Complying with NIST 800-171 and DOD 858201p

If you own or manage a small business that is part of the DOD supply chain, then you should be well on your way to completing the 110-requirement compliance checklist set out in NIST SP 800-171.  Under DFARS clause 252.204-7012, compliance needs to be in place by December 31, 2017, only a few months away.  Because I am working with a few clients that this requirement applies to, I do know that there are many suppliers that are not anywhere close, and a few who have yet to start.

NIST 800-171 deals with “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.”  Quite a mouthful.  Basically, the focus of the compliance requirements is to ensure that the computer systems and networks of DOD supplier companies have a minimum set of security controls in place, to help prevent an attacker from infiltrating these networks and making off with sensitive information (the Controlled Unclassified Information, or CUI, in the title).

Back in October, the Naked Security blog ran a story that perfectly illustrates why the DOD is requiring even very small suppliers to meet this complex and fairly expensive-to-implement set of standards.  The gist of the story is that a small 50-person “mom and pop” engineering firm in Australia was breached.  The attackers “had been inside the company’s network at least since the previous July, had full and unfettered access for several months, and exfiltrated about 30GB of data including restricted technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and a few Australian naval vessels.”

This is part of the reason items are more expensive when provided to the military than they are at Walmart.  But the information that needs to be protected is irreplaceable: once it has been copied out of your network, it cannot be retrieved.  There are simple steps any business can take to minimize the chance of a cyber intrusion and the damage one can do:

  • Use the principle of least privilege.  Users should only have the rights they need to perform their work.  Restrict administrative rights to actual admins, and have admins use a separate, non-privileged account for email and web browsing.
  • Apply operating system updates quickly.
  • Apply updates for software applications, including Flash, Java and Adobe Reader, which are the applications most often targeted by exploit kits and malicious attachments.
  • Keep your web browsers updated to the latest version.
  • Only allow computers and users to run approved software packages (application whitelisting, for example with AppLocker on Windows).
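As an added example (not from the original post), here is a quick PowerShell audit that checks a single Windows 10 or Server 2016 machine against the five items above: unexpected members of the local Administrators group, the most recent OS hotfix and any updates still pending, the installed versions of the commonly targeted applications and browsers, and whether an AppLocker policy is actually in effect and enforcing.  The $ApprovedAdmins list and the CORP domain name are assumptions; replace them with your own accounts.  Run it in an elevated PowerShell session.

```powershell
# Added example, not part of the original post.
# Local audit of the five basic controls listed above. Run elevated.

# Assumption: the only accounts that should hold local admin rights.
$ApprovedAdmins = @('CORP\Domain Admins', 'CORP\svc-backup')

# 1. Least privilege: who is in the local Administrators group?
#    The built-in local Administrator account is excluded from the warning.
$extraAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $ApprovedAdmins -notcontains $_.Name -and $_.Name -notlike '*\Administrator' }
if ($extraAdmins) {
    Write-Warning 'Unexpected members of the local Administrators group:'
    $extraAdmins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
}

# 2. OS updates: most recent installed hotfix, then anything still pending
#    according to the Windows Update agent (talks to WSUS or Microsoft Update).
$lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
"Most recent hotfix: $($lastFix.HotFixID) installed $($lastFix.InstalledOn)"

$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
"Pending Windows updates: $($pending.Count)"
foreach ($u in $pending) { "  - $($u.Title)" }

# 3 and 4. Third-party applications and browsers: list the installed versions of the
#    usual targets so they can be compared with the vendor's current release.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Flash|Adobe Acrobat|Adobe Reader|Chrome|Firefox|Java' } |
    Select-Object DisplayName, DisplayVersion |
    Sort-Object DisplayName | Format-Table -AutoSize

# 5. Approved software only: is an AppLocker policy in effect, and is each rule
#    collection set to Enabled (enforce) rather than AuditOnly or NotConfigured?
Import-Module AppLocker
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
if (-not $policy -or $policy.RuleCollections.Count -eq 0) {
    Write-Warning 'No effective AppLocker policy: any user can run any executable.'
} else {
    $policy.RuleCollections |
        Select-Object RuleCollectionType, EnforcementMode, @{n='Rules'; e={ $_.Count }} |
        Format-Table -AutoSize
}
```

The script only reports; it changes nothing, so it is safe to run on a production workstation as a first look.  An empty AppLocker result or an EnforcementMode of AuditOnly means the last item on the list is not actually in place, regardless of what the written policy says.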


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
