Cybersecurity is on top of many minds these days, as it should be. There have been so many cyber intrusions that it seems fruitless to list any at all. Intrusions, or hacking, affect organizations big and small, but there are things those businesses can do to address the reasons the intrusions succeed. Luckily, the federal government has started requiring cybersecurity standards of its own agencies and of its contractors and subcontractors. For contractors this comes in the form of National Institute of Standards and Technology (NIST) Special Publication 800-171 compliance, which is derived from Special Publication 800-53, the catalog of controls federal agencies themselves must follow and a mere 400+ pages long. Maybe "luckily" isn't the right word, but 800-171 boils down to "good practice" controls that businesses and government should have had in place all along. Time and time again we see that they have not been. Compliance is usually a real pain to deal with, but in the case of NIST 800-171 the requirements are pretty close to what actually needs to be done to keep data safe.
How did we get here?
Originally, contractors and subcontractors were to be compliant by the end of 2016. After much caterwauling by contractors, the federal government extended the deadline to December 31st, 2017 (the end of this year). To tell you the truth, they probably had a reason to "caterwaul". There was not a lot of good guidance on what exactly needed to be done. There is more now, but you must dig to figure out what to do, and most of these businesses don't have the in-house technical expertise to take care of it. These are the small businesses that make up America and provide most of the jobs to Americans. Now they must put on yet one more hat and become tech experts, or contact someone to help them become compliant.
It all boils down to CUI! Yes, CUI. CUI is Controlled Unclassified Information: information that is not classified, but that the government still requires its contractors to protect and keep out of the hands of our enemies, and our friends. Protecting it means having written policies in place, security controls at many levels (access control, authentication, configuration management, and so on), logging and audit trails, and all the other things that help keep information safe. Then you need to be able to show the government, through a system security plan and a plan of action for anything not yet in place, that you actually have it. You must also have a plan to respond to cybersecurity incidents and to report them.
Emphasis on Cybersecurity, YAY!
Good for the Federal government on requiring actual security! But as always, they don't make anything easy. Then again, it really can't be easy. There are so many contractors and subcontractors, in so many different lines of work, that one size does not fit all. That is one of the reasons any compliance regime, be it HIPAA, PCI, SOX, or NIST 800-171, takes some "decoding" and someone who understands how to interpret the standard and implement it in your particular environment.
Should you need any help with NIST 800-171 compliance, drop us a line using the contact form below.