Trust can be a precarious thing. One mistake could ruin it forever. You spend so much time and energy building trust with your customers, vendors, contractors, and partners, that the last thing you want to do is lose it, particularly over non-compliance. Believe it or not, record keeping and data handling is critical to maintaining that trust.
With the rapid increase in cybersecurity issues, and heightened awareness surrounding the topic, record keeping and data handling has become a focal point of the National Institute of Standards and Technology (NIST).
This non-regulatory agency created Special Publication 800-171 in an effort to improve the government’s own security when working with non-federal vendors and suppliers. The publication outlines specifically how to manage and protect controlled unclassified information (CUI).
Becoming compliant with NIST 800-171 and its 14 key security objectives is crucial - and the thousands of manufacturers in Connecticut must take notice as the deadline for compliance was December 31, 2017. The work it takes to become compliant can take several months to achieve. The sooner you focus on and begin NIST 800-171 implementation, the better.
Why does NIST 800-171 have such an impact on businesses in Connecticut and how can these companies address its requirements?
Want to determine if your business must comply with NIST 800-171? Take our quiz to find out now.
How NIST 800-171 Affects CT and its Manufacturers
Prior to the enactment of NIST 800-171, there was no universal law governing the protection of controlled unclassified information (CUI). Government contractors operated under their own security protocols. But without stricter guidance, government CUI was at great risk of loss or theft
Now, government partners that come into possession or contact with CUI must comply with the standards set forth in NIST 800-171. These tend to be non-federal organizations that work with government agencies.
One of the major sectors this publication affects is the manufacturing industry. Since it is home to 5,000 manufacturers who employ nearly 160,000 employees, Connecticut has a major stake in implementing NIST 800-171. According to CONNSTEP, Connecticut manufacturers produce nearly 13% of the state’s GDP, and many of these businesses rely on government contracts.
Entities that have contractual relationships with state agencies are now required to comply with NIST 800-171. Subcontractors that don’t work directly with state agencies must comply because they do so indirectly. Failure to implement these requirements could result in the loss of work and potentially a severance of contracts with these state departments.
One of the verticals most impacted by NIST 800-171 is also one of the larger drivers of economic prosperity in the state. 100-plus aerospace companies operate in Connecticut, many of which work very closely with the federal government. Connecticut has a great foundation for aerospace and manufacturing companies, and the state has maintained a focus on continuing to grow its manufacturing.
But the continued success of aerospace in Connecticut, as well as all other manufacturers in the state, depends on these businesses’ abilities to protect government CUI within the guidelines of NIST 800-171.
Implementing NIST 800-171 and the Most Common Issue
Compliance with NIST 800-171 can involve a thorough audit of company networks, systems, and processes. These efforts will help your business to be sufficiently secured, and that potential security issues can be properly addressed.
The reality of compliance implementation is that it’s almost never as quick as you’d like. The level of thoroughness cannot be understated. It may take several months to conduct an in-depth gap analysis as well as remediate any areas where non-compliance exists. The extent of the analysis will depend the size of the implementation and your business’ requirements. This diligence will help safeguard your business from the repercussions of noncompliance.
In addition to addressing the 14 control families within NIST 800-171, you must also be able to produce proper documentation. Even if you’re up to standards, failure to produce proper evidence and documentation of your entire NIST 800-171 compliance process could result in lost revenue, or worse. You’ll also need proper documentation if you need to settle any disputes.
However, documentation is often a weakness for organizations.
Some in-house cybersecurity professionals simply do not have the time necessary for auditable security documentation. Requiring a security analyst to write acceptable compliance documentation takes them away from tasks that protect your network.
This is why many organizations choose to seek out third-party compliance partners. Especially for inexperienced in-house security teams, working with a partner can help you avoid the potential downfalls of insufficient or nonexistent documentation.
That was the consideration for the University of Notre Dame. In An Introduction to NIST Special Publication 800-171 for Higher Education Institutions, the Higher Education Information Security Council outlined the decision at hand for the South Bend, Indiana university:
“The cost of implementing NIST 800-171 can be prohibitive. For example, Notre Dame maintains a segregated PCI DSS–compliant network for five merchants at a cost of well over $100,000 annually, an environment that is less burdensome to maintain than a NIST 800-171–compliant network. For institutions that may only have a handful of small, regulated research projects, justifying the costs of supporting a fully compliant NIST 800-171 environment may be difficult.”
The University of Notre Dame ultimately elected to hire a third party to minimize their costs, among other reasons, and develop its NIST 800-171 infrastructure based on its partner’s scripts. Working with this partner has not only helped them save money, but it also ensured that they will always stay up to date with their compliance needs.
Will You Need to be NIST 800-171 Compliant?
If your business is heavily reliant on government contracts, you’ll likely need to comply with NIST 800-171. But it’s not so obvious for some companies.
If you’re not sure whether your organization needs to become NIST 800-171 compliant, you can take our NIST 800-171 Self-Assessment Quiz to get a better idea if your organization may be impacted.
To take the quiz, simply click the button below.
