NIST 800-171 Compliance Can be Done Quickly!

NIST 800-171 Compliance actually means DFARS Cybersecurity requirements must be met.

The NIST 800-171 requirements have always vexed small manufacturers because of their dense wording, so NIST (the National Institute of Standards and Technology) has been trying to make them easier to understand with the following PDF: https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf

This is an important paragraph from the PDF:

Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the Controlled Unclassified Information (CUI) Executive Agent, designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program’s mission to establish uniform policies and practices across the federal government, NARA issued a final federal regulation in 2016 that established the required controls and markings for CUI government-wide. This federal regulation binds agencies throughout the executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program.


So needless to say, if you are a small manufacturer and sell to the US government, you will have to be compliant, or else. What is the "or else"? I surmise it is pretty bad, since there has been plenty of time for you to get on board with this new initiative. Admittedly it has been a chore to get through the NIST 800-171 documents up to now, as I discussed in June on this site.

Like this for example:

There are many such points in the document.

Here is the full list of the 14 control families that have to be set up:

  1. AC – Access Control
  2. AT – Awareness & Training
  3. AU – Audit & Accountability
  4. CM – Configuration Management
  5. IA – Identification and Authentication
  6. IR – Incident Response
  7. MA – Maintenance
  8. MP – Media Protection
  9. PS – Personnel Security
  10. PP – Physical Security
  11. RA – Risk Assessments
  12. SA – Security Assessments
  13. SC – System & Communications Protection
  14. SI – System & Information Integrity


None of these points are brain surgery requiring ten-plus years of training and schooling. In fact, your IT department can perform most of them as part of their regular work; they just need support from above (i.e. resources).

The one point the company cannot do effectively by itself is audit and accountability, since nobody inside the organization has the fresh point of view of an outsider, or at least one not shaped by the company culture. That is what we do here at Fixvirus.com.

So these 14 points should not dissuade you from becoming compliant. Even if you do not have multi-factor authentication (Identification and Authentication) and it would take 6 months to implement, all you have to do is create a POAM, or Plan of Action and Milestones. So once you have written-up proof or POAMs, then you are compliant – easy.

This is how I can state that you can come into “compliance” with NIST 800-171 quickly.

Contact us to review and discuss.
