Proudly serving Virginia, Maryland and DC // Call us today! 703.396.6120
V2 SystemsV2 Systems
A Refresher on NIST 800-171

by Erik Briceno

In a recent article, we wrote about the new DFARS rule and the new NIST “scorecard” system that the rule includes. In order to reach a perfect “score” of 110, companies vying for a government contract need to meet every requirement outlined in NIST 800-171.

In the past few years, we’ve covered NIST guidelines at length. However, there have been quite a few changes since we last wrote about them. For that reason, we’re putting out a quick refresher on the subject for readers who are unfamiliar with NIST compliance, as well as sources for some of the more recent, important updates to NIST standards.

 

What is NIST?

Officially, the National Institute of Standards and Technology is a non-regulatory government agency that develops technology, metrics and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry. As part of this effort, NIST produces standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act, or FISMA. NIST also assists those agencies in protecting their information and information systems through cost-effective programs.

In a nutshell, NIST guidance provides a set of standards for recommended security controls for information systems at federal agencies. These standards are endorsed by the government, and companies comply with NIST standards because they encompass security best practices controls across a range of industries

 

Why comply with NIST?

The simplest answer is: You have to. Or rather, at least, if you plan on landing any sort of contract with the DoD, you need that all-important score of 110 on your NIST scorecard. But more than that, organizations of all types are increasingly subject to data theft and loss — whether the asset is customer information, intellectual property or sensitive company files.

IT is not security, and security is not IT. Information security is about trying to protect information, while IT is about information sharing. You must have IT, and you need security, otherwise you’re only doing half the job. It’s about finding the balance between the two. A comprehensive set of standards, methodologies, procedures and processes that align policy, business and technical approaches to address cyber risks is needed to protect both your organization and your customers. That’s where NIST comes in.

 

What are the latest NIST guidelines?

V2Systems NIST Recap Jan2021 Blog3 Pic2 1024x683 - A Refresher on NIST 800-171The original version of SP 800-171 first appeared in 2015 and provided 110 recommended requirements to ensure the confidentiality of Controlled Unclassified Information, or CUI, residing on the computers of contractors and other organizations that interact with the government. The original document, titled Draft NIST Special Publication (SP) 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, now has a new draft companion publication, NIST SP 800-171B, that offers additional recommendations for CUI in situations where that information runs a higher-than-usual risk of exposure. CUI includes a wide variety of information types, from individuals’ names and Social Security numbers to critical defense information.

NIST requirements should be applied far beyond the world of government contracting — especially in critical infrastructure systems. By adopting the NIST framework, you are taking an incredibly important step toward securing not only your business, but the privacy and trust of all who do business with you. Contact us to ensure your organization is meeting those standards.

 

Since 1995, Manassas Park, VA-based V2 Systems has employed local systems administrators, network engineers, security consultants, help desk technicians and partnering companies to meet a wide range of clients’ IT needs, from research, to implementation, to maintenance. Concentrate on your VISION…We’ll handle the TECHNOLOGY!

ebriceno
About ebriceno
Erik Briceño is the owner of V2 Systems, Inc., one of Northern Virginia’s leading Information Technology Managed Service Providers. He is an inspiring leader for its employees and instrumental business partner for its customers. He is passionate about V2’s purpose, dedicated to exceeding expectations and a consummate professional not afraid of jumping in and getting his hands dirty. Prior to joining V2 Systems in 2002, Erik was a co-founder and COO of Ampcast.com, a leading provider of online resources servicing over 5,000 independent musical artists. At Ampcast.com, Erik spearheaded all aspects of corporate development, funding, strategic vision, and business development for the firm. From 1997 to 1999 Erik held the position of Acoustic Systems Engineer for Electric Boat Corporation, a leading defense contractor. In this role, Erik was responsible for the acoustic fidelity of two noise critical systems and components in the US Navy’s nuclear submarine systems. Erik holds a B.S. in Mechanical Engineering from Vanderbilt University and a Masters of Business Administration from George Mason University. When not working, you will find Erik a dedicated family man, raising two young children with his lovely wife Karen. Together, they enjoy building legos, playing baseball, skiing, riding horses, swimming, traveling, and fixing up old Mopars.
A Refresher on NIST 800-171
A Refresher on NIST 800-171