How NIST SP 800-171 Impacts Cybersecurity and Cloud-Based Services
  • How NIST SP 800-171 Impacts Cybersecurity and Cloud-Based Services
    How NIST SP 800-171 Impacts Cybersecurity and Cloud-Based Services

    How NIST SP 800-171 Impacts Cybersecurity and Cloud-Based Services


    The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Revision 1, better called NIST SP 800-171, is for contractors and subcontractors of the government. This cyber clause applies to all internal contractor information systems.


    NIST SP 800-171 is best described as a standardized set of requirements for cybersecurity. Divided into 14 different control families with 110 controls, these new regulations are making cybersecurity requirements for government contractors easier to implement and more concise.


    NIST SP 800-171 is designed to protect classified defense information (CDI) in contractor information systems. How will this cyber clause impact cybersecurity and cloud-based services? We uncover what impact these new guidelines will have.


    Step Up Your Cybersecurity


    information systemsNIST SP 800-171 is good news for organizations that already meet most of these security standards, as they’ll have little to do to fully meet the requirements. Some contractors, however, will need to play catch up.

    If you maintain a nonfederal information system, you’re considered a nonfederal organization and are subject to the regulations outlined in this clause. Such organizations may include state and local governments, colleges, and contractors.

    The effect of NIST SP 800-171 on organizations may be significant, especially if your organization fails to implement basic security measures.

    This cyber clause essentially helps organizations to have a standard security plan in place. No matter what size your business is, it’s important to have security measures that are ever-evolving to keep up with the demands and changes of IT. Making this security plan and implementing these changes can help you think about your cybersecurity on a universal level. Through this practice, you can bring many elements of your security plan into one documented place.

    NIST SP 800-171 essentially provides the foundation for your company to get on the required cybersecurity level for all government contractors. If you don’t have adequate security measures currently in place, these new regulations will help advance your security plan.

    Your information assets are important to protect. You should document your systems, their respective operative environments, internal and external boundaries, and descriptions of how security measures are implemented to meet the requirements of the clause.


    Cloud-Based Services Regulations


    cloud serviceCloud-based services need to be in line with Defense Federal Acquisition Regulation Supplement (DFARS) 252.239-7010, which requires that cloud security be in accordance with the Cloud Computing Security Requirements Guide (SRG). All cloud-based data must be stored in the United States unless the contracting officer grants approval otherwise.

    The SRG provides baseline security requirements for cloud service providers (CSPs) that host any type of DoD information. These should be guidelines that CSPs are already using, so the measures outlined in NIST SP 800-171 won’t come as a surprise. These requirements function as a common starting point for both CSPs and other government contractors to ensure everyone is on the same page.

    It’s required that government contractors be in accordance with this cyber clause—whether you host cloud services for the DoD or perform other work on systems that contain CDI—by December 31, 2017.


    The Impact


    NIST SP 800-171NIST SP 800-171 will help strengthen cybersecurity as it forces organizations to take a hard look at their current security measures and implement universal controls. Although CSPs will likely already have these measures in place, many nonfederal organizations lack basic cybersecurity measures and need to improve their security.

    Organizations will come to understand that the basic requirements outlined in the clause don’t make for a concrete security program; rather, that security is changing all the time and organizations will need to constantly adapt to daily threats accordingly. Through the implementation of these regulations, businesses can become more familiar with their cybersecurity practices and work to minimize their risk of a breach.

    It’s the hope that these new regulations will help organizations make this collective first step at implementing these measures and get on board with adequate security, regardless of what their contracting work involving CDI entails.

    Are you a nonfederal organization that’s required to meet these requirements by the December 31 deadline? Don’t get left behind; it’s imperative that you implement these measures as soon as possible. If your organization hosts any DoD information that’s considered CDI, work with security professionals to implement the measures before it’s too late!