If you wait to become 800-171 compliant, you won’t win contracts. That was the message we wanted to make loud and clear to over 200 federal contractors during last week’s Washington Technology (WT) webcast, Inside NIST 800-171: Cyber Requirements and the Risk of Non-Compliance. Currently, all DoD contractors that handle, process or store sensitive types of government information must comply with the security controls described in NIST 800-171, and soon, civilian contractors will have to do the same.

The webcast topic was inspired by a Tripwire-authored article series published in WT last year that encouraged federal contractors to take the NIST 800-171 mandate seriously and provided steps to achieve compliance. Since the DoD mandate took effect in December 2017, a number of companies have been doing the right things to ensure their internal infrastructure meets 800-171 requirements, but most have not. A strong indicator of this is the fact that DoD systems managed by contractors continue to be hacked as a result of a lack of the most basic controls.

In the webcast, we were able to share our experience assisting customers in their efforts to become compliant. The agenda covered:
- NIST 800-171: Mandate review/timeline
- Implications: Both DoD and civilian
- Consequences of non-compliance (known and unknown)
- Reasonable/affordable steps toward compliance
- NIST moved up the release date of the initial public draft of SP 800-171, Revision 2. According to Ron Ross of NIST, the revisions will include enhanced security requirements that promote penetration-resistant architectures, designing for cyber resiliency and survivability, and damage-limiting operations.
- In June of 2018, the DoD Inspector General announced its launch of an initiative that aims to audit DoD contractors to determine if they have security controls in place to protect CUI.