Benefits of 800-171 Support in Northern Virginia

When the National Institute of Standards and Technology (NIST) released their special publication (SP) 800-171, they took an important step to prevent security breaches for government contractors.

If you’re a non-federal agency that works with government data, you’re required to comply with the regulations this publication outlines. NIST SP 800-171 applies to Controlled Unclassified Information (CUI), so any devices or systems that house or transfer this information need to maintain compliance.

When you work with an experienced consultant to provide NIST 800-171 support, your business in Northern Virginia benefits. Here’s how.

Federal contractors, subcontractors, and service providers in Northern Virginia, DC and Maryland doing business with the Department of Defense face a looming December 2017 deadline to meet NIST SP 800-171 compliance regarding their information systems.

NIST designed that standard to protect from public disclosure all controlled unclassified information (CUI) and DoD Covered Defense Information (CDI) generated by the Federal government.  CUI and CDI include any information that law, regulation, or government-wide policy requires be secured through safeguarding or disseminating controls.  For DoD purposes, that information encompasses, “[n]ewly created, revised, or previously unmarked unclassified technical documents generated or managed by all DoD-funded research, development, test, and evaluation (RDT&E) programs.”  It likewise involves “any recorded information related to experimental, developmental, or engineering works that can be used to define an engineering or manufacturing process or can be used to design, procure, produce, support, maintain, operate, repair, or overhaul program material.”  Regarding NIST SP 800-171 compliance, there are several examples of information that fall within scope: research and engineering data, engineering drawings, computer software documentation, data sets, studies and analyses, specifications, standards, and related performance and/or design documents.

Federal Contractors, Subcontractors, and Service Providers

Pursuant to DFARS 225.204-7012, private sector organizations that process, store, or transmit CUI and CDI must implement NIST SP 800-171 by year’s end.  This is no small feat.  The standard consists of 110 security practices that accord with 14 separate categories of confidentiality-focused security requirements.  They cover access control, awareness and training, audit and accountability, configuration management (baselines for security of hardware and software), identification and authentication (of users and devices), incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.  Adopting controls to successfully satisfy each of these obligations requires significant amounts of time, money, and know-how.

DFARS 252.204-7012 and NIST 800-171

Unfortunately, many small businesses lack all three.  One Federal effort to verify an OPM contractor’s compliance with NIST SP 800-171, for example, involved the efforts of 10 employees over a two-week period.  It cost the government some $150,000.  Current bids from large consulting firms for a NIST SP 800-171 compliance work package typically start at $160,000.  While effective security should be everyone’s goal, pursuing traditional compliance approach such as these are akin to a mom-and-pop enterprise hiring a major accounting firm to do its taxes when all it really needs is TurboTax.  Without a better alternative, small businesses are at serious risk of being shut out of contract opportunities with DoD altogether.

Solvere One ASSET Making Compliance Affordable

ASSET is the TurboTax equivalent for NIST SP 800-171 compliance.  It is an affordable, easy-to-use software solution that provides truly automated, continuous, and real-time awareness of an organization’s compliance and security status.  It makes NIST SP 800-171 implementation a snap for businesses of every size and specialty at a fraction of the cost.  Solvere One experts are highly knowledgeable and well-trained in ASSET deployments.  They can help small businesses not only rapidly meet their NIST SP 800-151 compliance requirements, but also establish themselves as best-in-class security performers over the long term.

Don’t risk losing your contract! Department of Defense (DoD) contractors that work with Controlled Unclassified Information (CUI) are required to meet the security actions outlined by the National Institute of Standards and Technology (NIST).

NIST’s Special Publication (SP) 800-171 is required for both contractors and subcontractors of the DoD to keep sensitive information safe. Here’s everything you need to know about implementing 800-171 for your networks.

Who Needs to Comply with 800-171?

NIST generated its 800-171 publication for non-federal organizations that house, transmit, or access CUI. This means any systems that contain or handle CUI need to apply the processes detailed in 800-171.

However, any systems that don’t apply these basic security measures have the potential to be at risk. Whether or not you work for the DoD, businesses everywhere can benefit from 800-171 compliance.

Exactly What Information Needs to Be Protected?

NIST 800-171 applies specifically to CUI. Its goal is to minimize vulnerabilities that could compromise data, including network risks as well as actions of employees.

Unfortunately, security breaches for businesses and freelancers alike are common. In many of these cases, it’s difficult to control the damage because the problem is only identified after it’s happened.

By taking advantage of 800-171 support, you have the opportunity to reduce risk and keep your networks and CUI secure.

When Do I Need to Fulfill the Requirements?

The deadline for 800-171 compliance was December 31, 2017. However, if you’ve yet to meet the requirements, you not only jeopardize your contract’s standing, but leave your networks vulnerable to malicious hackers.

Implementing the security measures in NIST’s publication is a long-term investment that will benefit you well into the future. Delaying compliance for your systems becomes riskier as time goes on and cyberattacks continue to evolve, so plan to complete the procedures in 800-171 as soon as possible.

Why Is 800-171 Important?

One of the major benefits of 800-171 support is that it implements fundamental protection that any reputable business that works with sensitive information would have in place.

These procedures—such as controlling access, having a plan in the event of a breach, and properly disposing of CUI—are meant to reduce your risk and protect your organization’s data.

NIST’s publication isn’t just important for contractors of the DoD. Effective security measures are hugely relevant for today’s online businesses. Employing these methods is smart for any company that handles material that isn’t meant to be public knowledge.

How Can I Gain Compliance?

Undertaking the controls detailed in 800-171 can feel overwhelming for organizations that don’t already have at least some of these procedures in place for their networks.

However, executing the controls is designed to provide peace of mind and strengthen your network security. With enhanced protection and best employee practices, you can provide better services.

By working with an experienced IT provider for 800-171 support, you can maintain compliance and keep your contracts and your funding safe. You may also choose to follow NIST’s handbook for evaluating your systems for 800-171 controls to get an idea of the scope of work to be done.

The Benefits of 800-171 Compliance

Don’t overlook the significance of 800-171 and the impact it can have on your business.

Whether you’re a non-federal organization working with the DoD or a small business that handles confidential data, NIST 800-171 compliance can provide long-term security benefits.

By leveraging expertise from an IT partner that’s well-versed in 800-171, you can help prevent a security breach that could have serious consequences for your business and its reputation.

Do you still need a strategy for meeting NIST’s requirements? Don’t delay in making a plan to get in compliance!

The Benefits of 800-171 for Small and Medium Businesses

Having the right security for your small or medium-sized business in Northern Virginia allows you to provide better services and peace of mind to your clients.

Businesses that choose to follow the safety controls in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 are doing more than keeping their eligibility for funding. They’re keeping their information—and their reputation—safe.

Small- and medium-sized organizations that implement security best practices with 800-171 support gain the following advantages that extend beyond merely gaining compliance.

 If you’re a contractor or even a vendor of the Department of Defense (DoD), you’re affected by the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. This is a cyber clause called “Safeguarding Covered Defense Information and Cyber Incident Reporting” which goes into effect on December 31, 2017.

The goal of this cyber clause is to protect covered defense information (CDI), which applies to nearly all potentially sensitive nonpublic information. Based on this clause, you’re required to have adequate security measures in place before the deadline.

Is your business prepared for these upcoming requirements? Here’s what needs to happen before the deadline.

Operating as an IT Service or System for the Government

If you provide IT services or operate as an IT system for the government, any cloud computing services need to be in accordance with cyber clause 252.239-7010, titled “Cloud Computing Services.” If you’re not part of an IT service or system, you’ll still be required to implement security requirements under National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Revision 1, better known as NIST SP 800-171.

This cyber clause, titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”, outlines the requirements that need to be in place by December 31, 2017. If your contract was awarded before October 1, 2017, you need to notify DoD Chief Information Officer (CIO) within 30 days of your contract award of any security requirements that have not been implemented at the time of your award.

 Based on the DFARS cyber clause, any company that has access to or transmits CDI must address their compliance in numerous areas in order to meet the new security objectives.

The Areas That Need to Be Addressed

 If you’re a company directly impacted by DFARS 252.204-7012, your information systems that contain any CDI need to be in compliance with NIST SP 800-171 Revision 1. This cyber clause outlines 14 different areas that need to be assessed in order to meet the mandatory security regulations.

These areas include:

• Access Control. Limit access to CDI to authorized users or devices.
• Awareness and Training. Ensure that users of your information systems are aware of security risks and properly trained to carry out duties.
• Audit and Accountability. Ensure actions of users can be appropriately traced; create audit records to appropriately monitor and investigate information system activity.
• Configuration Management. Apply security configuration settings to the system.
• Identification and Authentication. Identify users and authenticate identity.
• Incident Response. Establish incident-handling protocol.
• Perform maintenance on the system.
• Media Protection. Protect system media containing CDI.
• Personnel Security. Properly screen individuals before allowing access.
• Physical Protection. Limit and monitor physical access.
• Risk Assessment. Assess risk to operations, individuals, and assets as needed.
• Security Assessment. Assess security controls to ensure efficacy.
• System and Communications Protection. Monitor and protect communications at the appropriate boundaries.
• System and Information Integrity. Identify and correct system information flaws; report in a timely manner.

In accordance with this cyber clause, you must also report any cyber security attack that impacts CDI within 72 hours.

What Your Next Steps Are

Unless you’re an IT company, you’ll likely need to work with an IT expert to implement these new security regulations. It’s imperative to determine whether your contract includes CDI as soon as possible so that you know whether or not the requirements affect you.

Once you determine the identified CDI, you can evaluate which steps to take for your compliance measures. To bring your entire system into compliance will be the costliest method, but it may also be the most necessary. In nearly every situation, compliance is going to be costly and will take time, but it’s imperative that you don’t incur the costs of non-compliance.

You can also establish segregated systems and ensure that your information system that contains CDI is compliant with the DFARS cyber clause. You may also choose to adapt your rates to account for the new cost of this compliance.

This cyber clause is intended to address vulnerabilities and reduce the chances of cyber attacks. Don’t risk your contract just because you can’t keep up with compliance demands. Your business can be prepared for the deadline by assessing and implementing security measures now with the help of security professionals!