Leave no network behind: What private industry needs to know about preparing for NIST SP 800-171.
It’s that time of year again, when kids head back to school for the roughly 180-day year that makes up a grade. It’s a time of renewal – new clothes, new school supplies.
It’s also a time for parents to comply with a number of health and safety procedures, ranging from proving vaccinations to self-attesting that they will adhere to the school system’s rules and procedures. Administrators have mountains of metrics and goals to monitor, many of them prescribed by the federal government, to keep all kids safe as they learn and interact. Parents from every demographic category must comply.
In a similar way, the U.S. government has rules for keeping its data safe in the hands of every organization that interacts with it. Just as with health policies for students, the federal government is setting requirements so that the nonfederal computers and networks holding its information build up their immunity to malware and other unhealthy cyber attacks. This is the purpose of NIST Special Publication 800-171.
NIST SP 800-171 applies to Controlled Unclassified Information (CUI) that the federal government shares with a nonfederal entity. The requirements in NIST SP 800-171 are based on NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. They were tailored from NIST SP 800-53 specifically to protect the confidentiality of CUI in nonfederal IT systems, that is, to prevent unauthorized disclosure. NIST SP 800-171 organizes its security requirements into 14 families comprising 109 individual requirements (the draft revision that adds an explicit system security plan requirement, discussed below, brings the count to 110).
Ensuring the Integrity of the Most Complex Supply Chain
Any company or organization that seeks to win a federal contract or grant that requires it to handle CUI will be expected to comply with NIST SP 800-171, so that sensitive federal information remains confidential when stored or processed in nonfederal information systems. The U.S. government is, in effect, protecting itself by protecting its supply chain.
Besides being the single largest buyer of goods and services in the world, the federal government manages the most complex supply chain of large and small organizations, ranging from global aerospace companies, to one-person consulting firms, to universities seeking grants.
According to industry reports, as much as 80% of all information breaches originate in the supply chain. By now, we have all heard that the massive Target breach began with credentials stolen from an HVAC vendor in its supply chain. The same reports put more than half of supply-chain disruptions at over $25 million and the average cost at approximately $360,000, not counting management time, lost customers, or reputational damage. Industry estimates suggest that 72% of companies do not have full visibility into their supply chains, and 59% have no process for assessing the cyber risk of third-party providers with which they share data or network access.
What’s In Store for NIST SP 800-171 Compliance?
Logically, many in industry are asking, “What specifically will my company or university have to produce to prove that we are compliant with NIST SP 800-171?” Given how much latitude the NIST publication leaves in how each requirement is implemented, there is growing concern that entities without large cyber budgets may not be able to afford to comply and will simply stop applying for grants or contracts.
The short answer is that there is no answer yet as to what body of evidence will be required. So is the best approach to simply wait until we know more? Probably not.
It’s logical to think that the U.S. government might at some point align its emerging NIST SP 800-171 requirements with the NIST Risk Management Framework (RMF) and the Cybersecurity Framework (CSF). The CSF was developed in response to Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, issued in February 2013, and version 1.0 was released in February 2014. The EO called for a voluntary, risk-based cybersecurity framework that is “prioritized, flexible, repeatable, performance-based, and cost-effective.”
While the CSF was targeted at the 16 critical infrastructure sectors, there has been growing momentum among commercial sectors to embrace and standardize on it. Implementing a CSF-based risk process brings many benefits, such as a scorecard that measures the business’s cyber security posture so that resources can be focused where the gaps are. It’s just good cyber practice whether or not you intend to seek federal contracts or grants, in much the same way that vaccinations, as part of a child’s overall health program, provide benefits well beyond school.
The Power of Automating Risk Management and Compliance Processes
I’m happy to report that you can give your company’s risk management program a proverbial shot in the arm with Xacta. Federal agencies use Xacta to automate the NIST RMF, which is built on implementing NIST SP 800-53 controls; since NIST SP 800-171 is itself tailored from NIST SP 800-53, the same machinery applies.
A significant addition in the latest draft revision of NIST SP 800-171 is an explicit requirement (3.12.4) for a system security plan (SSP). Together with the plan of action and milestones (POA&M) already required under 3.12.2, the SSP spells out how an organization meets, or plans to meet, the requirements for protecting CUI. Because these artifacts are also required under the NIST RMF, Xacta can produce them automatically for demonstrating NIST SP 800-171 compliance.
Additionally, Xacta has a NIST SP 800-171 template and can map controls from other standards you already follow onto the NIST SP 800-171 requirements, which accelerates your ability to attest to compliance. Xacta then automatically produces a Control Matrix Report that can be shared with stakeholders. This saves considerable time and money in risk management and compliance reporting.
As a federal contractor that handles CUI, Telos also has to comply with NIST SP 800-171, so we appreciate that companies in private industry are still getting educated on the specifics of the requirement. But it’s important for every organization to begin studying and implementing good risk management practices based on the CSF and NIST SP 800-53. That is the best way to prepare for whatever “test questions” we are asked by a government contracting office, or by a customer whose supply chain we serve.
At the very least, given the need to keep up with constantly changing IT regulatory requirements in the most highly regulated industries, adopting sound risk management practices through automation will save your firm a great deal of time and money while boosting your networks’ resilience against cyber attacks.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.