NIST 800-171 | Who, What, and Why?!

Now that the new Defense Federal Acquisition Regulation Supplement (DFARS) regulations regarding cybersecurity are effective and required for all Government contractors, industry is grappling with just how bad their cybersecurity practices have been over the years.  The guidelines for the new regulations are outlined in the NIST Special Publication 800-171 titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” and it provides the necessary requirements to protect the confidentiality of controlled unclassified information (CUI).

These new requirements are being added to contract requirements such that any company wanting to do business with the DoD will need to implement the cybersecurity requirements outlined in NIST SP 800-171, or run the risk of losing new and/or existing contracts.

If you’re thinking to yourself, “Ah, yes, the government needed more regulation!” Then, you’re looking at the intent of the cybersecurity requirements all wrong.

Cybersecurity controls are meant to address the plethora of unclassified information (used/kept/stored) by many DoD contractors, both big and small, which in many cases, is poorly guarded and managed.  Among the various DoD contractors, there is enough unclassified information to provide our adversaries with an insider’s view into our nation’s military.

To the extent of our connected world and the devices that power our modern society touching every facet of our lives, there are countless avenues for attackers to sneak in and steal sensitive intellectual property (IP) and DoD secrets.  The loss of this information results in real dollar losses and competitive advantage losses in the defense industry, as well as a transfer to our adversaries of IP,  which DoD contractors have worked hard to develop.  And the worst part… our enemies are able to perform these acts from within the confines of their own borders with relative ease due to lax cybersecurity practices.

These lax cybersecurity practices strike to the heart of why the NIST SP 800-171 requirements were long overdue.  For too long, DoD contractors bumped along doing the bare minimum, if any, cybersecurity implementation, and frequently put the government data on servers or in emails that were completely unprotected.  There was no accountability and very little confidentiality, resulting in a constant flow of stolen data.

With NIST SP 800-171, companies are required to focus on auditing data trails, identify and protect assets housing CUI, perform proper access control procedures, and assign responsibilities within an organization for handling cybersecurity operations and maintenance.  The cost and friction caused by these new requirements is often viewed with disdain, which is usually due to lack of understanding.  Good cybersecurity policy and practices require buy-in from all stake holders: technical, management, and operations alike, which is why an initial cybersecurity assessment is the best starting point for any DoD contractor.

Understanding the unique internal processes and challenges of each DoD client, Cybernet advises a specific action plan and recommendations so cybersecurity becomes an effective and core element of a company’s underlying culture.