NIST 800-171 Assessment Services
If your company is a US government defense contractor, you are likely already on contract to comply with National Institute of Standards and Technology (NIST) SP 800-171. This information security standard codifies the requirements that any non-federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI) or provide security protection for such systems. There is no certification process for NIST 800-171, so compliance has always been by self-attestation, meaning that each organization conducted its own internal assessment (or paid for one to be performed by a third party) and then signed off on its compliance to the Department of Defense (DoD).
To document implementation of NIST 800-171, the contractor must develop and maintain a System Security Plan (SSP) that describes system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. However, there is more to compliance than just creating documentation. There are a number of technical controls that must be implemented to become fully compliant with NIST 800-171. If implementation of the security requirements is not complete, companies must develop and execute plans of action to describe when and how any unimplemented security requirements will be met.
Ramping up Oversight and Enforcement
Due to the mediocre results of the self-attestation approach, the DoD is ramping up NIST 800-171 compliance enforcement. This is prompting many companies to take a hard look at their current security postures and at what will be needed now and in the near future to participate in new DoD contracts. Contractors who fail to comply with the NIST standard may soon find themselves at a significant competitive disadvantage. And since contractors submit applications for payment that certify they are compliant with the terms of the contract, failure to comply could turn every pay application into a civil False Claims Act violation. Organizations implementing NIST 800-171 from scratch should plan for at least six months to become compliant. Writing policies, integrating and deploying multiple solutions, and making the necessary culture changes are all efforts that take time.
An External Assessment Can Help
NIST 800-171 compliance has been a requirement for all DoD contractors processing CUI since 2017, but that doesn’t mean they follow it or even understand it. For smaller companies with limited bandwidth, it may be in your best interest to have a professional compliance organization perform your assessment and provide a gap analysis. An external assessment of your current cybersecurity posture can help you understand which of your security practices are already in good shape and which need more work and attention from an implementation perspective. Assessments typically start with data discovery, including technical scans, policy reviews, personnel interviews, and other inputs. Each security control is then validated to determine the effectiveness of its implementation. The resulting gap analysis will facilitate your organization’s development of a remediation plan, which provides a roadmap to compliance.
Whether you are starting from scratch or perhaps just need an external assessment to validate your most recent internal audit, we have the expertise to help. For additional information on our information security assessment and advisory services, including NIST 800-171 guidance, schedule a free discovery call today.