
Cyber Security
The National Institute of Standards and Technology (NIST) is a non-regulatory government agency that develops technology, metrics and standards to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. NIST provides standards and guidelines for the Federal Information Security Management Act (FISMA), which is a comprehensive framework to protect government information, operations and assets against natural or man-made threats.
In 2015, the U.S. Department of Defense (DoD) published an interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS) giving government contractors a deadline to implement the requirements of NIST Special Publication (SP) 800-171. Any organization that processes, stores, or transmits Controlled Unclassified Information (CUI), which includes any organization that engineers, tests, or manufactures products directly or indirectly, must comply.
The NIST 800-171 standards are based on best practices for a sound data security plan, organized into 14 categories. Maintaining a plan that covers all 14 categories will keep a contractor in good standing. Once that initial baseline is achieved, the system can be continuously improved.
- Access Control
- Media Protection
- Awareness and Training
- Personnel Security
- Audit and Accountability
- Physical Protection
- Configuration Management
- Risk Assessment
- Identification and Authentication
- Security Assessment
- Incident Response
- Systems and Communications Protection
- Maintenance
- System and Information Integrity

Reference documents and resources:
- National Archives Website discussing CUI Policy
- Executive Order Regarding CUI
- CUI Implementing Regulation
- Charter for the CUI Advisory Council
- Protecting CUI in Nonfederal Systems and Organizations
- Marking CUI Version 1.1
- DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
- NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS
- USD Memo RE: Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented
- Under Secretary of Defense for Acquisition, Tech, and Logistics. Guidance for Assessing Compliance of and Enhancing Protections for a Contractor's Internal Unclassified Information System
- Industry article from "The Business of Federal Technology," "7 Steps for getting right with NIST 800-171" by Izak Bove