October 27, 2017
NIST 800-171 Compliance for Small-Mid Sized Companies
The federal government is mandating that all of its partners be compliant with NIST 800, a framework originally designed for larger federal agencies. While NIST 800-171 addresses security compliance for non-federal agency businesses and offers compliance guidance for smaller businesses, achieving compliance is still a daunting task.
NIST 800-171 Security and How It Relates to Non-Federal Agency Businesses
DFARS Clause 252.204-7012 requires DoD contractors, including small businesses, to:
- Provide adequate security to safeguard covered defense information that resides in or transits through their internal unclassified information systems from unauthorized access and disclosure.
- Rapidly report cyber incidents to DoD at https://dibnet.dod.mil.
- When contractors or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer.
- Preserve and protect images of all known affected information systems identified and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.
What is adequate security?
Minimum cybersecurity standards are described in NIST Special Publication 800-171 and break down into 14 areas. In each of these areas, there are specific security requirements that DoD contractors must implement. Full compliance is required no later than December 31, 2017. Contractors must notify the DoD CIO within 30 days of contract award of any security requirements not implemented at the time of contract award. Contractors can propose alternate, equally effective measures to DoD’s CIO through their Contracting Officer.
If the DoD determines, based on an assessed risk or vulnerability, that other measures are required to provide adequate security in a dynamic environment, contractors may also be required to implement additional security precautions.
The standards for securing non-federal contractors are contained in NIST 800-171 and in multiple supporting documents, including NIST 800-200, NIST 800-53, FIPS 199, FIPS 200, NIST SP 800-37, and others, which go into more detail about the controls and the security framework process.
eSecurity Solutions has a complete solution for small – mid-sized companies who have been caught up in this requirement and need a solution. Because of our experience, we have sifted through the 8-10 documents on NIST 800 and have a solution that can scale to your business and still meet federal regulations.
With 14 years in cyber security, we have the experience and a documented NIST 800-171 compliance process, and we can guide you through a total solution that gets you compliant as fast as possible, with the supporting documentation you need.