NIST SP 800-171 Compliance Solution Northern Virginia, DC, MD
Federal contractors, subcontractors, and service providers in Northern Virginia, DC and Maryland doing business with the Department of Defense face a looming December 2017 deadline to meet NIST SP 800-171 compliance regarding their information systems.
NIST designed that standard to protect from public disclosure all controlled unclassified information (CUI) and DoD Covered Defense Information (CDI) generated by the Federal government. CUI and CDI include any information that law, regulation, or government-wide policy requires be secured through safeguarding or disseminating controls. For DoD purposes, that information encompasses, “[n]ewly created, revised, or previously unmarked unclassified technical documents generated or managed by all DoD-funded research, development, test, and evaluation (RDT&E) programs.” It likewise involves “any recorded information related to experimental, developmental, or engineering works that can be used to define an engineering or manufacturing process or can be used to design, procure, produce, support, maintain, operate, repair, or overhaul program material.” Regarding NIST SP 800-171 compliance, there are several examples of information that fall within scope: research and engineering data, engineering drawings, computer software documentation, data sets, studies and analyses, specifications, standards, and related performance and/or design documents.
Federal Contractors, Subcontractors, and Service Providers
Pursuant to DFARS 252.204-7012, private sector organizations that process, store, or transmit CUI and CDI must implement NIST SP 800-171 by year’s end. This is no small feat. The standard consists of 110 security practices that accord with 14 separate categories of confidentiality-focused security requirements. They cover access control, awareness and training, audit and accountability, configuration management (baselines for security of hardware and software), identification and authentication (of users and devices), incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Adopting controls to successfully satisfy each of these obligations requires significant amounts of time, money, and know-how.
DFARS 252.204-7012 and NIST 800-171
Unfortunately, many small businesses lack all three. One Federal effort to verify an OPM contractor’s compliance with NIST SP 800-171, for example, involved the efforts of 10 employees over a two-week period. It cost the government some $150,000. Current bids from large consulting firms for a NIST SP 800-171 compliance work package typically start at $160,000. While effective security should be everyone’s goal, pursuing traditional compliance approaches such as these is akin to a mom-and-pop enterprise hiring a major accounting firm to do its taxes when all it really needs is TurboTax™. Without a better alternative, small businesses are at serious risk of being shut out of contract opportunities with DoD altogether.
Solvere One ASSET™ Making Compliance Affordable
ASSET™ is the TurboTax™ equivalent for NIST SP 800-171 compliance. It is an affordable, easy-to-use software solution that provides truly automated, continuous, and real-time awareness of an organization’s compliance and security status. It makes NIST SP 800-171 implementation a snap for businesses of every size and specialty at a fraction of the cost. Solvere One experts are highly knowledgeable and well-trained in ASSET™ deployments. They can help small businesses not only rapidly meet their NIST SP 800-171 compliance requirements, but also establish themselves as best-in-class security performers over the long term.