Heather Engel, Chief Strategy Officer at Sera-Brynn - These regulations cast a wide net and impact manufacturers, research organizations, colleges and universities, and cloud services; and the scope is expected to grow in 2018 as the government regulations expand.
VIERA, Fla. (PRWEB) June 07, 2018
NIST 800-171 compliance is a significant problem for US DoD contractors and subcontractors. NIST SP 800-171 is about the protection of Controlled Unclassified Information (CUI) resident in non-federal systems and organizations. That protection is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. The NIST 800-171 security requirements are required to safeguard Controlled Unclassified Information (CUI) and are flowed down through contracts via DFARS clause 252.204-7012.
DoD DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is now included in US Government contracts and requires the contractor to implement a NIST 800-171 compliance program. The clause also requires the contractor to flow it down to subcontractors whenever subcontract performance will involve covered defense information, including subcontracts for commercial items, so NIST 800-171 compliance is mandatory for those subcontractors as well.
The solution CVG Strategy recommends is to use an Information Security Management System (ISMS) based on the ISO 27001 family of standards. When it comes to ISMS certification, ISO 27001 is the "must have" solution. It is a globally recognized certification that reassures customers, partners and clients that the security of the information a business holds is managed in a structured and secure way.
But not everyone who handles CUI data is certified to ISO 27001; all we can ask is "why not?"
There is no denying that the word “certification” can strike fear within an organization, but this fear is often borne from misconceptions and misunderstandings of the certification process.
Companies required to comply with this clause must implement the NIST 800-171 requirements; the route CVG Strategy recommends is to implement an ISMS using the ISO 27001 standard and get certified.
Four Key Benefits of ISO 27001 Implementation for a robust NIST 800-171 Compliance Program:
1. Complying with legal and regulatory requirements
It might seem odd to list this as the first benefit, but it often shows the quickest "return on investment": if an organization must comply with various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organization), then ISO 27001 brings in a methodology that enables it to do so in the most efficient way.
2. Marketing edge
In a market that is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of your customers. ISO 27001 can indeed be a unique selling point, especially if you handle clients' sensitive information.
3. Lowering the expenses
Information security is usually considered a cost with no obvious financial gain. However, there is financial gain if you lower the expenses caused by incidents. You probably do have interruptions in service, occasional data leakage, or disgruntled employees. Or disgruntled former employees. The truth is, there is still no agreed methodology or technology to calculate how much money you would save by preventing such incidents. But it always sounds good if you bring such cases to management's attention.
4. Putting your business in order
This one is probably the most underrated: if your company has been growing sharply for the last few years, you might experience problems such as who has to decide what, who is responsible for certain information assets, who has to authorize access to information systems, etc.
CVG Strategy's cyber security experts are certified ISO 27001 Lead Auditors and are ready to help companies either implement their own ISMS (Information Security Management System) or use CVG Strategy's own ISMS as a second-site, subscription-based solution. Contact us for more information on NIST 800-171 compliance help.