Just about all defense contractors are smaller organizations than the U.S. Department of Defense, and very few are well versed in the often obscure terms and acronyms used by it.
At the same time, all defense contractors must be compliant with the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) by Dec. 31, 2017 which describes what they must do to protect covered defense information (CDI) and controlled unclassified information (CUI) that may pass through their IT systems as a result of the activities they conduct in support of the various DoD departments and agencies.
Few civilian organizations are as prepared as they should be at this point for the level of specificity and the compliance requirements that military agencies see as standard. NIST SP 800-171 helps these organizations comply so that they aren’t prevented from doing business with the military.
It maximizes the protection afforded to CDI and CUI to prevent it from falling into the wrong hands.
Here are a few key ways in which defense contractors (especially smaller defense contractors), can properly prepare themselves to achieve full compliance with NIST SP 800-171, a 76-page document that can be accessed on NIST’s website.
Small Defense Contractors – How to Approach Meeting NIST SP 800-171 Requirements
Defense contractors who achieved compliance with the 2013 Safeguarding of Unclassified Controlled Technical Information DFARS clause might approach meeting the requirements of NIST SP 800-171 by making simple policy and/or process changes or adjusting the configuration of existing IT.
NIST SP 800-171 was written using performance-based requirements that wouldn’t require acquisition of additional IT hardware or software, but rather policy and procedural changes.
The FAQ states, “Most requirements in NIST SP 800-171 are about policy, process, and configuring IT securely, while others require security-related software (such as anti-virus) or additional hardware (e.g., firewall).”
It is also important to remain focused on the core purpose of the publication, which is to insure constant, proper protection of CDI and CUI when it is processed, stored, or transmitted through any of the contractor’s internal IT systems. Systems that do not participate in processing, storing, or transmitting CDI or CUI do not have to meet any requirements.
You may already have control or protective measures in place that exceed the NIST requirement, providing equal or better protection to CDI and CUI. If you feel this is the case, you have the right to submit an explanation to show that your alternative protection is appropriate, effective, and fit for purpose.
Small defense contractors who are new to these requirements should begin by thoroughly examining the policy and process changes indicated, especially those that involve IT. Assure that all IT configurations conform to the standards described. Assure that all policies and procedures involved in securing data and network meet or exceed the standards.
As you determine changes that will be required to IT systems, carefully determine which should be assigned to external expert resources to assure complete compliance.
Finally, document your strategy in a detailed, written plan of action with milestones for achievement. This will be useful in any situation where a lapse in compliance may be suggested.
A Potential Short-Cut to Compliance
Just as it has reduced workload and expense for many companies, small defense contractors may find they can literally outsource their compliance requirements by using a cloud service that meets security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP), a moderate requirements baseline for the storage, processing, and transmission of CDI and CUI.
It is important to specify this requirement in your contract with a compliant cloud service.
Should you choose to take this route, remember that there are still segments of your own network which may play a part in the storage, processing, or transmission of CDI and CUI to and from the FedRAMP-compliant cloud service, and these must meet or exceed the requirements, too.
The last thing to remember, whether you choose to use a cloud-service or not, is that your organization still owns responsibility for protecting the covered information at all times. You must assure that your cloud-provider adheres as stated. You must assure that your systems meet or exceed requirements at all times.
George Wrenn is founder and CEO of CyberSaint Security, was formerly chief security officer at Schneider Electric. He has more than 20 years of experience in the field of cybersecurity and is a Research Affiliate in Management Science at the MIT Sloan School of Management. He can be reached at: firstname.lastname@example.org.