Complying with NIST 800-171 and DOD 858201p

If you own or manage a small business that is part of the DOD supply chain, then you should be well on your way to completing the 130+ item compliance checklist set out in NIST 800-171. Compliance needs to be in place by the end of 2017, only a few months away. Because I am working with a few clients that this requirement applies to, I do know that there are many suppliers that are not anywhere close, and a few who have yet to start.

NIST 800-171 deals with “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.” Quite a mouthful. Basically, the focus of the compliance requirements is to ensure that the computer systems and networks of DOD supplier companies have a minimum set of security controls in place, to help prevent an attacker from infiltrating these networks and making off with sensitive information.

Back in October, the Naked Security blog ran a story that perfectly illustrates why the DOD is requiring some very small suppliers to meet this complex and fairly expensive-to-implement set of standards. The gist of the story is that a small 50-person “mom and pop” engineering firm in Australia was breached. The attackers “had been inside the company’s network at least since the previous July, had full and unfettered access for several months, and exfiltrated about 30GB of data including, restricted technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and a few Australian naval vessels.”

This is part of the reason items are more expensive when provided to the military than they are at Walmart.  But the information that needs to be protected is irreplaceable, and cannot be retrieved once it is lost.  There are simple steps any business can take to minimize the damage from a cyber intrusion:

  • Use the principle of least privilege. Users should only have the rights they need to perform their work. Restrict administrative rights to actual admins.
  • Apply operating system updates quickly.
  • Apply updates for software applications, including Flash and Adobe Reader.
  • Keep your web browsers updated to the latest version.
  • Only allow computers and users to run approved software packages.

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at
