July 22, 2021
Earlier this year on our social media channels, we posted about the new DFARS rule and the new NIST “Basic Assessment” requirement that the rule includes. In order to reach a perfect “score” of 110, companies vying for a government contract need to meet every requirement outlined in NIST 800-171.
Because NIST 800-171 is so essential for government contractors, we’re putting out a quick overview and refresher on the subject for readers who are unfamiliar with NIST compliance, as well as sources for some of the more recent updates to NIST standards.
What is NIST?
Officially, the National Institute of Standards and Technology is a non-regulatory government agency that develops technology, metrics and standards to drive innovation and economic competitiveness in U.S.-based organizations in the science and technology industry. As part of this effort, NIST produces standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act, or FISMA. NIST also assists those agencies in protecting their information and information systems through cost-effective programs.
Essentially, NIST guidance provides a set of standards for recommended security controls for information systems at federal agencies. These standards are endorsed by the government, and companies comply with NIST standards because they encompass best-practice security controls that apply across a range of industries.
Why comply with NIST?
The short answer is: You have to. Or rather, you have to if you hope to land a contract with the DoD, in which case you should strive for that all-important score of 110 on your NIST scorecard. But more than that, organizations of all types are increasingly subject to data theft and loss — whether the asset is customer information, intellectual property or sensitive company files.
IT is not security, and security is not IT. Information security is about trying to protect information, while IT is about information sharing. You must have IT, and you need security, otherwise you’re only doing half the job. It’s about finding the balance between the two. You need a comprehensive set of standards, methodologies, procedures and processes that align policy, business and technical approaches to address cyber risks and protect both your organization and your customers. That’s where NIST comes in.
What are the latest NIST guidelines?
The original version of SP 800-171 first appeared in 2015 and provided 110 recommended requirements to ensure the confidentiality of Controlled Unclassified Information, or CUI, residing on the computers of contractors and other organizations that interact with the government. CUI includes a wide variety of information types, from individuals’ names and Social Security numbers to critical defense information. The original document, titled Draft NIST Special Publication (SP) 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, now has a new draft companion publication, NIST SP 800-171B, that offers additional recommendations and enhanced controls for CUI in situations where that information runs a higher-than-usual risk of exposure. DoD contractors that are considering implementing the enhanced controls should note that “the enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.”
By adopting the NIST framework, you are taking an incredibly important step toward securing not only your business, but the privacy and trust of all who do business with you. Contact us to ensure your organization is meeting those standards.