Robert, Senior Consultant, Information Security Services, United States
Until CMMC 2.0 and NIST SP 800-171 Revision 3 are released, which will probably be in late 2024, the best action item for a defense contractor right now is to make sure it is compliant with NIST SP 800-171 Revision 2, the revision current contracts are assessed against. That may sound easy enough, but what exactly does it entail? How do you become NIST 800-171 compliant?
There are two ways to answer the compliance question. The short answer is to assess your environment against each of the NIST 800-171 requirements (NIST SP 800-171A supplies the assessment procedures), record the results and the gaps in a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M), and then remediate the gaps the assessment reveals.
The longer answer involves going into more detail about the NIST 800-171 controls, the NIST 800-171 assessment procedure, and what might be involved in remediating the gaps you come upon.
As you contemplate NIST 800-171 compliance, it is important to know that Revision 2 contains 110 security requirements (commonly called controls), divided into fourteen families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
You might be thinking that some of these look similar to ISO 27001, and you would be correct. There are several parallels between the standards in terms of approach and structure. However, ISO 27001 specifies a general-purpose information security management system (ISMS) covering an organization's information assets broadly, while NIST 800-171 is scoped specifically to the protection of Controlled Unclassified Information (CUI).
Assessing where your company stands against the NIST 800-171 controls can be a heavy lift in terms of time, which is why it can be beneficial to partner with a third-party assessor such as Smithers Information Security Services. NIST publishes the assessment procedures (NIST SP 800-171A) in spreadsheet form, and working through them makes clear that no two companies are likely to have the same compliance experience. For example, your assessment may reveal that your company needs to significantly increase employee training in CUI protection and proper handling. Another company may instead need to address physical security and access concerns that require an overhaul of how employees work. Some companies will find that becoming NIST 800-171 compliant requires large investments, while others may already have a solid infrastructure in place that avoids those expenses.
In short, the only single answer to the question of how to become NIST 800-171 compliant is to complete an assessment and then fill the gaps.
Although each of these standards covers a different niche, a company that is already ISO certified can get a good start on the NIST 800-171 journey.
ISO 9001 is an overarching quality management system standard. Among other benefits, certification helps ensure that the company's management is fully engaged, which is necessary for NIST 800-171 compliance.
ISO 27001 builds on ISO 9001 with an information security management system (ISMS) structure. As mentioned above, an ISMS is not the same thing as CUI protection, and an ISO 27001 certificate is not a substitute for a NIST 800-171 assessment, but an organization that has earned it will already have many of the controls under the NIST 800-171 umbrella in place.
If you have any questions about your organization's current ability to comply with NIST 800-171, schedule a meeting today to talk to one of our cybersecurity experts.