Contractors working with the Department of Defense (DoD) and other governmental organisations are required to safeguard sensitive data against evolving cybersecurity risks. This requires both implementing modern cybersecurity controls and meeting statutory compliance standards.

Contractors want clarification on what constitutes the bare minimum of effective cybersecurity needed to safeguard government data. This is addressed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. The Department of Defense and much of the Federal Government have adopted NIST SP 800-171 as a uniform set of best practices for contractors, to encourage good cyber hygiene and protect sensitive information.

What Exactly Is NIST SP 800-171?

The National Institute of Standards and Technology (NIST), founded in 1901, is a Federal government body under the United States Department of Commerce that has produced hundreds of standards and special publications. Its aim is to “advance American innovation and industrial competitiveness by improving measurement science, standards, and technology in ways that improve economic security and quality of life.”

The list continues to grow. Currently, NIST SP 800-171 is a contractual requirement for non-federal information systems that process, store, transmit, or protect Controlled Unclassified Information (CUI) for the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). NIST SP 800-171 clauses may also appear in other Federal agency contracts.

The government is scheduled to establish a CUI Rule in the Federal Acquisition Regulation (FAR) in late 2021 or early 2022, requiring NIST SP 800-171 for all Federal government contracts involving CUI.

Why Does CUI Require Protection?

According to a 2017 New York University study, about nine million individuals work for the federal government, 40% of whom are private contractors in charge of CUI protection. Like practically every other organisation, they face the constant threat of a data breach. From the large data breaches at Marriott in 2018 and Equifax in 2017 to the 2013 Yahoo! hack involving three billion users, the volume and severity of cyberattacks have grown over the last decade. These increases have resulted in an avalanche of noteworthy breaches affecting DoD contractors.

While NIST SP 800-53 governs federal information systems, there were no comparable rules for the private contractors who assist the DoD and other government agencies until NIST SP 800-171. Cyber attackers were targeting subcontractors, and even the smallest manufacturers and suppliers, aiming to steal information or to find a way into the larger firms’ computer systems. Small and medium-sized businesses (SMBs) are targeted because they often spend less on cybersecurity and data protection.

Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) give smaller businesses, which cannot afford to invest millions of dollars per year in their own teams and infrastructure, access to the Information Technology (IT), cybersecurity, and compliance expertise, resources, and economies of scale of larger organisations.