Author: Reggie Hall
Date: 20 July 2018
Is your business a hacker's dream? You may think you are too small to catch the attention of attackers, but the statistics tell a different story. According to Cybint, 43 percent of cyber-attacks target small businesses. Now more than ever, it is important to fortify your cybersecurity defenses so they can withstand an attack.
As a security benchmark used by the civilian US government and Department of Defense, NIST compliance is a critical issue for small businesses. Haight Bey and Associates offers NIST 800-171 compliance assessments to help companies better understand where they are in the compliance journey and the steps they need to take to meet their compliance requirements.
If you think a bare-bones cybersecurity solution is adequate, think again, because there is a new cyber sheriff in town: the Defense Contract Management Agency (DCMA) Quality Assurance Specialist.
During one of our recent assessments, a client mentioned that a DCMA Quality Assurance Specialist had dropped off a contract clause checklist covering their DFARS compliance. The checklist covered the disclosure, safeguarding, and reporting of cybersecurity incidents. Any DoD contractor or subcontractor that processes Controlled Unclassified Information (CUI) is subject to the same NIST SP 800-171 requirements and should be prepared for a DCMA Quality Assurance Specialist visit.
What are the NIST SP 800-171 Requirements?
The paragraphs quoted below are DFARS contract clause language (DFARS 252.204-7009, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information). They restrict how a contractor may use and share cyber incident information; the technical security requirements themselves are defined in NIST SP 800-171, whose requirement families are listed after the clause text.
(1) The Contractor shall access and use the information only for the purpose of furnishing advice or technical assistance directly to the Government in support of the Government’s activities related to clause 252.204-7012, and shall not be used for any other purpose.
(2) The Contractor shall protect the information against unauthorized release or disclosure.
(3) The Contractor shall ensure that its employees are subject to use and non-disclosure obligations consistent with this clause prior to the employees being provided access to or use of the information.
(4) The third-party contractor that reported the cyber incident is a third-party beneficiary of the non-disclosure agreement between the Government and Contractor, as required by paragraph (b)(3) of this clause.
(5) A breach of these obligations or restrictions may subject the Contractor to –
i) Criminal, civil, administrative, and contractual actions in law and equity for penalties, damages, and other appropriate remedies by the United States; and
ii) Civil actions for damages and other appropriate remedies by the third party that reported the cyber incident, as a third-party beneficiary of the clause.
(c) Subcontracts. The Contractor shall include this clause, including this paragraph (c), in subcontracts, or similar contractual instruments, for services that include support for the Government’s activities related to safeguarding covered defense information and cyber incident reporting, including subcontracts for commercial items, without alteration, except to identify the parties.
NIST SP 800-171 provides detailed lists of security requirements that contractors must implement to meet the standard. The requirements are grouped into 14 "families":
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
In practice, DFARS cybersecurity compliance means implementing three things:
- Develop and approve an 800-171-based System Security Plan (SSP) that documents how each requirement is met
- Develop and execute a Plan of Action and Milestones (POA&M) that tracks every requirement not yet met, with an owner and a target date
- Develop and implement a cyber incident reporting capability (DFARS 252.204-7012 requires that incidents be reported to DoD within 72 hours of discovery)
Our cyber security experts at Haight Bey can help with all three.
Feeling Overwhelmed? Don’t Panic! Let Haight Bey Help
When it comes to addressing NIST compliance, a knowledgeable IT manager alone is rarely enough. It is a huge undertaking, requiring a specialized toolkit and step-by-step guidance. Our cybersecurity compliance solutions are built with small businesses in mind, so you can rest assured that we will help you meet the compliance requirements in the least painful, most affordable way.
Don't settle for bare-minimum compliance, or worse, stick your head in the sand and leave yourself vulnerable to cyber-attacks and data breaches. If your organization is subject to NIST SP 800-171 requirements, call us to set up an appointment to discuss a security assessment. We are based in Utah, but we are able and willing to provide our services anywhere in the world. Contact us today to receive a free estimate. Remember, a strong defense is a winning strategy!