If Your Company Works with the Federal Government, You Should Know This
Customers hire us to help them address their physical IT security infrastructure needs, and in the course of the conversation, we raise the specter of compliance with a Federal Government mandate related to NIST 800-171. In the best case scenario, the client is well informed of the pending deadline and has a plan in place. However, in most situations they are not tuned in to this deadline, and start to get white-knuckled. Unfortunately, because of our work in IT Security and Compliance for regulated industries such as aviation and health care, we see this situation happen much more frequently than we’d like.
While Washington State hangs its proverbial hat on being the country’s seat of emerging technology, that distinction also comes with a certain set of rules and regulations for companies whose clients include the federal government.
For government contractors, a deadline looms to ensure they are compliant with the National Institute of Standards’ (NIST) guidelines for ensuring sensitive federal information remains confidential when stored in nonfederal information systems and organizations. Basically, a contractor needs to be NIST compliant if it processes, stores, or transmits sensitive federal information to assist federal agencies in carrying out their core missions and business operations.
This requirement means nonfederal information systems and organizations must demonstrate that they have security controls – both physical and procedural – in place to protect Controlled Unclassified Information (CUI) and Controlled Technical Information (CTI), based on guidelines laid out in NIST’s Special Publication 800-171.
Originally, contractors only had until the end of 2016 to demonstrate compliance, but some squeaky wheels within the industry said, “too fast,” so the Pentagon pumped the brakes and extended the deadline to Dec. 31, 2017 (though for contracts awarded at, or after, the deadline, compliance is required within 90 days). And while the original catalog of NIST security controls was an unwieldy 462-page behemoth, the new document is a sleek and streamlined 77 pages.
This all foots back to the Cybersecurity Enhancement Act of 2014, passed by Congress, “to provide for an ongoing, voluntary public-private partnership to improve cybersecurity, and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness, and for other purposes.” The act provides a call to action for NIST to continue its work on a defined cybersecurity framework.
Our clients are in frequent disbelief that this regulation applies to their particular contracts. We tell them the answer is simple: If your company processes, stores or transmits CUI, or provides security protection for such components, then you can be certain compliance with NIST 800-171 is required. And with the Dec. 31 deadline just eight months away, it’s time for procrastinators to get cracking.
Anyone still wondering why this is important can check out the following video, produced by NIST, which demonstrates how companies can apply the cybersecurity framework functions concurrently and continuously to form an operational culture addressing the ever-changing nature of cybersecurity risks:
At Base2, we have had well-documented security plans in place for many years, and have been audited by the federal government several times because of our defense-related work. But when we went to audit ourselves for compliance, even we were surprised to learn of the requirements that we hadn’t met, such as multi-factor authentication and audit logging.
Because the importance of compliance cannot be overstated, as demonstrated by the agency’s video, we follow the clear process that NIST has laid out for implementing the core framework functions, beginning with No. 1 – Identify. Like it or not, cybersecurity attacks are happening daily. According to a Clark School study at the University of Maryland, hackers attack every 39 seconds, with a Forrester report identifying 95 percent of the breaches within three industries: government, technology and retail. Step one of the framework indicates companies must develop the organizational understanding to identify and manage cybersecurity risk to systems, assets, data and capabilities. This understanding is critical in order to use the framework effectively. Outcomes from this core function include asset management, business environment, governance, risk assessment and risk management strategy.
The second core function we address is Protect, which includes developing and implementing the appropriate safeguards to make sure critical infrastructure services are delivered. This function identifies whether your company is able to limit or contain the potential impact of a breach and, if not, the steps needed to improve. Outcomes include access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.
Next comes Detect. This critical function helps companies develop and implement the necessary steps to identify the occurrence of a cybersecurity event. With this step successfully in place, a company should be able to discover breaches in a timely manner. If a gap is identified in a company’s ability to detect breaches, outcomes of applying this function typically include anomaly and event detection, continuous security monitoring, and detection alerting processes.
Which leads us to Respond. As its name indicates, this function helps to form and put into place the steps needed to take action on a detected cybersecurity event. This function should support a company’s ability to contain the breach, with targeted outcomes including response planning, communications, analysis, mitigation, and improvements.
After Respond we engage in Recover. This final function helps companies maintain plans for resilience and restore any capabilities or services that were impaired by a cybersecurity event. It allows for a timely return to normal operations, minimizing the impact of the breach. Outcomes from applying this function can include recovery planning, improvements and communications.
After applying the framework, companies can move on to the seven steps of NIST’s gap analysis to either create a new cybersecurity program or improve an existing one. We counsel clients that these steps create a security loop with the goal of continuous improvement over time. They are: Prioritize and Scope; Orient; Create a Current Profile; Conduct a Risk Assessment; Create a Target Profile; Determine, Analyze and Prioritize Gaps; and Implement Action Plan.
While the framework can help a company’s existing process for identifying, assessing and managing cybersecurity risk, we strongly believe that it shouldn’t replace existing processes. Rather, we find it’s a useful tool for identifying gaps in a current cybersecurity risk approach, one that helps create a roadmap to improvement, or even the foundation for a new program. Using it as a tool, companies can decide which activities, based on identified gaps, would be worth investing in. Engaging with an experienced security assessor is the first step in assuring NIST compliance, keeping the December 31 deadline top-of-mind, and helping to maintain Washington State’s reputation for having the most trusted technology partners in the U.S.