NIST 800-171 Compliance – Now What?

We are entering the fifth month since the NIST 800-171 guidelines went into effect, but there is still a large number of businesses that haven’t taken the necessary steps to achieve compliance. The reasons seem to range from a lack of understanding of how these guidelines affect their businesses to doubts about how the government will enforce these rules. The first of these concerns will be addressed in the upcoming NIST SP 800-171A, which is expected to come out within the next couple of months.

NIST 800-171A (the A stands for Assessment) is a revision to the original guidelines that is expected to minimize the confusion and ambiguities that individuals and organizations have already expressed in the process of achieving compliance. This revision will be a more template-like document that will help contractors gain a better understanding of the requirements.

Meanwhile, large prime contractors are getting nervous at the sight of noncompliance by smaller subcontractors, given that it not only increases the cybersecurity risk footprint of their companies but also raises the risk of having to terminate key providers because of the subs’ noncompliance. NIST 800-171 provides guidance to federal government contractors on how to work towards achieving compliance, but it doesn’t introduce any additional layer of compliance surveillance because no official certification process is required. This, in turn, has allowed contractors not to take the guidelines seriously, or to act as if noncompliance were an option. The fact of the matter is that, even though the government is relying on the so-called “honor system”, there is still plenty of documentation needed to demonstrate the contractor’s due diligence process.

What can we expect in the next couple of months?

Most contracts will start integrating NIST 800-171 compliance requirements that will undoubtedly flow down to lower-tier subcontractors. As a result, we might start seeing small businesses lose their opportunity to perform if the prime can’t obtain reasonable assurance that its subs are in compliance with the NIST guidelines. Ultimately, prime contractors will not risk losing a big contract because of a sub’s noncompliance with NIST 800-171.

Why is compliance with NIST 800-171 so important?

The answer is simple: by being compliant you lower the cybersecurity risks affecting your company. But you can also view it as an investment strategy for small businesses: by being compliant, your company will have an advantage over other small businesses when negotiating with a prime contractor. Again, there is no certification for this initiative, but showing your due diligence to a prime contractor will put you in a better position than any non-compliant business.

What processes are needed to achieve compliance?

NIST SP 800-171 is designed as a self-assessment framework for an organization, but it doesn’t define how to get where you need to be. There’s no “one size fits all” solution, as many factors affect the path to compliance, such as company size (e.g. annual revenue and headcount), the types of information systems used, the current state of compliance, and your company’s budget, among others. However, there are a number of steps you can take in the right direction. For starters, a gap analysis is recommended to see where the company stands relative to the guidelines. Also, creating a System Security Plan (SSP) is a solid start, because in essence the SSP is the primary evidence of the company’s security posture.

At fuxebox, we offer a wide range of options when it comes to cybersecurity and government regulations. From training and NIST SP 800-171 self-compliance guidance to full compliance implementations, our team of experts can help you choose the best path for your business. Let us help unlock your business’s full potential. We invite you to contact us for a professional assessment.