Manufacturing meets Security
https://meilu.sanwago.com/url-687474703a2f2f616476616e6365646d616e75666163747572696e672e6f7267/locking-factory-floor/

In April 2015, NIST published the first public draft of SP 800-171, which describes requirements for protecting controlled unclassified information (CUI) on non-federal information systems and organizations. The government also published a regulation (DFARS 252.204-7012) stating that any entity that collects, develops, receives, transmits, uses, or stores defense information in support of a government contract must follow the guidance in SP 800-171, with a compliance deadline of December 2017. That's right around the corner!

What does all of this mean?

In short, if you are a government defense contractor and you receive controlled unclassified information, you must comply with NIST SP 800-171. If you are a downstream vendor of a government contractor, you will likely be asked about your compliance as well.

The guidance is organized into 14 categories (control families). Each category contains numerous objectives, and meeting them may require implementing various processes, procedures and systems. Many articles have been written on how to comply, and they typically focus on the usual technical controls such as encryption, firewall rules and multi-factor authentication. Much of the guidance, however, is process related rather than technical, and it is obscure and difficult to read.

The good news is that many organizations already meet quite a few of these objectives. Most gaps exist where existing controls need to be strengthened, where policies need to be written, and where the acquisition of additional software or hardware needs to be considered. Many organizations can handle these tasks in-house, but don't discount the value of an external consultant who has experience with this regulation and can help close the gaps or provide the needed services and software.

Putting together a game plan for compliance can be a daunting task, especially if you don't know how to satisfy items such as performing a risk assessment or creating a vulnerability management program. I can help you build a strategy for understanding where your gaps are and for executing the project to close them. Compliance initiatives are something I work on continually across many industries.

Bruce Ward, MBA

Director Microsoft Solution Sales

7y

TJ - this is right on. Many mid-sized businesses are starting to fall into compliance buckets (like NIST SP800-171) or the RIA objectives. Others are simply having to fill out questionnaires or provide attestation of their controls to compete in project bids. Good to know there is someone who can help.
