Over the past three years, the National Institute of Standards and Technology (NIST) has defined the Special Publication 800-171 security requirements. They are designed to protect Controlled Unclassified Information (CUI) in nonfederal information systems and organizations.
When the DFARS (Defense Federal Acquisition Regulation Supplement) clause came out, most believed this mandate would finally extend protection of certain types of federal information to the government contractors that handle it on behalf of federal agencies, in whatever environment that information is stored or processed. The Department of Defense set milestones that every federal system integrator or contract holder must meet to uphold these requirements.
What are the 800-171 requirements?
There are 14 families of security requirements that must be met, 110 requirements in total. Each family contains its own set of basic and derived requirements that affected programs must satisfy:
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Understanding What Is at Stake
There will be consequences for non-compliance: not being able to conduct business with the federal government means large revenues lost and existing federal contracts being held at a standstill or withdrawn completely. As Beverly Cornelius points out in a blog on The State of Security, the following three consequences are likely:
- Contract Termination. It is reasonable to expect that the U.S. government will terminate contracts with prime contractors over NIST 800-171 non-compliance, since it constitutes a failure to uphold contract requirements. Subcontractor non-compliance will cause the prime contractor to be non-compliant as a whole.
- Criminal Fraud. If a company states it is compliant when it knows it is not, that is a misrepresentation of material facts. This is a criminal act: it fits the definition of fraud, any act intended to deceive through a false representation of fact that results in legal detriment to the person who relies on the false information.
- Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil wrong committed against another party for which the injured party can sue for damages. The likely scenario for a NIST 800-171-related tort would be negligence on the part of the accused party in not maintaining a specific standard of care (e.g., the NIST 800-171 controls).
Steps to Become Compliant
To become compliant, you can do the following:
- Make someone responsible for the effort.
- Review your current posture and what needs to be done.
- Contact an organization that can help.
You can read three Tripwire use cases that highlight the following in federal agencies:
#1: Ensuring compliance and minimizing risk
#2: Automating manual tasks and enhancing breach detection
#3: Monitoring critical assets in the public cloud
Read more here: https://tripwire.me/2LdbfAR