Whenever the government comes up with new compliance regulations, it becomes a headache for businesses, especially small ones, to comply in a timely manner. Fortunately, NIST 800-171 isn’t too complicated to comply with.
Fundamentally, the Department of Defense (DOD) wants businesses that handle Covered Defense Information (CDI) to take their IT and online security seriously. This regulation is a step DOD has taken to ensure that businesses safeguard confidential information effectively.
NIST 800-171 is a proposed framework that outlines how your information systems and policies must be set up to protect Controlled Unclassified Information (CUI). Here’s what you can do to ensure compliance with 800-171.
Preliminary Feasibility Assessment
First and foremost, you need to determine whether you and your IT staff are qualified to assess your business information systems and policies objectively. If you are, the next question is whether doing it on your own is worth the time, staff and money it will take.
If not, you can always outsource your IT DOD compliance to a company that can expedite the process, making the transition cheaper and faster.
Where to Begin
If you have decided to take on the IT compliance process yourself, follow the steps below:
- Identifying & Categorizing Information Systems
Carry out a thorough assessment and locate the information systems in your business network that hold CUI. This includes local storage such as SharePoint and CIFS file shares, cloud storage such as Dropbox or OneDrive, and even portable hard disks. Once you have identified every information system, categorize the specific files that meet the definition of CUI and separate them from information that does not qualify. This will help you demonstrate NIST 800-171 compliance to the relevant personnel or authorities in the event of an audit.
- Encrypting Data & Limiting Access
Next, you need to put access controls in place and enforce them, so that only authorized employees can access, view, download and share files containing CUI. Furthermore, assign expiration dates to files and folders that hold CUI so that access is withdrawn once a particular project or task has been completed.
Encrypt all of your data, whether it is in transit or at rest. This is a relatively simple way to add a further layer of security over your CUI, the information systems on which your data is stored, and the protocols that transmit your data. Encryption not only supports compliance; it also does not hinder authorized users who need to share files through information systems such as FTP, email, and other secure file sharing protocols.
- Training & Monitoring Employees
Regularly conduct formal, mandatory training for new and existing employees on the basics of information exchange governance and its best practices. Make sure that all of your employees understand the security risks of their day-to-day tasks involving CUI, and make them aware of the decisions that can put CUI at risk.
The next step is monitoring. Put measures in place so that you know who is accessing CUI and for what purpose. NIST 800-171 authorizes businesses to monitor the actions of individual users so that those actions, intentional or unintentional, can be traced for accountability purposes.
- Have an Incident Response Plan in Place
An Incident Response Plan simply outlines your reaction protocol in the event of a cyber-attack or insider investigation. This is the step where businesses usually become overconfident, only to find out later that the entire process should have been outsourced in the first place. Your Incident Response Plan makes it easier to identify and document issues.
Being NIST 800-171 compliant is mandatory for businesses that are DOD contractors or subcontractors to a DOD contractor. You first need to decide whether to run the compliance process in-house, spending your own resources, or to outsource it to a service provider that specializes in this area.
Bringing small businesses up to DOD’s 800-171 compliance requirements does not have to be a headache. Contact Roan Solutions for more information.