5 Steps for 800-171 Compliance in Washington DC
If you do contract work for the Department of Defense and handle Controlled Unclassified Information (CUI) on your own systems, you are required to comply with the National Institute of Standards and Technology's Special Publication 800-171 (NIST SP 800-171).
To achieve 800-171 compliance, you must implement the security requirements the publication specifies for protecting CUI.
The deadline for adhering to 800-171 passed nearly a year ago, so if you have not yet met the requirements, you risk losing your contract or facing legal action.
With 110 requirements spread across fourteen families, where do you begin? The following five steps will help your Washington DC business make a strong start toward compliance.
Identify Where CUI Lives
An essential first step in applying 800-171 is to inventory every system in your environment that stores, processes, or transmits CUI: file shares, email, databases, laptops, backups, and any cloud services that touch it.
Because 800-171 applies specifically to CUI, locating that data first gives you a defined project scope for applying the requirement families, instead of trying to apply all 110 requirements to every system you own.
Separate CUI from Non-Sensitive Data
Once you know where CUI is housed, it is time to organize.
It is good practice to keep CUI separate from non-sensitive information, for example on dedicated file shares, network segments, or accounts.
Keeping CUI and public information as separate as possible makes upholding 800-171 much easier: you do not have to apply the controls to information that does not need them, while the sensitive information is protected consistently.
Keeping CUI separate also gives you tighter control over user access, because the authorized group for a dedicated CUI store is smaller and easier to review than the group with access to a general-purpose share.
Implement Access Controls
Now that your information is categorized, it is time to implement the access controls outlined in 800-171.
Access to CUI should be limited to authorized users, and to the functions those users actually need (requirements 3.1.1 and 3.1.2). Revoke access when it is no longer needed, for example when someone changes role or a project ends, and review the authorized list periodically to catch stale access.
Encrypting CUI at rest and in transit also satisfies several requirements without hindering the people who legitimately work with it, since authorized users still retrieve what they need transparently. Note that 800-171 requires FIPS-validated cryptography wherever encryption is used to protect the confidentiality of CUI (3.13.11), so check that the modules you rely on are validated.
Train Your Employees
One of the requirements for 800-171 compliance is security awareness training for all employees (3.2.1).
Employees should know how their actions affect the security of your DC business's network. One of the biggest security risks to an organization is staff who do not realize that their daily activities affect the safety of the network and its data.
Staff should know security best practices as well as the actions that could put data in jeopardy. Your team should also be able to recognize basic threats such as a phishing email and know how to report one.
Monitor and Assess
Your Washington DC organization should log who accesses CUI and what they do with it, and be able to trace every action back to an individual user (the audit and accountability requirements, 3.3.1 and 3.3.2). Shared or generic accounts defeat this, so access to CUI should go through named accounts.
800-171 also requires that you keep evaluating the security of your systems on an ongoing basis (3.12.1 and 3.12.3). Review the logs regularly: what information was accessed, by whom, and with whom it was shared, and investigate anything outside the authorized set.
By consistently reviewing the measures you have applied, you can confirm that they are still effective and maintain compliance.
Do You Still Need to Gain Compliance?
If you missed the December 31, 2017 deadline to implement all 110 requirements, you still need to comply with the standard or suffer the consequences.
Fortunately, with these steps, you can begin to secure CUI and fulfill your government contracts. Many DC businesses have found that working with an experienced provider can help them gain compliance faster and more comprehensively.
You do not have to sacrifice productivity or accessibility to meet 800-171 requirements. Consider working with IT professionals who have helped other contractors like you secure their data and protect their contracts through 800-171 compliance.