How Can Small Defense Contractors Keep Up With NIST Compliance?
Kraft Technology Group helps small defense contractors with NIST compliance. Our compliance experts will help you understand NIST, CUI, CDI, and CMMC.
Should Small Defense Contractors Be Concerned About NIST Compliance?
A small defense contractor needed to meet NIST compliance and reached out to Kraft Technology Group for assistance. Like most, they provide technical services for different Department of Defense military clients.
Sometimes the request is for help creating a system security plan (SSP) for their NIST compliance. Other times they are concerned about the storage or platforms they use, or about other areas from the NIST 800-171 Risk Assessment Checklist.
Unfortunately, we hear many mistaken beliefs and assumptions about NIST compliance from our clients. When we consult with each contractor, we guide them through the compliance process, and quite often we find the same mistakes being made by small defense contractors.
What Are Some Common NIST Mistakes We Uncovered?
Assuming Your Organization Does Not Have CUI
Controlled Unclassified Information is everywhere: contract language, documentation, technical drawings, etc. The CUI categories are broad and far-reaching, so make sure you are 100% clear on what CUI exists in your organization.
Not Understanding the Various Requirements
NIST 800-171 is designed to help you defend against, detect, and respond to attacks in your IT environment. DFARS 7012 builds upon NIST 800-171 by requiring all cloud providers to be FedRAMP Moderate and by imposing additional obligations (clauses (c) through (g)). NIST 800-171 and DFARS 7012 are not the same thing.
Assuming Deadline Leniency Will Be Granted
Many small defense contractors make that mistake because NIST is so complicated. Unfortunately, every defense contractor or subcontractor must be compliant at all times. Never assume that you’ll be granted a grace period or leniency.
Rushed Technology Implementations
Some NIST controls are met with technology, others require the right processes or policies, and some require both. If you haven't rigorously evaluated your business processes, you could be wasting time and money on unnecessary technology implementations and still not become genuinely compliant.
Failing To Designate Specific Responsibilities
Don’t make the mistake of assuming a given security responsibility will get handled just because your team knows about it. The foolproof way to make sure something gets done is to assign it, by name, to a specific person. It removes the assumptions, guesswork, and other risks that you can’t afford when it comes to NIST.
Documentation That Lacks Crucial Details
This is one of the most common mistakes made when it comes to NIST compliance. A detailed Plan of Action and Milestones (POA&M) and a System Security Plan (SSP) are both fundamental parts of NIST compliance. One cannot cut corners when developing this documentation.
Overlooking The DFARS Clause Flow-Down To The Supply Chain
Remember that every vendor in the supply chain is considered a potential vulnerability when it comes to the Defense Industrial Base. That is why the DFARS clause flows down the supply chain to each of them. Be sure to double-check that your subcontractors are adequately secure to avoid inheriting their risk.
Delaying The Incident Response Plan
It's easy to hope that you won't be hit by an incident that requires a planned response, but the fact is that you never know. With as much at stake as there is in NIST compliance, it's better to be safe than sorry. If DFARS is part of your compliance requirements, you must notify the government immediately of a breach, and a plan written in advance is what makes that possible.
Overlooking The Cloud
Remember that your email, software-as-a-service implementations, and cloud-based data are all still within your compliance boundary if they store, process, or transmit sensitive data. You must make sure all of your cloud service providers are FedRAMP-authorized and in line with NIST.
Ignoring How and Where Data Is Stored
As with the cloud, you have to know where data is stored, where it is accessed from, and who has access to it. Every link in this chain could trigger legal obligations. Take inventory of your servers, data centers, vendors, and staff members, recording the permissions and access levels of each.
Are You Concerned About Your NIST Compliance?
If you are a small defense contractor, are you concerned about your NIST compliance? If so, Kraft Technology Group is here to help you. We are open for consultations 24/7.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.