The National Institute of Standards and Technology (NIST) is known for its NIST Cybersecurity Framework, a set of voluntary best practices aimed at strengthening the protection of our nation’s critical infrastructure. Since NIST first unveiled the framework in 2013, it has been viewed as the standard model for cybersecurity by industries well beyond critical infrastructure.
Now the U.S. Department of Defense (DoD) is raising the bar by mandating that all contractors who work on DoD projects comply with the special publication NIST 800-171, a set of cybersecurity requirements aligned with 14 key security categories. The mandate aims to protect controlled unclassified information, meaning information that, while not classified, is still sensitive, such as citizens’ social security numbers, mothers’ maiden names, contact information, addresses and more. If contractors do not implement the requirements, they could lose their DoD contract, which in some cases may equate to a loss of millions of dollars and hundreds of jobs.
The good news for contractors is that the DoD recently extended the compliance deadline. Instead of demonstrating compliance by Jan. 1, contractors must have shown by that date that they have a plan to comply. Large contractors should already have many of the required controls in place due to cybersecurity compliance mandates of the past. Smaller contractors, however, may struggle due to a lack of budget, manpower and overall security maturity. Either way, I expect NIST 800-171 to span the federal government in the near term, which is why cyber leaders within all sectors should know what it entails.
Within the 14 categories, the mandate includes 110 security controls, some of which focus on access control, awareness and training, identification and authentication, configuration management, risk assessment, and system and information integrity. They include action items such as patching critical vulnerabilities within 90 days, encrypting all systems with high-level data sets, conducting risk assessments, managing access to sensitive data, monitoring user behavior and developing an insider threat program. Similar to the NIST Cybersecurity Framework, 800-171 leverages a risk-based approach to security remediation; that means understanding which applications and systems are the most sensitive, where those assets live and move, who accesses them and how they access them, and prioritizing vulnerabilities and threats to those assets based on the risk they pose to the organization.
Some prime contractors and many subcontractors already struggle to understand their assets. Sensitive data typically sits in silos across their environments. Some data may have protections around it; others may not. Some data may be tagged correctly; some may not be tagged at all. Users who interact with one sensitive database may be monitored; those who interact with another may not be. Many contractors do not have a way to bring the data together so they can see within minutes, in one view, the status of their cybersecurity and compliance posture. As a result, they rely on manually filling out spreadsheets—a process that may take six months to a year to complete, rendering the data meaningless. If one person fills out a section of a spreadsheet in 2017 but the entire spreadsheet isn’t completed and turned in until 2018, the data is well out of date.
To overcome these challenges, contractors must view their environment through the eyes of risk. They should identify which assets are the most sensitive—those that, if compromised, would impact the mission the most—and prioritize protecting those assets first. They should implement a process or technology to bring the siloed data together in an automated fashion so that everyone sees the same set of data and can understand their compliance and security posture at any point in time. They should apply User and Entity Behavior Analytics (UEBA) to detect and prioritize behaviors that are putting the most sensitive data at risk. They should integrate UEBA with technologies such as data loss prevention and multi-factor authentication that prevent sensitive data from getting into the wrong hands. They should encrypt all sensitive data at rest and in motion.
While these recommendations may scream dollar signs, which can be a burden particularly for smaller contractors that lack budget, there is a way to keep the costs down. Again, it boils down to risk. By investing resources, budget and manpower in only the most sensitive assets—those systems and applications that could damage the mission the most and fall under the NIST mandate—contractors can focus their spending. More importantly, they will reduce risk to the assets that matter most so when there is a compromise, it will cause minimal damage.
So, as they work on complying with NIST 800-171, contractors should ask themselves, “Am I applying patches based on the amount of risk the vulnerability poses to the mission? Am I aware of the riskiest actions my employees are taking that need immediate mitigation? Am I prioritizing threats and vulnerabilities based on impact to the mission if the asset at risk were compromised? Who are consistently my riskiest subcontractors?” Those are risk-based questions that lead not only to compliance but also to better security. And as with most NIST frameworks, better security is what 800-171 aims to achieve.