Complying with NIST 800-171 and DOD 858201p

If you own or manage a small business that is part of the DOD supply chain, then you should be well on your way to completing the 130+ item compliance checklist as set out in NIST 800-171.  Compliance needs to be in place by the end of 2017, only a few months away.  Because I am working with a few clients that this requirement applies to, I do know that there are many suppliers that are not anywhere close, and a few who have yet to start.

NIST 800-171 deals with “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.”  Quite a mouthful.  Basically, the focus of the compliance requirements is to ensure that the computer systems and networks of DOD supplier companies have a minimum set of security controls in place, to help prevent an attacker from infiltrating these networks and making off with sensitive information.

Back in October, the Naked Security blog ran a story that perfectly illustrates why the DOD is requiring some very small suppliers to meet this complex and fairly expensive-to-implement set of standards.  The gist of the story is that a small 50-person “mom and pop” engineering firm in Australia was breached.  The attackers “had been inside the company’s network at least since the previous July, had full and unfettered access for several months, and exfiltrated about 30GB of data including restricted technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and a few Australian naval vessels.”

This is part of the reason items are more expensive when provided to the military than they are at Walmart.  But the information that needs to be protected is irreplaceable, and cannot be retrieved once it is lost.  There are simple steps any business can take to minimize the damage from a cyber intrusion:

  • Use the principle of least privilege.  Users should only have the rights they need to perform their work.  Restrict administrative rights to actual admins.
  • Apply operating system updates quickly.
  • Apply updates for software applications, including Flash and Adobe Reader.
  • Keep your web browsers updated to the latest version.
  • Only allow computers and users to run approved software packages.
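A quick way to see where a workstation stands on the five items above is a read-only audit script.  The one below is an added example, not part of the original post; it assumes a Windows 10 / Server 2016 or later machine with PowerShell 5.1 and the AppLocker module, and the list of watched applications is a placeholder you would adjust to what your users actually run.

```powershell
# Added example: report on the five hygiene items on a Windows workstation.
# Run from an elevated prompt. Nothing is changed, only reported.
$report = [ordered]@{}

# 1. Least privilege: who holds local administrator rights on this machine?
$admins = @(Get-LocalGroupMember -Group 'Administrators' |
            Select-Object -ExpandProperty Name)
$report['LocalAdmins'] = $admins -join ', '

# 2. OS updates: days since the most recent hotfix was installed.
$lastFix = Get-HotFix | Where-Object InstalledOn |
           Sort-Object InstalledOn -Descending | Select-Object -First 1
$daysSinceUpdate = if ($lastFix) {
    (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days
} else { 'unknown' }
$report['DaysSinceLastOSUpdate'] = $daysSinceUpdate

# 3/4. Application and browser versions, read from the Uninstall registry keys.
#      The watch list is an assumption; edit it to match your environment.
$watch = 'Adobe Flash Player', 'Adobe Acrobat Reader', 'Google Chrome', 'Mozilla Firefox'
$keys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName }
foreach ($name in $watch) {
    $hit = $installed | Where-Object { $_.DisplayName -like "$name*" } |
           Select-Object -First 1
    $report[$name] = if ($hit) { $hit.DisplayVersion } else { 'not installed' }
}

# 5. Approved software only: is an AppLocker policy in effect with any rule
#    collections? With none, any executable a user can reach will run.
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
$collections = if ($policy) { @($policy.RuleCollections).Count } else { 0 }
$report['AppLockerRuleCollections'] = $collections

# Flag the items that most often need attention. Thresholds are assumptions.
if ($admins.Count -gt 2) { Write-Warning "More than two local administrators: $($admins -join ', ')" }
if ($daysSinceUpdate -is [int] -and $daysSinceUpdate -gt 30) {
    Write-Warning "No OS update installed in $daysSinceUpdate days"
}
if ($collections -eq 0) { Write-Warning "No application whitelisting policy in effect" }

[PSCustomObject]$report | Format-List
```

Version numbers alone do not tell you whether a product is current, so compare the reported values against the vendor's release notes; the script is a starting point for the checklist, not evidence of compliance.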

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
