If you are a government sub-contractor and not NIST 800-171 compliant by the end of 2017, you are at risk of losing your federal business.

In 2015, the federal government issued the NIST 800-171 set of required standards. They require all entities who do business as subcontractors on any federal project to be fully compliant by the end of 2017 or lose their right to participate on those contracts. Sub-contractors are required to provide evidence to the government verifying that your firm is in compliance. Most challenging to smaller organizations is the requirement to monitor and detect intrusions along with having a detailed plan as to how to remedy a breach.

As with all government mandated compliance, interpreting and implementing the required changes is not a simple matter. In the case of NIST 800-171, there are 14 families of security requirements necessary for you to meet the required standard. They are:

1. Access Control
2. Audit and Accountability
3. Awareness and Training
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Physical Protection
10. Personnel Security
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection
14. System and Information Integrity

Each of these has multiple subsets of requirements adding up to 110 total controls. I suggest you download and read NIST 800-171. If your IT and security department happens to be overstaffed and has extensive experience working with vague compliance requirements, read no further, you will likely have this under control. However, if you are like most organizations and this is NOT the case, (and I have never seen an IT department that was overstaffed), you will likely need the assistance of an external third party.

The serious news is the fact that you are running out of time very rapidly. Now the good news is that Sattrix USA is standing by to help. If you understand the gravity of the situation and do not have plans in place or are actively working on compliance. We will schedule a no obligation, no cost scoping session to let you know where you stand. We are ready to assist!

To respond to this blog or for your comments/questions on it, please Click here.