So You Missed the NIST 800-171 Deadline: Now What?
If you're a supplier, contractor or subcontractor with the federal government, you or your colleagues have no doubt heard of NIST 800-171. If you haven't, check out "Everything You Need to Know About NIST 800-171" for all of the details and an explanation of how it may affect your business contracts.
Just want a quick refresher? Officially, NIST 800-171 is known as the "National Institute of Standards and Technology Special Publication 800-171." In the wake of several serious data breaches at federal institutions, including the U.S. Postal Service and the National Oceanic and Atmospheric Administration, the federal government took action in order to improve data security and protect sensitive information.
The guidelines laid out in NIST 800-171 cover the use of Controlled Unclassified Information (CUI) by partners of the federal government. CUI is defined as "information that requires safeguarding or dissemination controls," despite not being sensitive enough to classify.
What you might not have heard, however, is that a revised set of rules regarding NIST 800-171 compliance has just taken effect at the beginning of this year — and you could be risking your hard-earned contracts if you fail to cooperate. Matt Kozloski, our Vice President of Professional Services, spoke about these difficulties in a recent interview with IndustryWeek. Below, we'll go over what you need to know in order to satisfy the new requirements related to NIST 800-171 compliance and avoid the ramifications of non-compliance.
Who Needs to Comply With NIST 800-171?
Simply put, any organization that handles or processes CUI from the federal government must comply with the standards set forth in NIST 800-171. This includes a wide range of companies and institutions: universities and research laboratories, manufacturers, defense contractors, consulting firms and more.
Even if your organization is a subcontractor that lacks a direct relationship with the federal government, NIST 800-171 compliance is required if you interact with or handle CUI in the course of your work. The government explicitly informs contractors about these obligations, and any subcontractors are usually made aware of the NIST 800-171 requirements when signing an agreement with the contractor.
The Consequences of NIST 800-171 Non-Compliance
Since NIST is a non-regulatory agency of the federal government, it doesn't have the same auditing power as an organization like the IRS. However, the consequences of non-compliance could still seriously impact your reputation and your business’s bottom line.
For example, if your non-compliance is revealed in the course of a NIST 800-171 audit, you may lose existing contracts as a result, since they may include a clause that requires you to comply with NIST 800-171. What's more, even without a formal audit, federal officers or prime contractors can put you on the spot at any time by asking about your NIST 800-171 implementation status or plans.
Once you've become known for non-compliance, that kind of reputation will travel with you. Business partners will be contractually obligated to avoid working with organizations that can't prove their NIST 800-171 compliance, and may require concrete, independently researched evidence from their vendors and subcontractors. You may be barred from taking on federal contracts with government agencies like the Department of Defense (DOD) or the General Services Administration (GSA) until you can show that you're either compliant or endeavoring to become compliant.
What Can You Do to Move Toward Compliance?
The first step to moving toward NIST 800-171 compliance is identifying your areas of non-compliance. There are 14 key areas of NIST 800-171, ranging from identification and authentication to incident response.
Next, you should progress from identifying these gaps and shortcomings to creating a plan of action. The U.S. Office of the Undersecretary of Defense doesn't prescribe a certain way of implementing the NIST 800-171 guidelines or assessing compliance, but it does provide some suggestions and guidance.
Even though the December 31, 2017 deadline has already passed, organizations can still move toward becoming compliant with NIST 800-171 by writing a System Security Plan (SSP). This document compares your IT security situation with the 110 security requirements that are outlined in NIST 800-171. It discusses important information such as how your IT environment is set up, how you implement requirements, and how you interface with other systems.
In addition to the SSP, you should also write a Plan of Action (PoA) document. The PoA should identify the requirements that you've already fulfilled and explicitly describe how you plan to fulfill the remaining requirements.
The final step, of course, is to turn your plans into reality by implementing the guidelines within NIST 800-171. With more than 100 criteria to fulfill, it may take you months just to find all of the gaps and vulnerabilities, let alone to address them. However, this level of diligence is necessary to make sure that you protect yourself from the potential consequences of non-compliance.
Despite missing the NIST 800-171 compliance deadline, there's no need for you to panic just yet. By carefully assessing your current IT security stance, identifying problems and working to fix them, you'll be demonstrating a good-faith effort that you plan to align your business with the NIST 800-171 requirements. Start the path to compliance today by taking our NIST 800-171 self-assessment quiz.