As a DoD contractor, you are on the frontlines of cyberwarfare. Your access to Controlled Unclassified Information makes your business a target for criminals, terrorists, and adversarial nations. These entities frequently engage in cyberattacks in order to achieve financial gains and strategic advantages. Not only is this an immediate risk to your operations, interests, and employees, it could also jeopardize your future as a participant within the Defense Industrial Base.
As a contractor with the Department of Defense, you are bound by the regulations outlined in the Defense Federal Acquisition Regulation Supplement (DFARS). In order to fulfill your contracts, and to qualify for new ones in the future, you must act in accordance with the cybersecurity clause of the DFARS. To make sure that DIB contractors are clear about the expectations the DoD has put forth, the DFARS refers to a document called NIST SP 800-171.
National Institute of Standards and Technology Special Publication 800-171 is the most important document for your business's cybersecurity. The Department of Defense uses it as the foundation for how your systems are to be configured, and it also sets out the correct practices for responding to threats and performing maintenance. NIST 800-171 compliance requires you to adhere to 110 requirements organized across 14 categories. Not all 14 categories are explored here, but the examples below are among the most essential to healthy cybersecurity.
Access Control
Preventing a cyberattack is a far easier task than responding to one. For that reason, 22 of the 110 requirements detailed in NIST 800-171 are devoted to ensuring that only authorized individuals have access to your systems. The access control category is arguably the most critical, and it includes more requirements than any of the other categories.
Protecting Your Systems and Communications
DFARS was drafted in large part to better protect Controlled Unclassified Information, or CUI. The NIST guidance on system and communications protection is particularly suited to achieving this goal. Made up of 16 requirements, this category provides guidance on controlling the flow of information within your network and keeping it safe from attackers. The cryptographic protections you will need to implement are also outlined in this category.
Identification and Authentication
NIST 800-171 lists 11 requirements for managing the password and identity-verification mechanisms for employees using your networks. This measure is important because it establishes who each user is, so that you can control who is able to access which information. This category will help you ensure that your systems are protected from potential internal threats as well as external ones.
While this list is only a portion of what you'll need to comply with, it will give you a good idea of what to expect. NIST 800-171 compliance is an ongoing effort for your business. In order for your contract to remain in good standing, you'll need to be compliant with all 110 requirements at all times. If you are concerned about your ability to keep your cybersecurity program up to date, contacting a compliance management professional is a wonderful investment. An experienced compliance manager will be able to evaluate the current health of your network. If your network needs improvement, they can advise you on what needs to be done and how to make those improvements efficiently. Working with a compliance professional is an investment in safety and profitability. It's an effective way to protect your business from liability and compromise, while also ensuring that you remain in good standing with the Department of Defense. Even if it's only for a routine evaluation of your current cybersecurity posture, developing a relationship with a compliance management service is a good idea.