DFARS. NIST. CMMC… Oh my!
Based on some confusing and potentially conflicting information we have found, we thought it was extremely important to clarify all expectations that the DoD has of its primes, subs and vendors.
From listening to podcasts, watching and attending webinars, completing official CMMC-AB training, and reading any and every publication and white paper we can get our hands on, one thing regarding cyber security is clear:
We do not say that to scare or alarm you. On the contrary, we want to empower and embolden you. We want our clients to have a competitive advantage in this ever-toughening DIB marketplace, and we do not want you to lose your contract. We also want to help keep YOU safe, and we pride ourselves on the role we play in strengthening the national security of our great nation that we love so much. LEARN MORE ABOUT THE NEW DFARS Interim Rule here. Did you know that every prime, sub and vendor MUST upload an assessment onto the Supplier Performance Risk System (SPRS) by December 1, 2020 if they want to even be considered for a contract?
We hear this question asked so often by overwhelmed contractors like yourself that we created a FREE NIST/CMMC Self-Assessment. With this assessment, there is NO right or wrong answer, but it will give you an idea as to where you currently stand. It is your FIRST STEP to NIST and CMMC compliance.
But let’s take a step back and get some perspective on what NIST SP 800-171 is and where it comes from!
The National Institute of Standards and Technology (NIST) has a deep-rooted history in the United States. Established in 1901 by the US Congress, the ongoing goal of NIST has been to promote the US economy by becoming an international leader in the development of measurements and standards. And they have largely succeeded (if you pointedly ignore the metric system, or lack thereof in the US).
Since its inception, it has maintained the same goal, but it has added to and expanded its objectives. In addition to promoting the US economy, NIST also issues and develops standards and guidelines that help protect sensitive information that is held within US federal agencies.
That’s great, but what does all this have to do with my business? Well, as you can imagine, government contractors play a large part in creating, transmitting and/or storing the sensitive “Controlled Unclassified Information” (CUI), which is simply any data and/or information used by US federal agencies. That means it has fallen on NIST’s shoulders to protect federal contractors and their supply chain. In fact, it has become a huge focus of NIST’s in the past few decades.
And for really good reason! Government contractors have been notoriously, woefully lacking in data protection; it would be laughable if it weren’t so potentially harmful to our national security… Especially in recent years, as hackers become more and more sophisticated while most contractors lag further and further behind.
It’s like being late to the train station because you were simply being lazy and not paying attention. You start running on the platform towards the train that is just leaving the station, and it’s going slow at first so you think MAYBE you can catch up, but the closer you get, the faster the train speeds away.
Or, in a lot of cases, it’s like you just stay on the couch eating potato chips and don’t even bother to get to the station, much less the platform.
OK, I get it. I’ve completely missed the cybersecurity train. Enough with the guilt, just help me understand more about NIST and how it relates to me. Fine, fine! So you understand why NIST was created and what its goals are, but how exactly does it reach its goals? It’s pretty simple, actually. They write and then they publish the writings.
NIST standards are now recognized as THE standard for best practices in cybersecurity. There are four different types of publications put out by NIST:
For all intents and purposes, all you need to worry about are the SPs. That being said, NIST has published a plethora of SP series:
Since you are now aware of what NIST is, and where NIST SP 800-171 came from, it’s time to get into the meat and potatoes of NIST SP 800-171. As mentioned above, it’s made up of 110 different security controls that are divided into 14 separate families. Those 14 families can be grouped into 4 main families:
We are telling you that because, instead of boring you with unoriginal content you can find with a simple NIST SP 800-171 Google search, we are going to talk to you about the four main groups.
NIST SP 800-171 Group 1: Controls
Control requirements regulate who can and can’t access CUI and how the data is handled by:
NIST SP 800-171 Group 2: Monitoring & Management
This group of security controls deals with how you monitor the CUI that you handle and how you manage your data and processes through:
NIST SP 800-171 Group 3: End-User Practices
Your employees are your biggest asset, but they can also be your biggest liability; after all, phishing emails don’t click themselves. In order to mitigate the liability that is user error, you and your managers must:
NIST SP 800-171 Group 4: Security Measures
When someone thinks of “cybersecurity,” this is probably what they tend to think of. To be compliant with NIST SP 800-171 security measures, you must:
As you can probably imagine, NIST SP 800-171 is rather complex. While it may seem like more of a nuisance than anything else, it has a purpose: to protect our national security. It is huge and scary and hard to implement, but there is hope! Contact Petronella Technology Group today to get more information about keeping your CUI (and your contracts) safe and secure! 919-726-3235 or firstname.lastname@example.org
Sound cool? That’s just NIST Compliance! Take a look at what else we can help you with:
We are the ninjas of the cyber world, and we represent the perfect storm.
To speak to one of our experts, call 919-726-3235.
Option 1 for Thunder.
Option 2 for Lightning.
Or visit our store HERE