In April of 2015, NIST published the first public draft of something called SP800-171 which describes requirements for protecting controlled unclassified information on nonfederal information systems and organizations. The government also published a regulation (DFARS 252.204-7012) that states that any entity that collects, develops, receives, transmits, uses, or stores defense information in support of a government contract must abide by the guidance in SP800-171 – with a deadline of compliance to happen by December of 2017. That’s right around the corner!
What does all of this mean?
In short, if you are a government defense contractor and you receive controlled unclassified information, you must comply with NIST SP800-171. In some cases, if you are a downstream vendor of a government contractor, you will likely be asked about compliance also.
There are 14 categories outlined in the guidance listed below:
Each category has numerous objectives that must be achieved that consist of various processes, procedures and systems that may have to be implemented in order to achieve compliance with this mandate. There have been many articles written on this topic and how to comply, which typically consist of the usual technical controls such as encryption, firewall rules and multi-factor authentication, but much of this information is process related, not technical making it obscure and difficult to read.
The good news is that many organizations are already in compliance with quite a few of the objectives listed above. Most gaps exist where controls need to be strengthened, policies need to be created, and where acquisition of additional software/hardware needs to be considered. A lot of organizations can handle many of these tasks in-house, but don’t discount the benefit of an external IT consultant that has experience with this regulation and can provide assistance in closing the gap or providing service/software.
Putting together a game plan for compliance can be a daunting task – especially if you don’t know how to comply with items such as Performing a Risk Assessment or Create a Vulnerability Program. Peters & Associates can help you put together a strategy for understanding where the gaps are and executing the project to close those gaps. Compliance initiatives are something we work with continually across many industries. Contact us today for more information firstname.lastname@example.org or 630.832.0075.