Guest Column | November 14, 2017

MSPs Helping Prepare For NIST 800-171 Compliance Now

By Tyler Hardison, CISSP, Director of Solutions and Innovation, Redhawk Network Security

Will Your Traceability Initiatives Reach Regulatory Compliance?

The deadline for meeting NIST 800-171 compliance is December 31, 2017. Perhaps you are already on your journey, perhaps you are just starting; regardless, compliance must be met by the end of the year. What does this mean for you? The biggest takeaway is this: you have a limited amount of time to make significant progress to ensure your customer’s compliance. This will likely take a focused team of individuals, and possibly a partner with NIST 800-171 experience. Showing appreciable progress by customers towards compliance will help to assuage the regulators.

If your customers contract for the government, you must implement all of the security requirements and controls outlined in the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171—Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations. If you don’t, you risk losing your contracts, costing your organization millions of dollars in lost revenue:  

“…the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. . .” The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017…” 

-Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 

What is Controlled Unclassified Information and NIST 800-171?

Controlled Unclassified Information is defined as “information that requires safeguarding or dissemination controls pursuant to and consistent with pursuant to and consistent with law, regulations, and government-wide policies,” as defined by Executive Order 13556. CUI is sensitive information, but isn’t actually classified information. For example, flight schedules and itineraries for a military unit, or information maintained by a company regarding the federal government’s uses of advanced drone technology. It’s a blanket term meant to unify the many names that the different federal agencies have for information that meets the above description (e.g. The Department of Defense calls it “FOUO” (For Official Use Only), Department of State calls it ‘SBU’ (Sensitive but Unclassified), Department of Justice calls it ‘LES’ (Law Enforcement Sensitive), etc.). 

NIST SP 800-171 provides security controls for federal agencies to develop business relationship requirements for non-federal organizations that handle CUI.  The required SP 800-171 controls include: 

  1. Access Control
  2. Awareness and Training
  3. Auditing and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communication Protection
  14. System and Information Integrity

Your Goal: Building a Strong Security Network

Achieving full compliance with NIST 180-171 typically takes six to nine months. You can start now with assessments, evaluations, testing, and implementation, in order to meet NIST 800-171 compliance in 2018. Achieving compliance will help you establish the fundamental security building blocks for a mature security program in the long run. Your efforts to ensure that your policies, procedures, and security plans are in place will better positioning you for 2018 and beyond.  

Getting in compliance shape at any time is no easy feat.  Whether your organization needs a risk assessment, help meeting regulatory requirements, or needs complete end-to-end security and network heavy lifting, Redhawk Network Security can help.

Read Part 2 Here

About the Author:

Tyler Hardison, CISSP, Director of Solutions and Innovation, Redhawk Network SecurityAs Director of Solutions and Innovation at Redhawk Network Security, Tyler Hardison is responsible for developing solutions for clients with the Solutions Architect team. He is also responsible for leading Redhawk’s innovation and developing new service solutions. Tyler is also responsible for leading the development team on the CyberSecurity Portal. Tyler is a 12-year veteran of technology management in the financial services industry. Rising from helpdesk to become CIO of a $3 billion Credit Union in California, Tyler has been at the forefront of the regulatory changes and the tools necessary to keep up. Tyler has a CISSP and is a PCI Qualified Security Assessor.