Avoid These NIST Compliance Problems
Why Do I Need NIST 800-171 Compliance?
Small businesses that perform contract work for the Federal Government must implement the controls and safeguards of NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” The National Institute of Standards and Technology requirements protect the confidentiality of Controlled Unclassified Information (CUI) in non-federal systems and organizations. For federal contractors, failure to meet the NIST requirements can result in losing your government contracts. Currently, the requirement applies to contractors who do work for the Department of Defense (DOD) or the Intelligence Community (IC), but it is expected that by 2019 the civilian agencies will also require their contractors to show proof of compliance with NIST 800-171.
The Government’s concern is that CUI, including personal information, handled by contractors could be compromised because of weak cybersecurity and physical security controls at the business location. Assessor companies fill the cyber security news with single “solutions” that claim to satisfy the requirements of the NIST framework. That is not how NIST SP 800-171 compliance is achieved.
Avoid Buyer's Regret
Some applications address one family of controls, but no single application satisfies every requirement in the NIST framework. Small companies also need to avoid buying a solution that requires extensive training of company staff. In numerous cases the government itself has suffered “buyer’s regret” because a proposed solution was not suitable. Don’t let this happen to you. So, how do you get the assessment you need without committing to expensive solutions that you don’t need?
Understand Your Cybersecurity Needs
There are numerous companies that claim their “solution” can make your company security policy NIST 800-171 compliant. These are solutions looking for a problem. While such a product may satisfy several security requirements, it may be overkill for the deficiencies that actually exist in your organization. Stay away from solution providers until you have a clear understanding of your environment and of any physical or cyber deficiencies you have.
Can You Safely Self Assess NIST Standards?
Many small businesses that do contract work for the Federal Government have limited security expertise in-house. The first question to ask is, “Do we have in-house expertise that understands the requirements of NIST 800-171?” If the answer is “no,” then avoid any company that simply hands you software to self assess. They are setting you up for failure. Having access to a software compiler does not make a person a software engineer; similarly, having access to security assessment software does not make a person a security assessor. If your company does not have several employees holding a Certified Information Systems Security Professional (CISSP) or Certified Information Systems Auditor (CISA) certification, then you need to hire a company that will guide you through the process.
Select The Most Qualified Company
Ensure the following when selecting the company to perform an assessment.
- The person leading the assessment is certified.
- The company will provide training on what the assessment is and what the final Authority to Operate (ATO) means.
- The results of the assessment provide a body of evidence showing that the assessment followed the cyber security risk management framework. This body of evidence includes the System Security Plan (SSP), Security Test and Evaluation Plan (ST&E), Risk Assessment Report (RAR), Security Assessment Report (SAR), Plan of Action and Milestones (POA&M), Certification Statement, and Authorization letter.
Implement Cost-Effective Controls
A key element of NIST SP 800-171 is that the standard lets the organization choose cost-effective ways to implement its controls. For example, where a requirement can be met by procedure, a documented password policy may be far less expensive than a new product. Be aware, however, that some requirements leave no room for substitution: requirement 3.5.3 explicitly calls for multifactor authentication for local access to privileged accounts and for network access to privileged and non-privileged accounts, so a complex password alone will not satisfy it. Check each control’s actual wording before deciding that the cheaper option is adequate.
Why ASCERTIS Solutions Fits Your Needs
With ASCERTIS Solutions, your company receives a good/better/best menu of implementation options that meet the key requirement of each control. Each control is described in plain English so that a non-security executive of the company can understand what is required. The independent assessor (certifier) starts by explaining the role of the Authorizing Official (usually the CEO or the CISO) in the process, as well as the timeline for conducting the initial assessment. The application is designed so that a typical small company (75 to 150 employees) can complete an assessment in less than a week.
This demo video will explain the user-friendly approach of ASCERTIS Solutions.