December 31 is a major data security compliance deadline for NIST 171
If your company is a link in the government supply chain, NIST 800-171 compliance is required
Hundreds of New Hampshire companies that manufacture components for the U.S. government or for government contractors have only a few weeks left to comply with new requirements for handling sensitive data. Whether it is contract details or schematics for a new fighter jet radar component, the Department of Defense doesn’t want its data in the wrong hands. As a result, it requires all its downstream vendors (and their vendors’ vendors) that handle such data to implement a defined set of information security requirements by December 31, 2017.
A brief history
Cybersecurity requirements were first imposed on Defense Department contractors and subcontractors in 2013 through the Defense Federal Acquisition Regulation Supplement (DFARS), in the clause now numbered 252.204-7012. In 2015 the clause was revised to name NIST SP 800-171 (referred to here as NIST 171) as the specific set of requirements. This special publication from the National Institute of Standards and Technology (NIST) was written for companies of any size whose own (nonfederal) systems store, process or transmit “Controlled Unclassified Information” (CUI). The DFARS revision published in 2015 is what set the December 31, 2017 compliance deadline.
New Hampshire manufacturers, take note
“New Hampshire is awash with small and medium-sized manufacturers with outdated security policies, running on older technology, that are not compliant with the new requirements,” said Ryan Barton, CEO of Mainstay Technologies. “NIST 171 has 110 specific controls around policies, cybersecurity, training and technical specifications, so it is a tremendous amount of work for companies to implement these specific security measures around protecting data, wherever it lives.”
DFARS contracts don’t spell out what happens to companies that don’t comply. Under the clause, a contractor that has not implemented every NIST 171 requirement is supposed to notify the DoD Chief Information Officer within 30 days of contract award of which requirements are still open, but many won’t. It’s easy to project that audits and demands for proof of compliance will eventually follow, with contractual penalties or termination for default for those out of compliance. What may happen sooner is that the large manufacturing companies holding the big government contracts (the “Primes”) will require proof of compliance and security audits from their downstream vendors in order to protect their own compliance, since the clause must be flowed down to every subcontractor that handles CUI. If nothing else, noncompliant organizations are unlikely to win new business.
Some compare this rollout to the industry’s adoption of ISO 9001 many years ago, where it took several years for the requirement to be enforced. The comparison only goes so far: ISO 9001 wasn’t a DoD requirement, and it had accredited certification bodies that made compliance clear-cut. NIST 171 has no certifying body; compliance is the contractor’s own attestation.
“NIST has released guidance that the minimum requirement is having completed an initial assessment and a documented Plan of Action and Milestones (POAM), so not everything has to be completed by December 31, but it’s critical to start now if you haven’t already,” Barton said.
Get NIST 171 compliant
Companies that haven’t started implementing the NIST 171 controls should immediately find an experienced partner, one with a comprehensive understanding of NIST 171 and the technical and policy-writing experience the work requires. Alternatively, they should assign someone with technical expertise to read the special publication and the associated NIST documents for each of the 110 controls, assess the company against each one, and produce the two documents the publication itself calls for: a System Security Plan describing how each control is met, and a Plan of Action and Milestones recording the gaps and when each will be closed. Those documents are the company’s strategy and its record of progress toward compliance.
“While the consequences for missing deadlines are vague now, soon tolerance for not protecting CUI data will run out,” Barton said. “And this is true for all industries: to do business today, you should have an information security program to protect yourself and your clients. To do business tomorrow, that information security program is going to be mandatory for nearly all industries, just as it is now for contractors in the DoD supply chain.”
The path to NIST 800-171 compliance varies by company, and the right information security partner should be able to lay out practical options for meeting each requirement rather than a single prescribed stack. The ultimate goal is to protect the information and avoid a breach; the controls, implemented well, reduce the company’s real risk rather than merely satisfying a checklist.
“This is a new cost of business that everyone should take on because of the state of cybersecurity today,” Barton said. “It’s absolutely possible to make these technical requirements easier when you’re working with the right partner who can find a balance between compliance and cost efficiency.”
To learn more about compliance requirements pertaining to NIST 800-171, DFARS 252.204-7012, or other industry-standard information security programs, contact us.