If Your Company Works with the Federal Government, You Should Know This

This is a snippet of an article published on washingtontechnology.org
Jenifer Rees, senior quality/security engineer at Base2 solutions

Customers hire us to help them address their physical IT security infrastructure needs, and in the course of the conversation, we raise the specter of compliance with a Federal Government mandate related to NIST 800-171. In the best-case scenario, the client is well informed of the pending deadline and has a plan in place. However, in most situations they are not tuned in to this deadline and start to get white-knuckled. Unfortunately, because of our work in IT security and compliance for regulated industries such as aviation and health care, we see this situation happen much more frequently than we’d like.

While Washington State hangs its proverbial hat on being the country’s seat of emerging technology, that distinction also comes with a certain set of rules and regulations for companies whose clients include the federal government.

For government contractors, a deadline looms to ensure they are compliant with the National Institute of Standards and Technology’s (NIST) guidelines for ensuring sensitive federal information remains confidential when stored in nonfederal information systems and organizations. Basically, a contractor needs to be NIST compliant if it processes, stores, or transmits sensitive federal information to assist federal agencies in carrying out their core missions and business operations.

This requirement means nonfederal information systems and organizations must demonstrate that they have security controls – both physical and procedural – in place to protect Controlled Unclassified Information (CUI) and Controlled Technical Information (CTI), based on guidelines laid out in NIST’s Special Publication 800-171.

Originally, contractors only had until the end of 2016 to demonstrate compliance, but some squeaky wheels within the industry said, “too fast,” so the Pentagon pumped the brakes and extended the deadline to Dec. 31, 2017 (though for contracts awarded at, or after, the deadline, compliance is required within 90 days). And while the original catalog of NIST security controls was an unwieldy 462-page behemoth, the new document is a sleek and streamlined 77 pages.

This all traces back to the Cybersecurity Enhancement Act of 2014, passed by Congress “to provide for an ongoing, voluntary public-private partnership to improve cybersecurity, and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness, and for other purposes.” The act provides a call to action for NIST to continue its work on a defined cybersecurity framework.

Our clients are in frequent disbelief that this regulation applies to their particular contracts. We tell them the answer is simple: If your company processes, stores or transmits CUI, or provides security protection for such components, then you can be certain compliance with NIST 800-171 is required. And with the Dec. 31 deadline just eight months away, it’s time for procrastinators to get cracking.

Request a NIST Compliance Consultation

With the trusted cybersecurity professionals at Base2 Solutions in your court, your company can efficiently and effectively move through the process to reach compliance before the deadline. Submit the contact form on the right and gain the peace of mind that comes with knowing your company can continue to accept government contracts, while complying with the NIST 800-171 standards, or even move to the next level of security. It will be December 31, 2017, soon enough. Are you ready?