DoD Contractor Cyber Security Compliance

NIST 800-171

Cyber Security & NIST 800-171 Compliance

Find out if you are required to meet NIST 800-171 Compliance Standards – Answer these 8 questions:

1) Does your company handle Department of Defense data on non-Government computers?

YES – Your company must have a plan for compliance by 12/31/17.

NO – There are many types of applicable information. Check the Controlled Unclassified Information Registry to be certain.

2) Does your company plan on doing business with the Department of Defense in the future?

YES – This requirement now appears in all Department of Defense solicitations including references to Safeguarding Covered Defense Information and Cyber Incident Reporting.

NO – Do your customers do business with the DoD? If so, these requirements might impact you as a subcontractor.

3) Is your company part of a Department of Defense supply chain?

YES – The requirements flow through the entire subcontractor chain and attackers will go after the weakest link, endangering the whole chain.

NO – The requirements flow through the entire subcontractor chain. Make sure that your customers do not serve the Department of Defense. You should consider taking steps to protect your business even if you are not required to.

4) Does your company do business in the cloud or outsource IT services?

YES – You are responsible for making sure your service providers are compliant. The controls apply to access control, media control, and workforce training, not just data processing and storage.

NO – You are responsible for protecting covered data at all points.

5) Does your company have the bandwidth for a 6-12-month process involving significant changes to your IT infrastructure and data-handling culture?

YES – Depending on your current setup, it could take up to 12 months to meet all of the compliance requirements. The good news is, there are resources available to help you if you need them.

NO – Depending on your current setup, the process to achieve compliance can take several months. The good news is, there are resources available to help you.

6) Are your suppliers compliant with NIST 800-171?

YES – Are you sure? You are responsible for how your suppliers and subcontractors handle Government data.

NO – Unfortunately, it’s not enough that your company is compliant. You are also responsible for how your suppliers and subcontractors handle Government data.

7) Is your company prepared to report any cyber incident to the Department of Defense within 72 hours?

YES – Do you have a reporting plan in place? Do you have the proper monitoring capability and medium-assurance certificate required to access DBIDS?

NO – Reporting within 72 hours is required. Trust us… you want to report a breach as soon as possible. You don’t want to find out what happens when the Government finds out about an unreported incident.

8) Is your company too small to be a target?

YES – WRONG! Attackers will use the weakest link in the supply chain to get to what they really want. Make sure it isn’t you!

NO – RIGHT! Small businesses are a common target for attackers. Hackers use the weakest link in the supply chain to get to what they really want.


Did you answer yes to any of the questions above? Read on to find out more about the resources available to help you:

UD/FASTLANE education resources

NIST links

DoD links

Service providers

Program funding may be available to help you to meet compliance requirements.

Want to learn more? Contact FASTLANE
