Knowing the Difference Between NIST 800-171 and 800-53 Is Crucial for DoD Contractors
Time is running out to meet the NIST 800-171 or 800-53 cybersecurity mandate. Do you know which applies to your DoD contracting or subcontracting operation?
Contractors and supply chain businesses have been tasked with meeting heightened cybersecurity mandates by the U.S. Department of Defense. Deadlines for compliance are fast approaching, and operations that fail to reach the required cybersecurity posture can expect to be left out of profitable government contracts. Despite the urgency surrounding compliance, a considerable amount of confusion exists regarding two specific NIST publications, commonly referred to as NIST 800-171 and 800-53.
If you are a decision-maker at a DoD contractor or supply chain company, time is of the essence to know which standard you are expected to meet in the coming months. We suggest that you review any current agreements and the compliance necessary to bid on future work. The following effort to simplify the differences between NIST compliance for 800-171 and 800-53 may provide valuable insight.
What Decision-Makers Need to Know About NIST SP 800-53
The National Institute of Standards and Technology (NIST) SP 800-53 is not a new security standard by any means. The federal government is currently operating under Revision 4, titled Security and Privacy Controls for Federal Information Systems and Organizations. The publication is a catalog of security and privacy controls for federal information systems, and it ranks among the most comprehensive cybersecurity guides available. Its scope is federal systems themselves, which includes systems a contractor operates on an agency's behalf: if your outfit operates, or directly connects to, federal servers, networks, or other systems, it is entirely likely that 800-53 applies to your business.
Given the vast amount of work the federal government conducts with private corporations, it is not uncommon for NIST SP 800-53 compliance to be written into your contract. The requirement flows down: subcontractors must comply with the terms of the prime contract and should see the cybersecurity mandate listed in their own agreements as well. Unfortunately, the complexity of some agreements and the legal jargon used in various clauses have led to missteps, and too many operations are not in compliance. That all ends in the coming months.
If you plan to work directly with a federal information system, the controls your system must implement before an agency will authorize it to operate are listed in the 800-53 document. The volume is a staggering 462 pages long. Not every control applies to every system: the catalog is tailored into low, moderate, and high baselines according to the system's impact level, so the first practical question is which baseline your contract calls for. Meeting the requirements in your respective contract, or in those you wish to bid on in 2020, requires enhanced cyber hygiene and documented, independently assessed proof. To say this could be a Herculean effort would be something of an understatement. It is advisable to secure a prompt cybersecurity assessment if you are interested in working with a federal network.
What Decision-Makers Need to Know About NIST SP 800-171
The key difference between NIST 800-53 and 800-171 is that the latter applies to non-federal systems. Its requirements are derived from the 800-53 moderate baseline and tailored down to 110 requirements in 14 families that protect one thing: controlled unclassified information (CUI) that a contractor processes, stores, or transmits on its own networks. Simply put, if you run a support or "supply chain" operation, the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 made those protections a contractual requirement as far back as 2015, with full implementation due by the end of 2017. That may come as a surprise in the current climate because the requirement was only loosely enforced in many cases, until now. Going forward, CUI will be under strict scrutiny, and private businesses that house such data will either be able to demonstrate compliance or be left out of the DoD loop. It is crucial to understand that you do not need to be linked to a federal system to fall under the 800-171 mandate; holding CUI is enough.
How To Gain NIST Compliance Under the 800-171 or 800-53 Mandate
The first step in gaining compliance is to have an expert read the clauses in your DoD contract and identify which designation you must meet. Then have an independent cybersecurity consultant conduct a full review of your systems and cybersecurity posture. That gap assessment will show you where your systems and protocols measure up and where they do not, and it feeds the two documents 800-171 itself requires you to maintain: a system security plan describing how each requirement is met, and plans of action with milestones for every requirement that is not yet met. It is crucial to move quickly if you are uncertain, because 800-171 compliance has largely been self-attested until now and the federal government is moving toward third-party assessment to obtain impartial proof. Going forward, your organization will need that evidence to continue working with the federal government or to bid on future contracts.