Small businesses looking to work in some form on government contracts need to understand what it takes to be in compliance with the cybersecurity controls issued by the National Institute of Standards and Technology (NIST). In addition to opening up their businesses to a wide range of government work, companies that are in compliance with NIST controls will demonstrate a high level of cybersecurity and will also position themselves well to follow even more advanced standards such as the Cybersecurity Maturity Model Certification (CMMC).
The federal government has markedly increased its attention to cybersecurity issues after numerous breaches, disruptions, and intellectual property threats affecting sensitive data, along with the heightened cyberattack activity during the pandemic. As a result, it makes sense for small businesses looking to work on government contracts to take the necessary actions to achieve NIST compliance.
NIST is one of the nation’s oldest and most respected physical science laboratories and is a part of the U.S. Department of Commerce. One of its main functions is to develop and issue standards, guidelines, and other publications that help protect the information and information systems of federal agencies. IT security, compliance, and risk management professionals from all industries consider the guidance and resources NIST provides a standard for best practices.
Over the last 30 years, NIST has been the major driver behind federal government IT security initiatives and standards. Its influence is also clearly demonstrated in the more advanced standards just starting to be required through CMMC, which uses the NIST framework in its formulation.
In addition, the NIST security requirements and controls provide the necessary safeguards for federal information and systems that are covered under the Federal Information Security Modernization Act of 2014 (FISMA). In many cases, complying with NIST guidelines and recommendations will also help organizations ensure compliance with other important regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX).
Importance of NIST for Small Businesses
The two NIST security mandates that are most relevant to businesses are NIST Special Publication 800-53 and NIST Special Publication 800-171. NIST 800-53 is the more established and comprehensive set of IT security standards that prime contractors with the DoD and other federal agencies have long been following, while NIST 800-171 also applies to subcontractors. NIST 800-171 was introduced in 2017, with important revisions in 2020, and details the security compliance requirements for any company that processes, stores, or transmits potentially sensitive information for the DoD, the General Services Administration (GSA), and other federal and state agencies. For the first time, via NIST 800-171, IT security compliance requirements apply to any company working in the federal supply chain, including prime contractors, subcontractors supporting prime contractors, and subcontractors working for other subcontractors.
NIST 800-171 focuses on providing guidance on the protection of Controlled Unclassified Information (CUI). CUI is any information that is created by the government, or by an entity on behalf of the government, which is unclassified but still needs to be protected.
Importantly, if your small business is unable to demonstrate compliance with NIST 800-171, then you will not be eligible to participate in the multitude of government contracts that require it. In short, by understanding the importance of NIST and taking the actions to achieve compliance, your company can open the door to a huge amount of new business.
Methods to Meet Compliance Requirements
NIST guidance allows companies to demonstrate compliance by one of three methods:
- Using an outside qualified vendor to conduct a NIST 800-171 IT security assessment.
- Performing an approved self-assessment and providing self-attestation.
- Combining these two methods in some way in an acceptable hybrid assessment process.
Subcontractors are required to demonstrate proof of their satisfactory IT security assessments to the prime contractor on the government contract. The prime contractors are ultimately responsible for proving to their government customer that all contractors and subcontractors involved in their project are in compliance with NIST.
Tasks Needed to Prepare for and Pass a NIST 800-171 IT Security Assessment
We have provided a list below of some of the tasks needed to prepare for and pass an IT security assessment. This will give your company an idea of the amount of effort it will take to complete this important process. One simple rule we recommend companies follow is to allot the proper amount of time and resources needed to carry out this comprehensive process.
- Determine if your network receives, processes, stores, and/or transmits CUI for the DoD or other relevant government agencies, and then comprehensively catalog the relevant components and subcomponents involved with CUI.
- Describe if and how the components working with CUI are separated from the rest of your network.
- List the types of CUI and the employees who have access to the information.
- Provide the content of existing system security plans and policies such as an Incident Response Plan, Configuration Management Plan, Network Monitoring Plan, Acceptable Use Policy, as well as service level agreements with IT vendors and cloud service providers.
- Prepare lists of hardware, software, and firmware, and gather any existing network architecture and facility diagrams.
- Gather results from any previous security assessments, audits, or penetration tests.
- Design a comprehensive schedule of meetings for IT staff and relevant personnel to plan and prepare for this IT security assessment as well as to execute the necessary tasks.
- Provide designated IT security points of contact and thoroughly train all employees.
- Most importantly, work closely with a trusted IT support partner throughout the entire process, as discussed in the next section.
Consult with an IT Security and Compliance Expert about NIST Compliance
If your company or organization wants to work in any way on contracts with the DoD or with many other federal and state government agencies, you will need to demonstrate compliance with NIST 800-171. We recommend that you work with an expert in IT security and compliance requirements, such as Network Depot, in order to successfully navigate this complicated process and prepare your company to meet all cybersecurity challenges. With the help of a trusted IT partner, your organization will fulfill NIST compliance requirements and be able to work effectively and securely on government contracts.