Preparing for NIST Special Publication 800-171 Compliance
The US federal government now outsources a wide range of federal projects and business activities to service providers, who carry them out using the federal government's information systems and handle sensitive information in the process. Because of this, the Department of Defense requires service provider operators, contractors and subcontractors that deal with Covered Defense Information (CDI) to take protective and preventive cyber security measures; specifically, the Defense Department requires outsourced operators to be NIST Special Publication 800-171 compliant by December 31, 2017 at the latest.
NIST Special Publication 800-171 outlines the general procedures and requirements for how service operators must set up and run their information systems and policies to protect government information, specifically Controlled Unclassified Information (CUI), whose compromise can directly affect the federal government's ability to carry out its normal operations. The federal government assigns outsourced service providers tasks that involve sensitive information, including the processing, storage and transmission of data for financial, healthcare, cloud, Web and electronic mail services, security clearances and their associated background investigations, and even information as serious as communications satellite and weapons system data. It is therefore important that these providers comply with the NIST Special Publication 800-171 requirement set by the Defense Department.
To become NIST Special Publication 800-171 compliant as a hired government contractor, you can either work through the step-by-step process requirements yourself, using a gap analysis and an incident response plan, or hire a professional group to help you meet the requirement.
If you, as a government contractor, choose to comply with the NIST Special Publication 800-171 requirement on your own, the first important step is a security analysis across all of your control systems. Compare the results against the policies of NIST Special Publication 800-171 and determine which areas must be worked on to reach compliance. This requires discussing the findings with your staff and examining your company's network maps and configurations, especially those that relate to how Controlled Unclassified Information is handled. A thorough gap analysis and a report on the overall investigation of your system are important because they let you introduce the necessary changes, such as two-factor authentication to ensure that no passwords are shared. An incident response plan is also required; it provides the procedures to follow when a cyber intrusion occurs or when an insider investigation is needed.