How to be NIST Special Publication 800-171 Compliant
The Department of Defense has recently established a major requirement for the service providers, contractors and subcontractors that the US federal government has engaged on a wide range of projects and business activities that rely heavily on the government's information systems. Because of the sensitivity of the information these operators access, the Defense Department insists that they have protective and preventive cyber security measures in place, and it has mandated that all such operators be NIST Special Publication 800-171 compliant on or before December 31, 2017.
NIST Special Publication 800-171 is a general framework of procedures for protecting government information, specifically Controlled Unclassified Information (CUI): vital information that is accessible to service operators and is used in the federal government's day-to-day operations. By creating and requiring this publication, the Defense Department aims to achieve full cyber security protection and compliance from these outsourced providers. These providers are hired to perform many routine tasks, such as processing, storing and transmitting federal information on their own information systems and delivering that information to federal agencies (for example, providing credit card and financial services, providing Web and electronic mail services, conducting background investigations for security clearances, processing healthcare, providing cloud services, and developing communications satellites and weapons systems). It is therefore of paramount importance that a system be adopted to protect this sensitive work by requiring all outsourced service providers to be compliant with NIST Special Publication 800-171.
If you are one of these contractors, you must comply with the requirement or risk losing your contract. Here are suggested steps for starting the compliance process: perform a gap analysis and establish an incident response plan.
When you, as a government contractor, have to meet the NIST Special Publication 800-171 requirement on your own, the first important step is to conduct a security analysis across all of your control systems, compare the results with the policies of NIST Special Publication 800-171, and determine which areas need work before they can be compliant. This requires discussing the analysis with your staff and examining your company's network maps and configurations, especially those involved in handling Controlled Unclassified Information. Once you have the results of your gap analysis, it is suggested that you add two-factor authentication to your processing system to ensure that no passwords are shared, and that you develop an incident response plan: a clearly explained plan for what to do during a cyber intrusion or attack, or when there is an insider investigation.