For government contractors working with agencies that handle highly sensitive data, your organization will almost certainly have had to demonstrate NIST 800-171 compliance in the past. Going forward, all organizations that provide services to the Department of Defense (DoD) will be required to meet the standards of the Cybersecurity Maturity Model Certification (CMMC). Below is an overview of what the two standards require and how to begin preparing for your upcoming CMMC assessment.
There’s a lot that goes into meeting the appropriate standards for NIST 800-171, and plenty of risks associated with a lack of compliance. So, how do you know if you’re compliant?
What is NIST 800-171?
NIST 800-171 is a set of standards created and published by the National Institute of Standards and Technology (NIST), a government agency formed in 1901. NIST has produced thousands of standards and special publications over the years. NIST 800-171 is simply one of the special publications it’s created – and it’s the one that specifically relates to government contractors’ compliance.
NIST 800-171 specifies the security requirements that any non-federal system storing, processing, or transmitting Controlled Unclassified Information (CUI) must meet. CUI is information that is not classified but that a law, regulation, or government-wide policy still requires to be safeguarded; it is treated as sensitive because of its relationship to a federal agency.
The five core functions below come from the NIST Cybersecurity Framework, a separate NIST publication often cited alongside 800-171. The 800-171 requirements themselves (Rev. 2) are organized into 14 requirement families, such as access control, awareness and training, audit and accountability, and configuration management; the five functions are a useful way to think about them as a whole:
- Identifying the systems, assets, data, and capabilities that handle CUI, and the methods used to manage cybersecurity risk to them
- Protecting CUI and the systems that handle it by using the appropriate safeguards
- Detecting threats through monitoring and other actions
- Responding to a cybersecurity event effectively
- Recovering any capabilities or services impaired as the result of a cybersecurity event
NIST 800-171 was first published in 2015. It builds on the Federal Information Security Management Act of 2002 (FISMA) and on the controls federal systems already follow under FIPS 200 and NIST SP 800-53, tailored for non-federal systems. The idea behind NIST 800-171 is to improve cyber hygiene by establishing a consistent set of requirements for protecting unclassified but sensitive federal information wherever contractors handle it.
The DoD's DFARS clause 252.204-7012 required contractors to have implemented NIST 800-171 by December 31, 2017. Other agencies, including NASA and the General Services Administration (GSA), have adopted the same standard through their own contract clauses.
Federal contractors working for any of these agencies are required to assess and document how they handle CUI, typically in a System Security Plan (SSP) with a Plan of Action and Milestones (POA&M) for any requirements not yet met. The documentation should cover, among other things:
- How your networks are configured
- How employees are trained in protecting CUI
- How physical hardware is protected
- How media is protected
What is CMMC compliance?
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base (DIB), including over 300,000 companies in the supply chain. The CMMC is the DoD’s response to significant compromises of sensitive defense information located on contractors’ information systems.
Previously, contractors were responsible for implementing, monitoring, and certifying the security of their information technology systems and any sensitive DoD information stored on or transmitted by those systems.
Contractors remain responsible for implementing critical cybersecurity requirements, but the CMMC changes the model by requiring third-party assessments of contractors' compliance with a defined set of mandatory practices, procedures, and capabilities. The model is designed to be updated as cyber threats from adversaries evolve.
CMMC certification will soon be a minimum requirement to be eligible for DoD contract awards, but this does not mean that contractors should view their cyber-compliance as “complete” once certification is achieved.
Contractors that foster a culture of cyber resiliency and flexibility within their organizations, in addition to obtaining CMMC certification, will be best positioned to compete in a marketplace that is less tolerant of accepting cyber-related risks.
Why does it matter?
Cybersecurity is at the forefront of most businesses’ minds. For the government sector, it’s even more pressing. Federal agencies have to worry about hackers trying to steal data or compromise a network for financial gain. They also have to protect against cyber warfare attacks – nefarious actions taken by terrorist groups, criminal organizations, and nation-states.
The United States federal government is a prime target for all types of cyberattacks. In 2018, the US was impacted by cybercrime more than any other country and faced costs of over $13.7 billion as a result. The US also spends billions every year to guard against cyber threats; the proposed federal cybersecurity budget for fiscal year 2021 is $18.78 billion.
CMMC matters because it helps to safeguard unclassified yet sensitive information. The reality is, data breaches in the government sector are all too common. Enforcing these standards across the supply chain makes it harder for attackers to reach government data through contractor systems.
What happens to government contractors who fail to meet compliance regulations?
Failing to meet these compliance regulations can result in reputational damage, loss of eligibility for contract awards, and difficulty winning future contracts. If your organization has shown that it can't provide adequate security, government agencies won't trust it with their information.
How can you ensure your organization is compliant?
The reality is, handling every nuance of CMMC is time-consuming. It can also be challenging if you don’t have cybersecurity experts on your team. To ensure your organization is compliant, partner with an IT services provider specializing in compliance for federal contractors.