In a recent article, we wrote about the new DFARS rule and the new NIST “scorecard” system that the rule includes. In order to reach a perfect “score” of 110, companies vying for a government contract need to meet every requirement outlined in NIST 800-171.
In the past few years, we’ve covered NIST guidelines at length. However, there have been quite a few changes since we last wrote about them. For that reason, we’re putting out a quick refresher on the subject for readers who are unfamiliar with NIST compliance, as well as sources for some of the more recent, important updates to NIST standards.
What is NIST?
Officially, the National Institute of Standards and Technology is a non-regulatory government agency that develops technology, metrics and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry. As part of this effort, NIST produces standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act, or FISMA. NIST also assists those agencies in protecting their information and information systems through cost-effective programs.
In a nutshell, NIST guidance provides a set of standards for recommended security controls for information systems at federal agencies. These standards are endorsed by the government, and companies comply with NIST standards because they encompass security best practices controls across a range of industries
Why comply with NIST?
The simplest answer is: You have to. Or rather, at least, if you plan on landing any sort of contract with the DoD, you need that all-important score of 110 on your NIST scorecard. But more than that, organizations of all types are increasingly subject to data theft and loss — whether the asset is customer information, intellectual property or sensitive company files.
IT is not security, and security is not IT. Information security is about trying to protect information, while IT is about information sharing. You must have IT, and you need security, otherwise you’re only doing half the job. It’s about finding the balance between the two. A comprehensive set of standards, methodologies, procedures and processes that align policy, business and technical approaches to address cyber risks is needed to protect both your organization and your customers. That’s where NIST comes in.
What are the latest NIST guidelines?
The original version of SP 800-171 first appeared in 2015 and provided 110 recommended requirements to ensure the confidentiality of Controlled Unclassified Information, or CUI, residing on the computers of contractors and other organizations that interact with the government. The original document, titled Draft NIST Special Publication (SP) 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, now has a new draft companion publication, NIST SP 800-171B, that offers additional recommendations for CUI in situations where that information runs a higher-than-usual risk of exposure. CUI includes a wide variety of information types, from individuals’ names and Social Security numbers to critical defense information.
NIST requirements should be applied far beyond the world of government contracting — especially in critical infrastructure systems. By adopting the NIST framework, you are taking an incredibly important step toward securing not only your business, but the privacy and trust of all who do business with you. Contact us to ensure your organization is meeting those standards.
Since 1995, Manassas Park, VA-based V2 Systems has employed local systems administrators, network engineers, security consultants, help desk technicians and partnering companies to meet a wide range of clients’ IT needs, from research, to implementation, to maintenance. Concentrate on your VISION…We’ll handle the TECHNOLOGY!