What does NIST SP 800-171 mean?

NIST SP 800-171

As a small business in the Department of Defense (DoD) Government Contracting realm, we do have cybersecurity experience.  We have been through the DoD Information Assurance Certification and Accreditation Process (DIACAP), which has now been transitioned to the Risk Management Framework (RMF).  RMF is a six-step process developed by the National Institute of Standards and Technology (NIST) to apply risk management to Information Systems.

RMF certification is very time-consuming and costly.  My employees have been great, working through all the necessary paperwork with patience and expertise to get this certification for the Information Systems they are responsible for.

Last week, I met with Adam Austin, Reggie Hall, and Alli Bey of Haight Bey, Engineering and Security Solutions, who started to put a small fear into my soul.  They informed me that a little over a year ago a revision to the Defense Federal Acquisition Regulation Supplement (DFARS) introduced new cybersecurity requirements for DoD contractors who process unclassified information.  The governing document is the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations.

If you are a government contractor, failure to meet these requirements will result in the loss of your contracts because the confidentiality of CUI in non-federal systems is now being mandated.

The requirements in DFARS clause 252.204-7008 are:

(b) The security requirements required by contract clause 252.204-7012, shall be implemented for all covered defense information on all covered contractor information systems that support the performance of this contract.

(c) For covered contractor information systems that are not part of an information technology service or system operated on behalf of the Government (see 252.204-7012(b)(2)) –

(1) By submission of this offer, the Offeror represents that it will implement the security requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (see http://dx.doi.org/10.6028/NIST.SP.800-171) that are in effect at the time the solicitation is issued or as authorized by the contracting officer, not later than December 31, 2017.

(2)

(i) If the Offeror proposes to vary from any of the security requirements specified by NIST SP 800-171 that are in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DoD Chief Information Officer (CIO), a written explanation of

(A) Why a particular security requirement is not applicable; or

(B) How an alternative, but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection.

(ii) An authorized representative of the DoD CIO will adjudicate offeror requests to vary from NIST SP 800-171 requirements in writing prior to contract award. Any accepted variance from NIST SP 800-171 shall be incorporated into the resulting contract.

What does this clause mean to me?

Wait…December 31, 2017?  Adjudicate?

What do I have to do?

In short, the clause means that DoD government contractors like me need to properly secure their OWN IT systems that process any deliverable due to the government.  Examples of such deliverables include:

  • Research and Engineering Data including Engineering Drawings, Associated Lists, Specifications, Standards, Process Sheets, Manuals, Technical Reports, Technical Orders, Catalog-Item Identifications
  • Data Sets
  • Studies, Analyses and Related Information
  • Computer Software Executable Code and Source Code
  • Monthly or Quarterly Reports

If you’re a DoD government contractor developing and submitting Contract Data Requirements Lists (CDRLs), you’ll need to ensure, on your own dime, that your Information Systems meet some stringent cybersecurity requirements by the end of 2017, just like the BIG government Information Systems.

In addition to securing your IT systems, you’ll need a process in place to continuously monitor your organization for cyber-incidents and to report any such incidents to the DoD quickly.

NIST SP 800-171 contains 14 sections of requirements broken down into 110 required controls.  Each requirement is mapped to NIST SP 800-53 and ISO/IEC 27001 controls.  You may be familiar with these controls if you have been involved in securing government IT systems.  The following are those 14 sections and their appropriate “who” and “why.”

NIST SP 800 171 Requirements

The 131 risk-mitigating actions, called controls, comprise 670 individual assessments that a contractor will need to perform to verify the measures have been taken.

What can I do to mitigate this risk?

  1. Understand Controlled Unclassified Information (CUI).
  2. Conduct NIST 800-171 CUI Self-Assessment provided by the Common Solutions Group (https://library.educause.edu/resources/2016/9/nist-sp-800-171-compliance-template) to analyze the gaps between my organization and the NIST SP 800-171 requirements.
  3. Create my Plan of Actions & Milestones (POA&M) to implement corrections.
  4. Build cybersecurity into my bottom line and internal processes. I need to build and execute a process that ensures continuous monitoring and assessment of the controls, starting with the most critical mitigations.
    1. The plan has to have tasks that validate and verify the plan is being executed.
    2. Tasks must be performed to ensure continuous risk assessment and progress on the POA&M.
    3. Develop and implement a process to identify and report cyber-incidents to the DoD
  5. Get my CUI Self-Attestation and CUI Deliverables including the following:
    1. Written Information Security Program (WISP)
    2. Configuration Management Plan (CMP)
    3. Information Security Continuous Monitoring (ISCM)
    4. Information System Contingency Plan (ISCP)
    5. Incident Response Plan (IRP)
    6. Security Awareness Program (SAP)
    7. Security Assessment Report (SAR)
    8. System Security Plan (SSP)

Just another thing for a small business that requires planning, people, and resources.  The good news is that I have to write the POA&M anyway, and that may be enough for the contracting officer to declare me in compliance.

Daunting.  Doable.

If you are a DoD contractor that hasn’t yet implemented NIST SP 800-171, your organization may want to start looking at it.  It could mean the difference between winning or NOT winning a contract.  More and more contracting officers will require companies to be in compliance.  I would suggest you get ahead of the power curve.

If you are not sure whether your organization is affected by this requirement, reach out to the experts at Haight Bey, Engineering and Security Solutions.

As DynaGrace Enterprises goes through this mandated tightening up of our own cybersecurity practices, watch for subsequent articles about our journey.

Linda Rawson, CEO, and Founder of DynaGrace Enterprises, (http://DynaGrace.com)

A Women-Owned, 8(a) Minority, Small Business

Author:  The Minority and Women-Owned Small Business Guide to Government Contracts
Between POWER and GRACE lies EXCELLENCE

Goldman Sachs 10,000 Small Business

What is the PATCH Act?

A vulnerability is a weakness which allows a cyber attacker to compromise a computer system’s information assurance.

As you can imagine, a vulnerability left alone can bring a production system to its knees, costing a company millions upon millions of dollars.  The sooner we, as a company, know about vulnerabilities that can affect us, the better.  Early disclosure also allows software manufacturers to develop and deploy patches more quickly.

Legislation was announced last week by a joint group of House and Senate Democrats and Republicans that seems to be the first response to the “ransomware” outbreak that occurred globally.  It is believed that attack was built on a leaked National Security Agency (NSA) hacking tool.  The bill, referred to as the “PATCH Act,” makes permanent the current Vulnerabilities Equities Process, which governs when the government discloses the software vulnerabilities it knows about.

Senators Brian Schatz (D-HI), Ron Johnson (R-WI) and Cory Gardner (R-CO) as well as Representatives Ted Lieu (D-CA) and Blake Farenthold (R-TX), introduced the Protecting Our Ability to Counter Hacking (“PATCH”) Act.

Currently, not all vulnerabilities are put through the Vulnerabilities Equities Process, and certain vulnerabilities are withheld.

The following statement can be attributed to Andi Wilson, Policy Analyst at New America’s Open Technology Institute:

“One of the most critical components of a strong vulnerabilities review process is that it apply to absolutely all vulnerabilities in the government’s possession, not just the ones that the intelligence community chooses to put into the process. The PATCH Act presents an opportunity to make vulnerabilities review consistent and transparent, assuring government stakeholders, companies, and the American people that a clear set of rules is being used to decide whether vulnerabilities should be disclosed. Given the very real cybersecurity concerns of nondisclosure, it is imperative that steps be taken to improve the process for vulnerabilities review, and legislation like the PATCH Act is crucial in establishing confidence and trust in that process. OTI strongly supports the PATCH Act sponsors’ efforts to address the cybersecurity risk posed by government-stockpiled vulnerabilities, and thanks Senators Schatz and Johnson for their leadership on this issue.”

Cyber-attacks continue to be a significant threat to companies.  It is nice to know the House and Senate are becoming aware.

A Reminder About The Need for Cyber Security

Cyber Security is a real need today.  Businesses of all kinds handle sensitive information, especially that of their customers. Because that information is usually stored and exchanged online, businesses are exposed. If the information gets into the wrong hands, a cyber breach could cause catastrophic damage. Likewise, one small cyber breach at an Industrial Automation facility and production grinds to a halt.

Businesses lose thousands, if not millions, of dollars when production stops.

In the last two years the rate of cyber crime has risen sharply; in 2015 alone, there were about 781 publicized security breaches that resulted in the exposure of over 169 million personal records.

Sadly, this number is increasing one year after another.

Such attacks take place when there is a gap in the techniques and measures adopted for cyber security. Big names like Target, Harvard, and BlueCross have also been victims of cyber attacks, which is proof that not even the big businesses are safe from this threat.

Over the last 2-3 years, cyber attacks have become more frequent and cyber criminals have gotten faster and better at finding the wormholes, and sadly this has made it difficult for businesses to keep up. Conventional protective software has trouble keeping sensitive data secure.

So what to do? IT executives have come up with some innovative strategies that use automation as a defense tool against cyber attacks and breaches of cyber security. Nowadays the threats have multiplied, and IT people are up against constant and persistent attacks, many of them led by automated bots.

These are intensive attacks, and humans cannot keep pace with such threats; it becomes difficult to make decisions that take immediate effect. This is the leading reason automation is being incorporated into cyber security. Automation is not only powerful but efficient as well.

At the same time, some concerns surround the use of automation in cyber security, such as:

  • Lack of Trust: A highly skilled employee may feel more capable of responding to a cyber attack than a machine. Not being able to trust the technology is a significant obstacle, and one that is difficult to overcome as attacks increase in frequency and complexity.
  • Change: Another misconception is that automation will replace the human workforce. Automation does play a major role in changing how people work, but it is creating opportunities for them as well.

Against these perceived shortcomings, there are some significant advantages:

  • Enhanced Efficiency: With the help of automation, workflows become more uniform and streamlined, and the organization becomes stronger with regard to cyber security.
  • Fewer Errors: The majority of well-known cyber breaches were caused by overworked individuals with no harmful intention. Even IT experts make mistakes, and those mistakes can be massively damaging. With automation, this problem can be eliminated by removing some or all of the human involvement.
  • Better Decisions: Automation allows industries to gather, analyze and prioritize sensitive information, which boosts threat detection and the cyber attack management process.

Cyber Security should be the top priority of every business and industry leader, as the average cost of a cyber attack ranges from $38,000 to a staggering $400 billion!

The strategies need to be revised and audited properly to check their effectiveness if the business is to keep from becoming the next target.

Automation is emerging as an excellent tool for strengthening, boosting and streamlining response processes so that a better defense can be created.
