NIST and Cybersecurity – What you need to know!
Government organizations and their direct contractors have long been required to conform to cybersecurity standards and data handling protocols set for by the National Institute of Standards and Technology (NIST). These organizations typically have large IT budgets and staff to implement the personnel and security products necessary to meet these requirements and ensure the security of sensitive data. The down-level suppliers, most of whom were small businesses with limited budgets, were not beholden to any such requirements.
Of course, that all changed in December of 2016 with the publication of NIST SP 800-171. This Special Publication provides organizations with requirements for protecting the confidentiality of CUI – Controlled Unclassified Information. In essence, this publication took the requirements to which only the upper levels of the supply chain were obligated, and applied them down to all levels of the supply chain – right down to the Mom and Pop businesses manufacturing simple electronic components for customers like Boeing, Raytheon, etc.
These companies were notified by their big customers, beginning in Dec 2016, of these new requirements, and asked to complete cybersecurity questionnaires so that their security positions could be assessed. Many of these companies do not have any IT staff of any kind, or have only a break-fix IT contractor. These companies typically do not have the ongoing, proactive systems and security management necessary to ensure compliance, will find themselves in a difficult position as the deadline of December 31, 2017 approaches, as many contractors will require compliance as a condition of ongoing business!
The requirements are numerous and cover a lot of different areas of system security, including:
- Secure network and system configurations
- Data and network encryption
- Two-factor authentication
- Security Information and Event Management (SIEM) platform
- Vulnerability scanning and alerting
- Data Loss Prevention (DLP) software
- Backup/Disaster Recovery
- Documentation and Training
We have spent considerable time and effort becoming familiar with these requirements from a practical IT perspective; evaluating security solutions for technical and budgetary viability, consulting with auditors from the big defense companies, developing blueprints for system hardening, and working with our clients to educate their user base.
As a result, we’ve found ourselves in the unique and fortunate position to provide our clients with comprehensive and cost-effective solutions that will move them toward NIST compliance and ensure the security of their largest and most valuable customer relationships.
As always, feel free to reach out for help…