Understanding NIST SP 800-171 Compliance


If your organization does business with the Department of Defense (DoD) and its information systems process, store, or transmit covered defense information (CDI), the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires you to meet the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, commonly referred to as NIST SP 800-171.

The increasing complexity and frequency of cybersecurity threats remain a top concern for businesses of all industries and sizes. The DoD has taken its security measures a step further and now requires its contractors and subcontractors that handle CDI to implement the security requirements outlined in NIST SP 800-171.

So what exactly does NIST SP 800-171 compliance entail? Below we outline what is required of your organization to continue working with the DoD and uphold your current contracts.


Minimum Security Requirements


Many professionals in the IT field regard the requirements in NIST SP 800-171 as a minimum baseline. They are designed to get all contractors that work for the DoD on the same page when it comes to IT security.

The requirements include basic measures, ranging from establishing procedures for handling security incidents to screening individuals before they are granted access to any type of covered defense information (CDI).

Depending on your organization and your field of expertise, you may already have many of these controls in place. Some businesses may already be largely in NIST SP 800-171 compliance, while others may need to work much harder to meet the requirements.

The Controls to Address


In order to be in NIST SP 800-171 compliance, you must implement all 14 control families and their 110 specific requirements by the December 31, 2017 deadline or by the date specified by your Contracting Officer.

This means addressing the 14 control families outlined in Chapter Three of NIST SP 800-171 and maintaining a system security plan that describes how each requirement is met, together with a plan of action for any requirements not yet implemented, so that you can produce them if your Contracting Officer asks you to detail your security practices.

Some of these control families include access control, awareness and training, configuration management, incident response, maintenance, physical protection, and risk assessment. Separately from the NIST requirements, the DFARS clause also requires you to report any cyber incident that affects CDI to the DoD within 72 hours of discovery.

Many of these controls cover essentials, such as assessing the risk to your current systems, providing security awareness training to everyone who uses those systems (including contractors and subcontractors), and performing regular system maintenance.

Addressing these controls in order to achieve and maintain compliance is often easier with the help of IT security professionals familiar with NIST SP 800-171. An in-house IT team may or may not have the capacity to ensure compliance on its own.

Your Responsibility to Ensure Compliance


It is your responsibility to ensure NIST SP 800-171 compliance, and you must be able to show the DoD that you have met these requirements. Unless your DoD contract is only a small segment of your work, consider implementing these security measures across your entire business to help prevent costly breaches and downtime.

Remember that if compliance is not met, you risk having payment withheld or your contract suspended or terminated. Once you have met these requirements, you will need to continue to uphold them for as long as you work with the DoD, both to protect CDI and to protect your own business.

Are You in Compliance?


If you have met the controls and specifics outlined by NIST SP 800-171, you can continue your work with the DoD with little to worry about. If you have not met these controls yet, you risk your DoD contract and termination of your work. Working with IT security professionals can help you gain compliance as soon as possible and ensure that security remains a priority at your business.
