How to be NIST Special Publication 800-171 Compliant
The US federal government increasingly relies on outside service providers to carry out federal projects and business activities on its behalf, often using the government's own information or information systems. Because that work involves sensitive data, the Department of Defense requires that operators, contractors and subcontractors who handle Covered Defense Information (CDI) take protective and preventive cyber security measures; specifically, under the DFARS clause 252.204-7012, covered contractors must implement NIST Special Publication 800-171 no later than December 31, 2017.
NIST Special Publication 800-171 is published by the National Institute of Standards and Technology (NIST), not by the Defense Department. It sets out the security requirements for protecting Controlled Unclassified Information (CUI) when that information resides in nonfederal information systems and organizations. CUI is information the federal government relies on in its day-to-day operations that is sensitive but not classified, and any outsourced service provider that processes, stores or transmits it on the government's behalf must meet the publication's requirements. Such work includes financial and healthcare data processing, cloud services, web and electronic mail, security clearance processing with its associated background investigations, and data as sensitive as communications satellite and weapons system information, which is why the Defense Department requires its contractors to comply.
To become NIST Special Publication 800-171 compliant as a government contractor, you can either work through the requirements yourself, starting with a gap analysis and ending with a documented incident response plan, or hire a professional group to help you comply.
A gap analysis is a security assessment in which you work through every control in NIST Special Publication 800-171 (110 requirements grouped into 14 families) and record where your environment already complies and where work remains. In practice this means interviewing your staff, reviewing your network diagrams and system configurations, and comparing what you find against a compliance checklist, with particular attention to every place CUI is processed, stored or transmitted.

As a contractor handling sensitive data, you are then obliged to act on the results: each gap should be recorded and closed, and any remaining work tracked in a plan of action with milestones, so that the system is hardened against outside intrusion and insider threats. Two findings that come up repeatedly are shared or generic accounts, which must be replaced by uniquely identified users, and password-only logins, which NIST Special Publication 800-171 requires be replaced by multifactor authentication for privileged accounts and for network access. You also need a written incident response plan so that a cyber attack is detected, contained, reported and recovered from in a controlled way; note that DFARS 252.204-7012 requires cyber incidents affecting CDI to be reported to the Department of Defense within 72 hours of discovery.