness training, System Security Plan). 

4)     Have a 3rd party help you with areas of the NIST standard that require clarification.  Most consulting firms are open to answering some questions without charging for a full engagement.   Be honest and tell them that you don’t really need help but had a few questions you were hoping they could answer (but keep it to 1-3 total questions).  

Immediate Action Items

Near term, the most important details to complete are the system security plan (SSP) and plan of action (POA).  The SSP defines scope and approach for compliance while the POA provides a timeline for addressing identified gaps.  Both items were due for completion at the end of 2017.  Online resources like the CSET self-assessment tool can help with identifying compliance gaps and developing the remediation plan.   There are also online templates available for the SSP and POA, which can speed up the process of developing and completing the document.    

Keep in mind that the goal of NIST 800-171 is to protect information that is largely digital so many of the required controls will deal with computer and network technology.   If an organization does not have internal expertise to help sort through the technical details, this part of compliance is where money is best invested with external (consulting) assistance to identify gaps and develop a plan to address them.  

Planned Implementation

Once the SSP and POA are completed, the balance of NIST 800-171 compliance is reliant on following the defined implementation plan.  As the project evolves, any unforeseen obstacles or delays will necessitate updates to the POA.  Stay on top of the schedule and track progress accordingly.  Store all related documentation in a common network folder and when the program is fully implemented, plan on conducting an annual audit, risk assessment, and security assessment.   

By Guest Blogger: Rob Cote of Security Vitals