NIST Compliance for Small Business
NIST 800-171 was established after FISMA (the Federal Information Security Management Act) was passed in 2003. NIST, the National Institute of Standards and Technology, is a unit of the US Commerce Department. NIST created Special Publication 800-171 to help protect Controlled Unclassified Information (CUI). Its goal was to protect the legal information of business owners, citizens, and government. It also provides services for small businesses. NIST 800-171 services for small business help the US Government gain the confidence of small business owners across the US states, which in turn helps those businesses achieve their goals.
Small organizations that work on military platforms face a difficult challenge: the Department of Defense (DOD) implemented a DFARS clause that requires compliance with the cybersecurity standard called NIST 800-171.
The standard is focused on a specific set of data referred to as Controlled Unclassified Information (CUI). At a high level this data includes design specifications, product material data, and the procedures used to engineer, test, and manufacture both land- and air-based military platforms. The standard has 110 requirements, a mix of technical and process controls focused on protecting CUI. A small business's inability to comply with these requirements effectively serves as a barrier to entry for working in the industry: many proposal solicitations now require NIST compliance as a qualifier for bidding on a project.
No-Nonsense Approach
So, where do we begin? Meeting NIST compliance requirements as a small business can be difficult, but a few simple steps can simplify the process.
- Minimize the “footprint” of CUI data. In other words, keep both physical and virtual copies in common storage areas rather than scattered across the organization.
- Don’t use email to exchange CUI data with partners, vendors or customers. Use the secure data exchange frameworks that are available from most tier 1 vendors.
- Leverage commercially available templates for process content (policies, incident response plan, awareness training, system security plan).
- Have a third party help you with areas of the NIST standard that require clarification. Most consulting firms are open to answering a few questions without charging for a full engagement. Be honest and tell them that you don’t need help but have a few questions you were hoping they could answer.
Immediate Action Items
Near term, the most important deliverables to complete are the system security plan (SSP) and the plan of action (POA). The SSP defines the scope and the approach for compliance, while the POA provides a timeline for addressing identified gaps. Online resources like the CSET self-assessment tool can help with identifying compliance gaps and developing the remediation plan. There are also online templates available for the SSP and POA, which can speed up developing and completing the documents.
Keep in mind that the goal of NIST compliance for small business is to protect information that is largely digital, so many of the required controls deal with computer and network technology. If an organization does not have the internal expertise to sort through the technical details, this part of compliance is where money is best invested in external assistance to identify gaps and develop a plan to address them.
Planned Implementation
Once the SSP and POA are completed, the balance of NIST compliance for small business relies on following the defined implementation plan. As the project evolves, any unforeseen obstacles or delays will necessitate updates to the POA. Stay on top of the schedule and track progress accordingly. Store all related documentation in a common network folder, and once the program is fully implemented, plan on conducting an annual audit, risk assessment, and security assessment.