Are you ready to report your NIST 800-171 compliance status by the end of the year?
As more breaches occur every day, the government is working harder to secure its information systems from possible compromise. Over 10,000 U.S. government contractors will need to comply with SP NIST 800-171 by the end of this year, according to estimates by the Department of Defense (DOD).
The impact of NIST 800-171 will be far-reaching, and if you do business with the federal government, now is the time to start implementing your compliance plan. If you’re not sure how to get started, we recently hosted a webinar on exactly that. Click “play” below to watch, or keep reading for a summary of what we discussed.
What is NIST 800-171? [5:05]
The National Institute of Standards and Technology (NIST) issued Special Publication 800-171 to protect controlled unclassified information (CUI) in nonfederal systems. CUI is information which is not classified, but by law either the data must be secured or access to the data must be controlled.
The basic premise of NIST 800-171 is this: CUI is extremely valuable. If CUI is compromised in any way, whether a federal or nonfederal organization is handling that data, the impact will be just as severe. That’s why steps to protect CUI need to be consistent between federal and nonfederal systems. Any cyber incidents must be reported—whether data was compromised or not.
The NIST 800-171 guidelines have 14 categories taken from the Federal Information Processing Standards (FIPS) 200 and the moderate security control baseline of NIST Publication 800-53.
Who is required to comply with NIST 800-171? [9:36]
If you are working on behalf of a U.S. federal agency, are a contractor, or supply services to the government, you need to apply the NIST 800-171 controls to any of your information systems that store, process, or transmit CUI. Additionally, if you’re gathering or maintaining data directly for a government agency, you’ll need to fulfill the full FISMA and NIST requirements—beyond NIST 800-171.
Failure to comply with NIST 800-0171 means you can’t do contracts with the U.S. government.
How do I comply with NIST 800-171? [12:06]
The current deadline to comply with NIST 800-171 is December 31, 2017. While NIST 800-171 includes detailed requirements, the regulation doesn’t dictate how those requirements should be met. The good news is that you’re free to satisfy those requirements however you want to: using software, professional services, or a mix of both.
Because there’s no blueprint for NIST compliance success, organizations will be learning as they go. While there aren’t many “lessons learned” out there from organizations who have already achieved NIST compliance, here’s some advice to consider:
- Understand the requirements. This free NIST 800-171 guide and compliance checklist may be a helpful place to start.
- Start small. Seek validation that you’re doing what is required. Then, as you see success, expand your program and grow.
- Know the CUI registry. Explore the CUI registry to see how they’re tagging information so you can follow their lead.
- Implement a team. Identify a small group of stakeholders who can help you get the program off the ground. Make sure to include your chief security officer and general counsel, too.
- Document everything. Document as you go so you have records of everything and how it’s working.
What kinds of software and solutions can help? [16:10]
Find a vendor who can help you with NIST 800-171’s multi-faceted requirements. At HelpSystems we offer a full portfolio of IT and security solutions that can help with evolving compliance requirements.
Jump into the webinar about 17 minutes in to learn about how our solutions can help with NIST compliance.
For a limited time, we’re also offering 30-minute NIST compliance audits with our technical solutions team. We’ll ask a few questions about any steps you’ve already taken towards NIST compliance, and then we’ll share our recommendations to move forward. Request your audit here >