What Is NIST? Why Do You Need To Comply?
If you’ve heard about NIST compliance but aren’t exactly sure what it is, or even if it applies to you, check out our video for a brief walkthrough of the basics you need to know.
The US Council of Economic Advisors estimates that malicious cyber activity costs the U.S. economy at least $57 billion on an annual basis. That’s why every organization should follow NIST as a minimum cybersecurity standard.
Do you know what that means?
It’s OK if you don’t — check out our latest video to discover the basics of NIST compliance:
What Is NIST?
The National Institute of Standards and Technology (NIST) was founded in 1901 by Congress to remove obstacles in US manufacturing competition. It intersects with business cybersecurity when it comes to NIST Special Publication 800 – 171 “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations.””
In 2016, NIST released NIST 800 – 171 to provide a cybersecurity framework that protects data not covered under a “Classified” label, but which still could prove dangerous for American interests should it be obtained by an adversary.
With NIST 800 – 171, it’s the contractor’s responsibility to safeguard all data and information related to any work performed for the DoD, including:
- Information that would be described as controlled unclassified information (CUI)
- Covered defense information (CDI)
What is CUI?
CUI is information created by the government or on behalf of the government that needs to be safeguarded. All government contractors are required by the government to follow the security guidelines to ensure adequate security by implementing NIST SP 800 – 171.
“CUI is unclassified information that requires safeguarding and dissemination controls pursuant to law, regulation, or Government-wide policy, as listed in the CUI Registry by the National Archives and Records Administration (NARA).”
What is CDI?
The Department of Defense (DoD) uses the term Covered Defense Information (CDI) for its own coordinating rules for cybersecurity. It is the security of contractor information systems that store, process or transmit Federal contract information.
The Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity rules apply to Covered Defense Information (CDI). DFARS supplies a set of “basic” security controls for contractor information systems where this information is stored. These security controls must be executed at both the contractor and subcontractor levels. It is based on the information security guidance in NIST Special Publication 800-171.
Why Do You Need To Be Compliant With NIST?
While there aren’t specific fines associated with NIST non-compliance, that doesn’t mean there won’t be consequences. If you’re not compliant, you’re technically no longer qualified to contract with the DoD — no matter which contracts you have in place or the professional relationships you’ve built over the years.
If you are under contract and are found to be non-compliant, and without having submitted variance requests or plans of action to fix noncompliance, then you would be in breach of contract, leading to monetary damages.
Furthermore, if compliance with NIST 800-171 was an evaluation factor in your contract, then noncompliance could lead to grounds for protest. You could even be found guilty for criminal fraud if you’re claiming to be NIST compliant, but it can be proven you weren’t and that you knew you weren’t.
Long story short — failing to be NIST compliant could lead to millions in lost revenue, reputational damage with governmental contacts, and even criminal charges.
What Does NIST Compliance Mean For You?
The minimum cybersecurity standards are described in NIST Special Publication 800-171 and broken down into fourteen areas:
- Access Control: You must limit system access to authorized users.
- Awareness & Training: You are required to promote awareness of the security risks associated with users’ activities, train them on applicable policies, standards and procedures, and ensure they are trained to carry out their duties.
- Audit & Accountability: You must create, protect, retain and review all system logs.
- Configuration Management: You are required to create baseline configurations and utilize change management processes.
- Identification & Authentication: You must authenticate information systems, users, and devices.
- Incident Response: You’re required to develop operations to prepare for, detect, analyze, contain, recover from, and respond to incidents.
- Maintenance: You must perform timely maintenance of your information systems.
- Media Protection: You must protect, sanitize and destroy media containing CUI.
- Personnel Security: You’re required to screen individuals before authorizing their access to information systems, and ensure these systems remain secure upon the termination or transfer of individuals.
- Physical Protection: You must limit physical access to and protect and monitor your physical facility and support infrastructure that houses your information systems.
- Risk Assessment: You are required to assess the operational risk associated with processing, storage, and transmission of CUI.
- Security Assessment: You must periodically assess, monitor and correct deficiencies and reduce or eliminate vulnerabilities in your organizational information systems.
- System & Communications Protections: You must monitor, control and protect data at the boundaries of your system, employ architectural designs, software development techniques and system engineering principles that promote effective information security.
- Protection System & Information Integrity: You’re required to identify, report and correct information and any flaws in your information in a timely manner. You must also protect your information systems from malicious code at appropriate locations, and monitor information security alerts and advisories so you can take appropriate actions.
Advantage Industries Will Guide You Through NIST Compliance
Not sure where to begin with NIST compliance?
Our team can help — we offer compliance as a service, a process minimizes upfront costs and allows for the highest level of cyber-security with a budget that is easily managed monthly.
Here’s how to get started:
- Book a free NIST compliance consultation at a time that works for you.
- Our team will evaluate your current compliance.
- Our team will make recommendations, and, per your approval, implement them to bring you to a state of confident compliance.
Advantage Industries is a Managed Security Service Provider (MSSP) providing practical networking and software solutions, as well as web site and application creation services. For nearly two decades, Advantage has worked collaboratively with hundreds of clients in understanding complex business processes, identifying needs, and providing recommendations tied with sound technology solutions custom-tailored to their business.