There are more than 100 information security requirements in NIST 800-171. For small-to-mid-sized manufacturers that want to continue to work with the Department of Defense, there is no way around this - you have to comply.
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is intended for defense contractors and subcontractors and requires these government contractors to comply and consistently implement safeguards for the protection of Controlled Unclassified Information (CUI). CUI includes secure file sharing and information exchange governance, specifically, how you store, access, exchange and govern sensitive (but unclassified) information. NIST 800-171 applies to all non-federal organizations that work with U.S. government systems and data, meaning the requirements outlined below are in no way limited to defense contractors!
If your company makes sub-assemblies that somewhere down the supply chain are used by the U.S. Government, these requirements pertain to your business.
14 Families of Security Requirements Found in NIST 800-171
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personal Security
- Physical Protection
- Risk Assessment
- Security Assessment
- Systems and Communications Protection
- System and Information Integrity
The Critical Requirements in 7 Easy Steps
A variety of security solutions can be implemented to satisfy the security requirements of NIST 800-171. Manufacturers need to understand their operating environment to apply the security requirements that meet their environment. In many cases, small-to-mid-sized manufacturers may not have the necessary IT structure, staffing or resources to satisfy each security requirement. It is in these cases where it is advised to supplement your in-house cybersecurity with an experienced, independent 3rd party cybersecurity company. With over 100 regulations, it’s safe to say that many SMBs have not thoroughly assessed their compliance to NIST 800-171. As a company that frequently conducts security assessment, we’ve summarized the critical requirements into 7 easy steps to compliance:
1. Assess: Conduct a security assessment that examines all systems, environments and information exchange procedures to assess risk
2. Locate: Identify the systems in your network that hold CUI. This includes local storage on physical equipment such as files and servers, cloud storage, endpoints, and portable and temporary devices such as USB, CDs, hard drives and smartphones.
3. Categorize: Classify all files that fall under the definitions of CUI and separate and tag/label them from information that does not qualify.
4. Limit: Implement access controls so only authorized employees can view, download and share files containing CUI. Set expiration dates to files or folders containing CUI to prevent access after a project has been completed.
5. Encrypt: Encrypt all data, whether in transit or in storage. This adds an extra layer of security and control over your data, the systems holding your data, and finally, the systems transmitting your data. Encrypted data both enables compliance and doesn’t hinder authorized users’ ability to share files through common systems like email, cloud, FTP, and more secure file sharing services.
6. Monitor: Know who is accessing CUI and how they’re using it. NIST 800-171 requires contractors to ensure that the actions of individual users can be uniquely traced so they can be held accountable for their actions, whether malicious or not. Strong information exchange governance should be able to not only track activity like who sent what file to whom and when but also be able to identify any anomalies.
7. Educate: Teach employees on the fundamentals of information exchange governance and best practices. Repeat training at scheduled frequencies to ensure the security of information is a priority. Ensure that all employees are aware of the security risks associated with their day-to-day activities involving CUI. Also, be sure they know what decisions they make that could jeopardize CUI.
Managed Security Compliance - Knowing When it's Time
Sedara’s Virtual Chief Information Security Officer (vCISO) offering is one option that SMBs should consider when evaluating how to ensure continual compliance. Our experienced cybersecurity team has been spent hundreds of hours evaluating the documentation from both NIST 800-171 and NIST SP 800-37 Revision 2 and aligning our compliance and vCISO offering to satisfy each regulation.
What makes our offering unique is the appointment of both a vCISO to direct your program and a Virtual Security Engineer (vSE) to execute your program. Both of these seasoned professionals will define the scope of your managed security compliance program and establish IT security policies, standards and best practices that are in accordance with NIST SP 800-171, NIST SP 800-39 Rev 2 methodologies. Along with Sedara’s expertise, you have the value of an independent 3rd party to help monitor your risk and help manage your cybersecurity, which reduces the single point of failure of internal management.
Contact us to learn more about our Cybersecurity and Risk Program Development Services.