Preparing for NIST Special Publication 800-171 Compliance
The US federal government now contracts service providers to carry out a wide range of federal projects and business activities, many of which use federal information systems and handle sensitive information. Because of this, the Department of Defense requires service provider operators, contractors and subcontractors that deal with Covered Defense Information (CDI) to take protective and preventive cyber security measures: the Defense Department requires outsourced operators to be NIST Special Publication 800-171 compliant on or before December 31, 2017.
NIST Special Publication 800-171 is a set of general procedures and requirements that describes how service operators must set up and operate their information systems and policies to protect government information, specifically Controlled Unclassified Information (CUI). Mishandling CUI can directly affect the federal government's ability to deliver its operations. Outsourced service providers perform many sensitive and routine processing tasks for the federal government, including financial services, web, electronic mail and cloud services, background investigations for security clearances, healthcare processing, and the development of communications satellite systems and weapons systems. All of this is sensitive data that must be handled by systems that meet the government's security requirements by way of NIST Special Publication 800-171.
If you do not comply with this requirement, you lose your government contract. This is why hired service operators either engage expert contractors with knowledge of NIST Special Publication 800-171 or do the work themselves by following these recommendations: perform a gap analysis and establish an incident response plan.
A gap analysis is a security review of your system processing in which you check every control gap in your network against the requirements of NIST Special Publication 800-171, determine whether your current projects and systems comply, and identify which areas still need to be brought into compliance. Work through this with your staff: have them review the network map and system configurations and go through the compliance checklist thoroughly, especially with respect to how Controlled Unclassified Information is processed. A thorough gap analysis and a report of the overall review of your system are important because they drive the changes that follow, such as introducing two-factor authentication to make sure that there are no shared passwords. An incident response plan will also be required; it provides the procedures to follow when there is a cyber intrusion or when an insider investigation is needed.