Which Of My Systems Need To Be Covered?
You are a private organization that provides services to the federal government. This lucrative relationship means that you are subject to oversight and regulations that you would otherwise avoid in traditional business transactions. These services, by default, involve controlled unclassified information (CUI) and covered defense information (CDI). How can you know whether your systems are in compliance with these regulatory requirements?
Avoid Losing Federal Contracts: Protecting Information Systems To Remain Compliant
When your information systems process, store, or transmit information in the course of work for the federal government, your organization is required to comply with federally mandated security protections.
Federally awarded contracts require full compliance with these security regulations or contracts will be cancelled.
Where CDI is concerned, the federal government takes security seriously – unsurprising given this is the same entity that oversees national security. The good news for private organizations that are government contractors is there is a resource available that both outlines these regulations and details how information systems can be compliant. The National Institute of Standards and Technology (NIST) helps government contractors navigate the complexities of remaining compliant – and what information systems are involved.
NIST outlines basic security requirements in publications specific to the topic at hand. NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations”, covers the security standards and controls that guide the safeguarding of CUI and CDI in organizations whose routine operations involve this information. Government contractors commonly have difficulty determining which of their systems process CDI, and for this reason they often cannot tell which systems are out of compliance.
The Nuts and Bolts of Compliance
The most straightforward way to determine whether your information systems need to be compliant is to understand the most basic level of information that is stored, processed, or transmitted by each system. Controlled unclassified information is anything that should be protected from being made public but is not sensitive enough to require a security clearance. This includes any of the following categories of information.
Personally Identifiable Information (PII)
Any information that can identify a person, or that can be used to steal a person’s identity, is protected under NIST 800-171 compliance requirements. Legal documents, records of financial transactions, payment details like credit card numbers, health or medical records, and names and contact information are all examples of personal information that should not be made available to the public.
This category is separate from the PII financial information outlined above, and includes more sensitive details associated with businesses, like corporate financial records, tax documents and information, human resources benefits, and payroll records. While the PII category covers personnel details as they relate to individuals, some of that same information can fall here, depending on its nature. Regardless, these details need to be protected under NIST 800-171 compliance requirements.
Proprietary Corporate Information
Information in this category that is divulged to the public could negatively impact a business, and it’s for this reason it needs to be protected – especially when the information involves the federal government. This also includes vendor and partnership agreements, contracts, sales and acquisition documents, logistics and procurement documents, and – growing more important in recent years – safety planning and contingencies. Taking steps to meet NIST 800-171 requirements is the surest way to prevent this information from being divulged to the public.
Protected intellectual property includes information like building plans and blueprints, architectural designs, engineering reports, and research and development (R&D) details. Building plans, blueprints, and architectural designs also raise a safety issue, with regard to the physical security of a geographical location.
Arguably just as – or more – important than the other categories of information, any details regarding the IT security controls and processes in place to protect data should be safeguarded. Cyber security measures offer critical protection for a business against threats, but the plans and details about these security efforts are just as important as the measures themselves: an attacker who knows how a system is defended knows where to look for gaps.
Another important element to keep in mind is that these requirements apply not only to data storage, but also to peripheral hardware like routers, switches, desktop and laptop computers, tablets and other mobile devices like smartphones. In fact, NIST 800-171 recommends controlled and restricted use of mobile devices when any of the above categories of information are involved.
NIST 800-171 generally outlines the rules with which businesses working with the federal government will need to comply in order to obtain new or retain existing federal contracts. Since the bidding process includes investigation for compliance and remediation where necessary, review and documentation of compliance are important steps. Rather than risk relationships and profitability, most contractors partner with compliance consultants that can guide contractors through the process to ensure compliance and prevent expensive missteps.
Have You Budgeted Enough For Compliance?
A contract with the federal government can be a lucrative opportunity, especially for smaller private businesses, but if you’re facing a fixed budget with small margins, it’s in your best interest to perform a full review of your existing infrastructure to ensure you’re fully equipped and positioned to maximize profitability.
Most of the time, information that can fit into any of these categories doesn’t need to be classified as sensitive enough to require a high level of security clearance, but that doesn’t mean it should be publicly visible or accessible by the public. What this means, as NIST 800-171 states, is that contractors need to make a complete review of all information systems where this information is stored, processed, or transmitted and review security measures in place to protect this information for each type of instance.
Review of Infrastructure
Your infrastructure is critical to your operations, and is what your teams rely on for every aspect of each of their respective roles. Sales, accounting, human resources, IT, customer service, and administration – and more – depend on technology, whether these teams are comprised of hundreds of staff or just a handful of individuals fulfilling more than one function.
Information systems infrastructure includes:
- Computer hardware, like desktop and laptop computers, servers, and peripherals like speakers and external hard drives.
- Computer software and applications, like operating systems, productivity apps like Microsoft Office 365 for word processing and email communications, and the software on which departments rely for their processes, like payroll software.
- A network, the invisible communication system that links all hardware and software together within one organization so that each component can communicate with the others and share information and files as needed.
Review of Cost and Manpower
With the outline of the information that needs safeguarding as required by NIST 800-171, and a detailed review of your existing information systems, you can determine the internal costs to maintain and support your technology by asking some important questions:
- How often will your hardware need upgrading?
- How will you ensure installation of security patch updates for your software?
- How will you guarantee 24/7 protection of your network?
These are just a few of the critical issues you’ll need to address regarding NIST 800-171 compliance.
Will Your Budget Allow Compliance?
This question is two-fold:
- Are NIST 800-171 compliance requirements within your budget?
- Will your budget allow for the ongoing technology maintenance and support you’ll need to remain compliant?
There are many technology firms that offer compliance consulting services, complete with a technology audit to determine weaknesses and vulnerabilities that need to be addressed to meet compliance requirements. Securing the services of a compliance consultant removes the confusion and questions from the process, ensuring a better outcome than simply trying to navigate the murky waters of security requirements compliance.
Budget-Friendly Compliance Options
Private organizations that contract with the government and are subject to NIST 800-171 regulations have an alternative that will both ensure compliance and avoid struggling with a tight budget and low profit margins.
In the case of a lowest price technically acceptable (LPTA) contract, where the government chooses a contract bidder based on the lowest price for which it can reasonably expect to receive services at the best value, profit margins are extremely low and cost is a major consideration for the contractor. Thus, the contractor faces added pressure when considering the budget and compliance issues expressed here.
Partnering with a technology firm that offers NIST 800-171 compliance consulting and is a managed IT services provider (MSP) holds the most promise. An MSP performs ongoing support and maintenance for IT systems for a low monthly fee, as opposed to staffing an IT department with enough individuals to get the same level of attention and service. MSPs typically offer cyber security protection services, as well, ensuring you are protected from the triple threat:
- IT Security
Considering your budget and your contract, doesn’t it make sense to partner with a technology firm that protects your information systems from every angle?
Do You Understand The Requirements But Struggle to Comply?
You’ve been awarded a contract to provide services to the federal government – now what? For many private businesses, this is the culmination of months, possibly years, of effort. While the opportunity has the potential to be a profitable relationship, the contract comes with complex requirements with which you must comply. Here’s the best way to navigate the layers of complexity.
Partnering To Remain Compliant
While NIST 800-171 covers what CUI should be protected, there are additional factors contractors need to consider to remain compliant, including technology and, more specifically, where there may be vulnerabilities.
A thorough review of IT systems where information may be stored, processed, and transmitted will include IT components such as:
- Computer hardware, including desktop and laptop computers, servers, and external hard drives.
- Computer software, including productivity applications like Microsoft Office 365, and computer operating systems, as well as software platforms that teams use to share files and information.
- Corporate network and infrastructure.
- Computer peripherals like speakers, USB web cameras, and headphones.
- Security measures in place, like antivirus programs, and also firewalls and protections to safeguard systems and data from external threats and breaches.
Perhaps what contractors find most confusing is that while NIST is the body that releases the publications used for regulatory compliance, NIST does not itself issue certifications of compliance; instead it guides contractors through a self-attestation process. To be clear, the contract bid process can include phases where documentation is requested to show the steps taken to become NIST 800-171 compliant, which is a further reason for contractors to retain complete documentation of their compliance measures – all of which places the responsibility solely on the shoulders of the private organization awarded the government contract.
Which is more confusing?
- Navigating the complex guidelines to which a business must adhere
- Discovering the process by which you become compliant
- How a contractor needs to document compliance efforts
The answer is, all of the above.
Once private businesses have taken the steps to research the requirements and understand the details of how to become compliant, taking the first step into action poses an even greater challenge, followed quickly by the realization that you don’t have the time or resources to dedicate. Compliance processes can seem overwhelming – but not to compliance consultants, who live and breathe compliance and can simplify the process into easily digestible steps while working with contractors to ensure you meet compliance requirements.
Partnering with a compliance consultant is the smartest first step you can take. Compliance consultants are an excellent resource for businesses contracting with the government to make sure information systems are fully compliant with federal requirements, whether the business is just entering the contracting realm or is amid ongoing contracting relationships. Compliance consultants review existing technology, identify areas that need an overhaul, develop formal plans to become compliant, and outline policies to maintain ongoing compliance, saving you time and money.
Did you know that not being compliant can cost you more than just a fine?
Contracts can be cancelled if compliance is jeopardized. Don’t risk forfeited revenue to save the cost of a compliance consultant. Partnering with a compliance consultant will achieve compliance more quickly, proving their value from day one and giving you the time to focus on your core business processes.
“Why did we wait to partner with a compliance consultant?”
Don’t be the contractor who kicks themselves for wasting time and money scrambling to get up to speed on NIST 800-171 compliance while your competitors are seizing the moment and are prepared in far less time. Especially in cases where margins are low and budgets are tight, like with a lowest price technically acceptable (LPTA) contract, you don’t have time to lose or resources to waste.
The 14 Families Of Security Requirements
Meeting the security requirements outlined in NIST 800-171 means compliance with regulations surrounding 14 control families. Addressing each of these in a security policy is only possible once you understand what each control family encompasses.
Does Your Security Policy Cover The Security Requirements For Compliance?
Specific security requirements are outlined in 14 control areas, further broken down by category and processes for how to handle different areas of security.
1. Access Control
This area governs access to the IT environment where the types of information are stored, processed, or transmitted, controlling and monitoring access to systems and data. This includes:
- Control the flow of CUI within the contractor’s organization
- Control and restrict access by mobile devices
- Encrypt CUI when it is accessed by mobile devices
- Monitor and control remote access
2. Awareness and Training
Ensure, through proper and ongoing training, that all of the contractor’s team members are advised of the security risks, aware of how their own actions and activities affect the information in question, and familiar with the security policies that the regulations require.
3. Audit and Accountability
NIST 800-171 requires solid record-keeping to meet the audit and accountability standards outlined by NIST, including logging unauthorized activities and responding to them immediately:
- Review logged events routinely
- Report gaps and failures in the logging process
4. Configuration Management
This control focuses on establishing and maintaining a baseline of configurations for controlling and monitoring user-installed software, and for tracking changes made to the contractor’s systems, including:
- Restrict access to defined areas as outlined in Access Control, and amend configurations based on activity found after changes to IT systems
- Blacklisting unauthorized software
- Restricting or disabling the use of programs that are not essential on contractor systems
5. Identification and Authentication
Contractors are required to prevent unauthorized access to critical information systems to prevent threats and reduce risks. To prevent unauthorized access, verify access using a few best practices:
- Use multi-factor authentication to verify the identity of users accessing information
- Disable inactive users after a defined period
- Establish a strong password policy, with requirements for password length, uppercase and lowercase letters, numbers, and special characters
6. Incident Response
Incident Response has its own control family because of the gravity of the need. Incidents that have the potential to cause a data breach where CUI is concerned, or to result in lost productivity or system downtime, require a prompt response, and one that is immediate. While the goal is to never need it, an Incident Response Plan must be established, and reviewed and updated regularly.
7. Maintenance
Ineffective information system maintenance can result in costly downtime or the disclosure of CUI, a threat to the confidentiality of CUI. Routine maintenance is required to remain NIST 800-171 compliant, with guidelines to keep in mind:
- Ensure maintenance staff are effectively trained and performing to meet requirements
- Confirm that any removed hardware or equipment does not contain CUI
8. Media Protection
Review and guarantee the security of media that contain CUI, whether physical or digital, with safeguards in place including controlled and limited access to media. Additionally, sanitize or review media prior to discarding it, and prohibit the use of portable storage devices, like USB memory drives, unless they are the property of the contractor.
9. Physical Protection
Contractors must provide sufficient protection to any hardware, software, and networks that store, process, or transmit CUI from physical damage.
10. Personnel Security
Monitor user activity so that information systems that store, process, or transmit CUI are protected in cases of data transfers between personnel, or staff terminations.
11. Risk Assessment
IT environment risk assessments are routine in any organization, but where CUI is concerned, NIST 800-171 requires contractors to evaluate potential risks as part of a larger-scale effort to safeguard CUI. These risk assessments include vulnerability scans and remediation of the findings.
12. Security Assessment
Contractors must monitor the IT environment and security controls in place to verify the effectiveness and modify and improve where necessary. Additionally, this control group requires detailed documentation for information system relationships and procedures for security processes and contingency plans.
13. System and Communications Protection
As the name of this control group implies, this set of security requirements addresses information that is transmitted or received within the information system, including protections to prevent unauthorized transfer of CUI, deny unauthorized network communications traffic, and monitor the use of VoIP technologies to prevent CUI disclosure.
14. System and Information Integrity
You are required to quickly identify and correct information system flaws and to protect assets from malicious activity, such as cyber-attacks or viruses.
Contractors must be aware of, and address, all of these control families in their security policies. If contractors are new to NIST 800-171 or need assistance developing a security policy, partnering with a compliance consultant can help you create and maintain a security policy that meets the requirements for regulatory compliance.
Are Your Subcontractors in Compliance?
Don’t Let Your Subcontractors Jeopardize Your Government Contract
While the federal government is the single largest employer in the United States, it’s still impossible to maintain the level of qualified staff to carry out every task, nor does the government have the capacity for oversight of all operational tasks. For decades, the solution has been to contract tasks and projects out to private organizations, external contractors to supply the government with additional labor to perform an immense volume of operations.
Governmental departments work with dozens of contractors; the Department of Defense (DoD), for example, contracts out mission-critical projects that relate to national security. In fact, there are now several organizations in the private sector whose primary purpose is to fulfill contracts awarded by the government. Adding another layer of complexity to this arrangement is that contractors can subcontract out parts of the project.
Subcontracting is a way to fulfill contracts with maximum efficiency and in the most cost-effective manner, with the focus of getting the most qualified hands on the job. While this process may seem to complicate the job at hand, the federal government not only realizes how common the practice is but recognizes it as a great way to reduce costs and boost productivity. The challenge in contracting – and subcontracting – is that control of the tasks is given up entirely, but there are safeguards in place for information and to make sure sensitive data is protected. NIST, itself a governmental body under the U.S. Department of Commerce, outlines security measures for all organizations that bid on government contracts through a series of publications categorized by industry.
NIST covers many areas of safeguards, including the most basic technology requirements, while declaring that a critical function is to anticipate the future. Technology exists to simplify and improve our lives, but without regulation, oversight, and compliance, the DoD is aware that uncontrolled technology can put American lives in peril and potentially expose sensitive information. It’s because of this that the DoD has added its own basic set of security controls, the Defense Federal Acquisition Regulation Supplement (DFARS).
NIST 800-171 details the safety measures contractors are required to take in order to protect controlled unclassified information (CUI), outlining more than a dozen basic areas of security for CUI and giving contractors a baseline to follow. These security control families don’t discriminate: contractors and subcontractors alike are expected to meet compliance requirements for areas including:
- Access control
- Awareness and training
- Identification and authentication
- Incident response
- Risk assessment
- Physical protection
DFARS adds further layers of protection, safeguarding covered defense information (CDI), including:
- DoD-defined controlled technical information
- Military operations security information
- Export-controlled information, such as nuclear or biochemical information
- Anything else specified within the contract
What does all of this mean for me?
Basically, while contractors might have absolute confidence in their own NIST 800-171 compliance, the question is whether your subcontractor meets the compliance requirements. Contracting with the government comes with the burden of proof of compliance, but subcontracting part of a project, or an entire project, doubles that burden, since the original contractor:
- Is the contract holder with the federal government
- Has entered into an arrangement with an external party who must meet the same compliance requirements as the original contract holder
Contractors do not gain certification from the government based on NIST 800-171 compliance and must self-attest that compliance requirements are met. The bidding process includes investigation for compliance and remediation where necessary, but does not take into account subcontracting arrangements. Navigating NIST 800-171 and DFARS regulations and compliance is a complex and challenging – but necessary – step in the process; otherwise contractors risk losing the contract and face potential fines. Partnering with a compliance consultant who can guide you through the process minimizes ramp-up time and ensures full compliance through working with a knowledgeable team that understands the layers of requirements, preventing costly mistakes.
NIST and DFARS requirements are in place so contractors don’t take unnecessary risks where national security is concerned. Detailed processes and protocols outlined for contractors focus on technology and security so contractors can maintain these lucrative relationships and be awarded future contracts to continue to provide services to the federal government.
Contact KTG at (615) 600-4411 or using our Contact Us form today to find out more about a NIST 800-171 Compliance Assessment and to see how you can benefit.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.