By Jason Vivier, CEO, Neuron Security Solutions
Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 mandates that U.S. Department of Defense (DOD) contractors and subcontractors must achieve NIST 800-171 compliance by December 31, 2017. This imminent deadline – intended to protect the government’s controlled unclassified information (CUI) – is presenting both a crisis and an opportunity for DOD subcontractors and security-oriented MSPs alike.
NIST 800-171 comprises 110 technical controls, which reach across an entire organization in terms of its security policies and procedures. The largest DOD contractors – the likes of Lockheed, Raytheon, BAE, and others – have taken this regulatory requirement extremely seriously and are preparing appropriately. However, many (and likely most) DOD subcontractors only began acknowledging their duties under the law in recent months, when they received letters from their contractors asking if they would be compliant by end of year.
The contractors are using those letters for two purposes: first, to get formal statements from subcontractors confirming their compliance (in order to absolve themselves of risk), and second, to determine which suppliers they’ll continue to rely on in the new year once the compliance requirements go into effect. Contractors are now in the process of sorting their current subcontractors into two categories – those that will be compliant and those that won’t – and then figuring out which compliant companies to grant the business that used to go to the non-compliant ones.
All of this makes NIST 800-171 compliance an unmistakably huge opportunity for these subcontractors, who stand to increase their business by making the necessary investments for meeting the regulations. It’s also a clear opportunity for MSPs capable of assisting with this compliance, or willing to acquire the specific wherewithal to do so.
The stakes for subcontractors are sky high, especially those that aren’t truly compliant going into next year. If a breach of government information occurs at an organization, audits, fines and even criminal penalties are likely to follow – and that company is unlikely to last. As unprepared organizations bow out, this regulatory enforcement is bound to create a shortfall in compliant suppliers able to fulfill government contracts. Over time, the totality of these contracts and government dollars involved will go to companies that are compliant – and, in turn, to the MSPs that help them get there.
However, it’s important to understand that providing NIST 800-171 compliance isn’t like other traditional services MSPs provide. It requires specialized technology, but most of all it takes specific involvement with and understanding of each individual client. Applying a cookie-cutter approach in a hands-off manner simply won’t get the job done. On the upside, MSPs capable of overseeing NIST compliance can charge clients over 300% more per protected endpoint, due to the complexity involved and the greater range of services necessary.
A typical MSP might provide network security monitoring, anti-virus protection, cloud backup of essential files, and phone-based technical support. In comparison, NIST 800-171 compliance goes much further and requires device-level encryption, two-factor authentication, employee training, 24/7/365 network security monitoring, compliant cloud and local backup, policy generation, onsite support, technical secure engineering, patch management and testing, and complex network-level configurations. Because NIST 800-171 has such strict controls on any change to a network, the MSP more or less needs to take over IT management for the client and act as an internal resource. When any environmental change or upgrade occurs, it’s necessary to test all updates, patches or new equipment, perform a risk assessment, and assure that the network is secure going forward. To achieve all of this, an MSP needs security managers, engineers, and analysts able to provide these services – certainly justifying the higher price per endpoint. At the same time, the client benefits from this investment because they possess the rare and sought-after compliance that enables their business to thrive, while the MSP earns a more engaged and profitable client relationship.
All that said, delivering on NIST 800-171’s technology requirements is fairly low-hanging fruit for most MSPs. Solutions can be implemented to provide two-factor authentication and similar needs – for example, we use Beachhead Solutions’ SimplySecure for encryption and device-level security because it also offers the ability to remotely quarantine or delete data from compromised devices (thus allowing us to bypass whole sections of the incident response plan and reduce costs to the client in the process).
Arguably the bigger challenge is in managing the policies and procedures, and the ongoing training required to maintain compliance. NIST requires that employees and those tasked with securing the network all receive ongoing security awareness training in line with their given job roles. For our own firm, we’ve found Breach Secure Now! to be a capable platform for managing this training and requiring confirmation that staff members have indeed read the policies designed for them. As an MSP providing NIST 800-171 compliance, it’s a necessity to understand where insider threats may come from: individuals or departments that don’t excel in their training may be good candidates for limited access, etc. Robust training in security policy has an added bonus, as employees with a strong understanding of risk reduce the likelihood that the MSP will need to intervene (helping reduce expenses).
The close familiarity that any MSP must have to properly serve DOD subcontractor clients – continuously testing for compliance after any change within the client’s environment, understanding the personnel, etc. – is doubly advantageous in that it both results in a never-ending supply of work and provides strong incentives for clients to retain the MSP as a long-term partner. In the end, achieving NIST 800-171 compliance doesn’t come down to using a certain piece of software or taking a training class, because it’s not that simple. It covers everything about a network, and requires maintenance and ongoing care. MSPs that have made the investments to truly possess these capabilities will see tremendous dividends, and should expect a lot of calls this December 31.
Jason Vivier is CEO at Neuron Security Solutions, an MSP providing DFARS/NIST compliance and simplified IT support.