How Mobile Devices Can Complicate NIST 800-171


How Mobile Devices Can Complicate NIST 800-171


NIST 800-171 has a variety of requirements that are meant to ensure that sensitive information that resides on a contractor’s system remains protected. One set of requirements mandates that mobile devices follow information security protocol in order to guard against a breach. This requires contractors to devise and apply a solution so their employees do not have to carry a separate device for work matters. The good news is there are solutions available that allow employees to work on their own phones.

An organization cannot simply allow users to connect to its system from their own mobile device. This would make the information housed on the system rife for hacking. Mobile devices can carry malware which can infect the information system of the employer. In order to prevent this, there must be multi-factor authentication and other strong security protections in order for the employee to access controlled unclassified information from their mobile device. In the past, this was extraordinarily difficult to accomplish.

Now, much of the focus of securing this information is on the data itself as opposed to the device, allowing users to bring their own device. This is done through a containerized workspace that can completely separate business data from personal data. This will segregate the personal functions on the phone and keep them entirely walled off from the business functions, allowing employees to access work information without being imbued with anything originating from the personal side.

Still, not every type of architecture can satisfy the mobile requirements of NIST 800-171. There must be an effort focused on making this data difficult to access. In other words, a user should not be able to simply go on to their mobile device and immediately be able to access any sensitive information that they wish. Companies should consider biometrics and password management solutions in addition to multi-factor authentication. This should be used in conjunction with 256-bit encryption to protect the sensitive data and allows for a secure solution that can be integrated with a user’s own device.

When this system is successfully in use, the information will be compartmentalized on the employee’s device. Should they no longer need or have permission to access the data, it can easily be removed from the user’s device without affecting anything else housed on the device? Ensuring a physical partition on the mobile device is one of the only ways that will permit companies to allow employees to use their personal devices for work. Outside of that, the company will have to provide not only the device but will have to pay for a monthly service for its employees.

It is imperative that users apply the same cybersecurity principles and rules to mobile devices. NIST 800-171 demands it, and if contractors do not follow these cybersecurity standards, they will eventually be out of the government contracting business. Should their networks be breached from a mobile device, the contractor will face serious business and reputational consequences. For more information about NIST 800-171 requirements, contact ComplyUp.

Symantec Contributes to NIST 800-171 Compliance


Symantec Contributes to NIST 800-171 Compliance


Much of the United States’ response to the cybersecurity threats facing the nation is a result of coordination between companies and other entities. The underlying assumption is that when information is shared, there is a more effective response to the threats. With that in mind, the Department of Defense initiated the Defense Industrial Base Cybersecurity Program. Recently, Symantec, an industry leader in cybersecurity, announced its plans to join the program.

The DIB Cybersecurity Program is a public-private partnership that provides participants in the program with classified and unclassified information regarding potential threats. In addition, participants also receive best practices regarding information assurance to assist them in their own cybersecurity efforts. By participating in this program, contractors can receive the information necessary to help them exercise better situational awareness with regard to any threats that could potentially compromise the information that is on their systems. At the same time, the participants in the program can share information that they have learned through their own cybersecurity efforts. While companies have their own proprietary processes, the information that they feed into the program can help improve the overall national cybersecurity defense effort.

The DIB Cybersecurity Program is not open to every contractor. In order to join, a contractor will need to have security clearance, the permission to view classified information, and the clearance level to view the particular type of information that they are seeing. While compliance with cybersecurity standards is mandatory, participation in the information-sharing program is voluntary. For this particular program, contractors put their profit motives aside in order to cooperate for the greater good. The program operates under the theory that cooperation works best to protect vulnerable information systems.

Symantec is one of the larger information security companies in the United States. The company has 123 million attack sensors and 175 million protected endpoints at its disposal. Its participation in the program is seen as bolstering cybersecurity defense since there is a national interest in strengthening a large cybersecurity contractor. At the same time, the information that Symantec can share will aid national security since it is one of the companies that is best positioned to learn of new cybersecurity threats as they emerge.

Symantec has been active in providing solutions that assist with NIST 800-171 compliance, which are cybersecurity standards with which companies must certify their compliance in order to do business with the federal government. They are aimed at protecting sensitive information that is housed on contractors’ business systems. Compliance companies such as ComplyUp have been helping government contractors implement the requirements of these standards and can help these contractors stay on top of necessary developments.

The NIST standards have been one of the latest moves in a growing federal government effort to combat the myriad of cybersecurity threats facing the country. Recent examples of hacks have exposed the vulnerability of many information security systems. As a result, cybersecurity defense has been a major priority of the Trump Administration.

Data Breaches Can Be Far More Costly Than Compliance


Data Breaches Can Be Far More Costly Than Compliance


A data breach can be a business’ worst nightmare. The costs of a breach are substantial and can have a negative effect on both the reputation of the company and economically as a whole. Not only are data breaches embarrassing and angering to those who had their information compromised, but there may also be some regulatory liability for a business that is hacked, especially if the measures taken to protect the information were not stringent enough.

A recent study has demonstrated the costs that are associated with data breaches. This study pegged the cost of the average data breach at $3.8 million, and this does not even factor in the costs for the large data breaches in which millions of records have been stolen. The costs associated with these hacks result from a variety of different measures that businesses must take when they learn that their systems have been penetrated.

The first thing that a business must do once it learns of a data breach is to contain it. This requires intensive activity, and containing the hack, unfortunately, does not happen overnight. Instead, it can take businesses months to secure their information systems again. Until a business can get control of a situation, countless hours of overtime may be necessary, and the costs for this can add up fast. In addition, there are steep legal costs too, as there are a variety of threats in that area in the wake of a data breach as well. The regulators will come fast, and legal help is necessary to deal with most of these inquiries.

Data breaches will almost assuredly cost companies some business. If the client is the federal government, the fact that there was a data theft in a previous contract could affect the company’s ability to get new contracts in the future. In the event that private clients have their information stolen, they will also be extremely hesitant to trust that company in the future. Unfortunately, much of a business’ value comes from its brand and a data breach will surely tarnish that brand.

It behooves companies to make sure that they follow the applicable cybersecurity standards. By protecting their information systems, companies stand a better chance of avoiding a large-scale hack that can place their future business at risk. The NIST standards that have been made mandatory to follow by the DFARS provide a starting point for companies that want to secure their networks. By complying with NIST 800-171, businesses can point to tangible efforts they have made. While hackers are determined and may still have the ability to penetrate a network, when a business is compliant with the rules, they can point to those efforts they have made in protecting their networks, and it can help placate regulators and the federal government customer(s) if there happens to be a data breach.

Compliance solutions for NIST 800-171 can help contractors in their efforts to make sure that their systems are protected. An investment made today on the front end will not only help a contractor keep its contracts, but can also save it from costly issues that may arise in the future.

Maryland Now Offers Defense Cybersecurity Assistance Program


Maryland Now Offers Defense Cybersecurity Assistance Program


Maryland-based DoD Contractors who use ComplyUp’s DFARS/NIST 800-171 Compliance Solutions may qualify for financial assistance through The Maryland Defense Cybersecurity Assistance Program (DCAP).

Defense contractors are prevalent in the areas surrounding Washington DC, particularly Maryland and Virginia, and have a large impact on the economy, as they amount to a sizable proportion of the tax base in these areas. In fact, defense contractors in Maryland have $57 billion of economic impact annually.

To ensure businesses continue to grow and become profitable, the State of Maryland is now providing contractors with assistance in complying with the new DFARS cybersecurity standards, administering a program to distribute federal grant dollars to local contractors to help them become compliant with these rules.

Compliance with these standards is an existential issue for those that do business with the federal government. If these businesses fail to account for and follow these new rules, they will lose the ability to get new contracts and even keep their existing ones. As a result, it is in Maryland’s best interests to help its contractors remain in business. If Maryland contractors can no longer do business with the federal government, the work will simply migrate to other states and Maryland will become less competitive.

The new program is administered by a public-private partnership that is aimed at supporting the defense contracting industry in Maryland, and is run by the Maryland Defense Cybersecurity Assistance Program. Specifically, this program is funded by the Maryland Department of Commerce and is run by the Maryland Manufacturing Extension Partnership. This partnership counts both state government agencies and industries as its members.

There are three different types of grants available. Contractors can receive assistance for NIST 800-171 gap analysis, remediation, or tools, hardware and software services.

The program itself imposes requirements on who is eligible to participate. First, contractors must have a physical location in the State of Maryland. They must also derive at least ten percent of their revenue from work related to the Department of Defense. Alternatively, they should have a procurement request for compliance with the DFARS rule. The program is funded by Department of Defense’s Office of Economic Adjustment and is administered by the Maryland state government.

Compliance with these rules is a pressing issue for contractors who not only have to follow the standards themselves, but also make sure their subcontractors are in compliance. Since the money that funds this program comes from the Department of Defense, there are similar programs in other states, such as Indiana and New York. Each program has its own specific rules for participation unique to that particular program.

For contractors, these new rules present a challenge that can be costly and time-consuming. Government suppliers are better off if they can take advantage of every resource available to cut their own costs of compliance with the NIST standards. By fully complying with these requirements, contractors can maintain their business with the federal government.

NIST 800-171 Isn’t Just a Regulation, It’s Smart Business


NIST 800-171 Isn’t Just a Regulation, It’s Smart Business


Getting NIST 800-171 Compliant isn’t just about satisfying a regulation, it’s smart business. Hacks can come from anywhere and target anyone. Not only can your business get in hot water with the government for failing to be compliant, you could be in an even bigger mess if a hack is the result of negligence on your part.

Recent hacks of systems belonging to United States companies have been validation of the reasons behind the new cybersecurity rules that contractors must follow in order to do business with the United States Government. Foreign nation-states have been behind several large scale hacks and have managed to penetrate the systems belonging to several contractors. While the NIST standards and DFARS rules have been effective for some time, contractor information systems are still at risk of foreign penetration efforts.

Several high-profile intrusions and information thefts caused a change in the way that the government views its information and the contractors whose information systems house it. While the government must take pains to protect sensitive information, contractors were not subject to standards for their own systems, even though they could function in the same role as the government. This changed with NIST 800-171 which contained cybersecurity standards that contractors must follow. These are requirements for anyone hoping to obtain or keep a contract with the federal government.

Even with the new rules, problems still abound. Hackers from China have been active in trying to access contractor systems. In some instances, they have been effective. It has been reported that Chinese hackers have accessed the systems of numerous contractors who do business with the United States Navy. In addition, when the computers belonging to Marriott Starwood were breached, the hackers gained access to information about movements of United States Government personnel.

Even though there are new standards in place, the risk of cyber attacks has not gone away. If anything, hackers associated with nation-states are doubling their efforts to gain entry to sensitive information stored on contractor business systems. While the effective date of these standards has passed, there are still many issues because not every contractor is in full compliance yet. Further, every subcontractor must also comply with these rules. Oftentimes, these subcontractors are smaller entities that have trouble mustering resources to fully comply with these rules. Eventually, the contractors will be held responsible for the errors of their subcontractors because the onus is on them to make sure that they enter into subcontracts with those in compliance. In essence, hackers are doing what they can to test the systems of contractors, knowing that they may still not be fully compliant with new cybersecurity rules.

The threat and the intrusions are not limited just to Navy’s contractors. The Department of Defense has its own vulnerabilities that China and other nations are trying to exploit. Even information pertaining to ballistic missiles is at risk of being misappropriated by foreign entities.

To the extent that contractors can take steps to protect their information systems, they must do so. Not only do contractors have an obligation to the government with whom they transact, but taking vigorous steps to enhance cybersecurity is also a good business practice. Cyber breaches are both costly and embarrassing and many businesses have trouble surviving the hit to their reputation if their laxness leads to a large-scale theft of information from their systems. Compliance solutions can help companies take steps to shore up their systems.

The Importance of Having a NIST 800-171 Compliance Checklist


The Importance of Having a NIST 800-171 Compliance Checklist


Why a Checklist Helps Solve NIST 800-171

The requirements that are imposed by NIST 800-171 are extensive and leave little room for error on the part of the government contractor. One mistake is all that it takes to leave controlled unclassified information vulnerable when it resides on a contractor’s system. Possible consequences for non-compliance include the potential loss of all government contracts and debarment as a government contractor. Given the possible repercussions, compliance with these requirements becomes an existential issue for businesses.


Knowing how high the stakes are, contractors must consider the best way to comply with these rules. Without the proper planning and foresight, critical aspects of compliance may be missed. Since compliance is a process that proceeds in multiple steps, it may sense to plan out the steps before they occur and monitor them as they are being executed.

Don’t Miss a Step

When going through a large systemic change such as NIST 800 171 compliance, it is easy to miss a step or even a small detail. Since everything flows together, even the smallest of details can trip up the unsuspecting contractor. The rule requires 110 different areas of compliance across 14 different categories, so there is plenty to track.

With that in mind, contractors should consider drawing up a NIST 800 171 compliance checklist. This will keep the business organized and ensure that they do not lose sight of any critical steps when it comes to meeting the obligations of these rules. This checklist should break compliance steps into every piece of action that must be taken and should be composed ahead of time and updated as things change.

Prepare Beforehand

Before a contractor even draws up a compliance checklist, they should scrutinize each of their contracts to understand what the cybersecurity requirements are. There could be additional requirements beyond those which are required by NIST 800-171. These would be contained in various contract clauses that are included in each contract. Contracts with the Department of Defense will include the DFARS clause that makes NIST compliance mandatory. Contracts with non-DOD agencies may have other requirements.

A sound NIST 800 171 compliance checklist will involve the identification of all relevant areas. Each specific area will be categorized and assigned a baseline control. Each baseline control should be tested. In addition, the checklist should state how each area will be continuously tested. Further, the compliance checklist will set forth the meaning of each requirement next to the requirement so everyone is clear on what the requirement actually means.

Be Organized

Organization and preparation are the keys when compiling a NIST 800 171 compliance checklist. If everything is coherently enumerated ahead of time, compliance with the cybersecurity rules will be a matter of executing a previously planned set of events. It is the foresight and the planning that will make this a smoother process. Contractors are already intimidated enough by these extensive new mandates and any hint of disorganization will only make a difficult process worse. Compliance solutions from a NIST 800 171 expert can help your business better devise a checklist that will make following these new rules easier.

Updates on Securing Controlled Unclassified Information


Updates on Securing Controlled Unclassified Information


Big changes are on the way when it comes to controlled unclassified information. There is an amendment to the Federal Acquisition Regulation that will apply certain requirements for security to contractors outside the Department of Defense. Additionally, some of the underlying requirements may be changing because more stringent cybersecurity measures may be required by government agencies.

NIST CUI Updates

The new government contracting rule addresses how contractors deal with CUI. This involves information that is sensitive, but not considered to be classified. Federal government contracts will need to include a provision that dictates how contractors will dispose of CUI that they gain in the course of performance of their government contracts. The new rule will also include provisions for safeguarding and marking of CUI. The FAR case is based off of a rule that was issued in 2016, and applies to the executive branch. Now, it will be required to apply to contractors as well.

Since this new rule will be in the FAR, it will be a factor in whether contractors are eligible for award and whether they have complied with their contracts. Government agencies will likely have to make this clause mandatory in all of their contracts that are signed. Cybersecurity may also well become an evaluation factor in many contracts that involve the use of information systems.

Optional Cybersecurity Measures

NIST 800-171 serves as the basis for this rule. It requires “adequate security” for the information. However, NIST 800-171 will soon be changing. Agencies will be able to prescribe that contractors follow even more stringent measure to protect CUI. “Adequate security” will simply be the baseline, but agencies may be able to ask for more and contractors will need to comply. Contractors could choose to implement this level of security on their own, even if they are not required to do so by the agency.

NIST 800-171 provides the bedrock principles and protection measures when dealing with CUI. However, this area is rapidly changing as the regulatory agenda moves towards greater cybersecurity protection. Those who do business with the federal government can expect further continued evolution in this area.

Government Assistance

As the new rules take hold and more entities within government assert their right to audit contractors for compliance, there are many issues with figuring out who the proper entity is to conduct the audit. Without a single unified regulator, contractors could be aiming for compliance with different targets. Multiple regulator authority often creates unnecessary confusion. There will likely be a single entity in the future to assess compliance with these rules. Currently, contractors certify their own compliance and then are subject to audits. In the future, there will be more clarity about the process, especially when audits are conducted by a single federal entity.

Given the rapid changes in cybersecurity requirements when dealing with the federal government, your business is best off getting as much help as possible. There are NIST 800-171 compliance solution that are available that can help your business keep track of and meet these ever-changing requirements.

NIST 800-171 Consultant Alternatives


NIST 800-171 Consultant Alternatives


In the wake of the effectiveness of NIST 800-171 and its incorporation into the DFARS, you may be wondering how your business can best comply with the new requirements. Whatever compliance method you choose, the stakes are very high for your business, as failure to comply with these requirements can have dire consequences, such as the loss of contracts with the Department of Defense. Still, you do not want a solution that will cost too much and render your business unprofitable. The process that goes into choosing a compliance solution can be difficult. For some, it may make sense to hire a consultant but for many, this is too pricey of an option.

Nist 800-171 Consultant

There are generally 3 routes contractors choose from. Hiring a consultant, doing it themselves, or using compliance software.

Hiring a Nist 800-171 Consultant

While a consultant may have some helpful benefits for your business, they are not always the best. Essentially, you will have to weigh the benefits that a NIST 800-171 consultant can provide versus the costs that are involved in hiring that consultant. These consultants can be pricey and the costs do add up quickly. Many of the businesses that are figuring out how best to comply with the new requirements are small businesses and may not be in the best position to pay the consultant’s hourly rate. In the end, costs can be in the tens of thousands.

Do-it-Yourself DFARS Compliance

At the other end of the spectrum, you can try to do it on your own and avoid as many costs as possible. While employing a do-it-yourself solution is always going to be the cheapest option, it may not always be the most cost-effective. These new requirements are very involved and require multiple precautions to be built into your information systems. This, of course, will require the investment of your time, and as you know, time is money. Given the importance of this area, this is not a place where you can afford to fail. There are many risks that go along with attempting to do this on your own. Not to mention, it can be easy to make mistakes and have the process take even longer.

DFARS Compliance Management Software

The middle road to choosing between do-it-yourself and hiring a consultant is using a guided process. This was why we created ComplyUp, a Compliance Management Platform to guide you through the process of getting compliant. When you use our system, you get the benefits of a consultant with the cost savings of doing it yourself. We ensure you are not left to your own devices in regards to DFARS compliance and pay a fraction of the cost in hiring a NIST 800-171 consultant. Our software is programmed with the knowledge that will walk you through the compliance process step-by-step. When you use the software to achieve compliance with NIST 800-171, you save both time and money. In other words, you get the best of both worlds.

Our solution can help take the worry out of what is a very stressful area for many contractors. Because the product is a software platform, you are never left alone in securing the CUI that may be on your servers. Our system will be able to help you assess the environment, figure out the steps to take, and document the results in a System Security Plan. This is everything that a consultant would do for you but at a fraction of the cost. At the same time, you will also not be spending valuable time trying to figure out everything on your own.

National Cyber Strategy and the DFARS Mandate


National Cyber Strategy and the DFARS Mandate


Recently, the United States Government has indicated that it will step up its efforts to address cyber threats both domestically and internationally. Both the White House and the Department of Defense have released updates of their cyber strategies that detail the fundamental pillars of an effective cyber defense. In this environment, DFARS compliance is now more important than ever for contractors.

While many of these strategies focus on how the United States will operate in the international arena against hostile state actors, there is also a notable focus on defending domestic networks from cyber threats that could compromise them. Each one of the plans includes the protection of the homeland as a pillar.

Presidential Seal

Presidential National Cyber Strategy

In the White House plan, there are several elements to the protection of our domestic system. The first element is the one that relates closest to NIST 800-171. This element of the pillar calls for securing federal networks and information. The report recognizes the criticality of protecting information that is housed on contractor information systems. The White House Report foreshadows that there will be a unified standard across all of the federal government that will be used in all acquisitions that measure contractors’ information systems.

The White House is particularly concerned about information that belongs to the DOD. The report cites the end result of NIST 800-171 when it says the federal government will be able to assess its data’s security by reviewing the contractor information system. This demonstrates the federal intent to make this an area of focus going forward.

Department of Defense National Cyber Strategy

Similarly, in the DOD report, there is also a heightened focus placed on securing DOD information that is housed on non-DOD systems. The DOD seeks to secure its own networks against malicious cyber attacks. Given the new requirements that contractors face, contractors should take the DOD’s cyber priorities seriously when it says it is seeking to protect its own information no matter where it is housed. The DOD has its own investigative arm, the Defense Contract Audit Agency, that can unleash to perform audits on contractors’ information systems. Thus, you can rest assure that the DOD actually will make this a firm priority in the future.

Contractors will need to ensure that they maintain compliance with the new NIST standard on from now on. If they fail to maintain their DFARS compliance, contractors can lose not only the contracts they have with the United States Government, but they can also be suspended or debarred as government contractors. This is not a position in which anyone who wants to do business with the federal government would want to find themselves.

In order to comply with the NIST standards that are aimed at protecting controlled unclassified information, there are a few different compliance options a contractor can use. One of the most cost-effective options involves a NIST 800-171 template. This template will provide your business with the outline of a compliance solution so your business will not be on its own in this vital compliance area. At the same time, this option will be considerably cheaper than hiring a consultant to assist you with compliance.

The Honeymoon is Over, Audits are Coming!


The Honeymoon is Over, Audits are Coming!


The Defense Contract Management Agency is an agency that can often strike fear in government contractors. DCMA conducts audits of government contractors to make sure they are complying with laws and regulations. As of recently, it appears that the DCMA is set to turn its auditing focus toward compliance with NIST 800-171.

NIST 800-171 sets forth steps that contractors must take in order to secure their information systems that house nonclassified sensitive information. Compliance with these standards becomes a legal part of every contract with the Department of Defense considering the NIST standards are incorporated into every contract through the DFARS. If contractors do not maintain their DFARS compliance, they cannot do business with the federal government.

Nist 800 171 Audit

The NIST standards were scheduled to become effective on December 31, 2017. Government officials were adamant that the deadline was firm and contractors would have to immediately be in compliance with the standards; however, prior to that deadline, the government clarified that the deadline only applied to the requirements for a System Security Plan and a Plan of Action. After the December 2017 effective date, there was an update to the standards that clarified a few specific areas. While the update indicated a more relaxed approach to how the DOD would interpret the standards, it also brought the date closer to when these standards would be enforced. DOD is making it increasingly clear that they intend to conduct audits in the near future in this area.

A DCMA audit is a scary experience for many defense contractors. Businesses never quite know when an audit is coming and the DCMA can be relentless. Regardless, a DCMA audit does not have to be a traumatic event for a business. Contractors can start preparing the day they receive the notice that they will be audited.

There are several steps that contractors can take to anticipate and prepare for a potential audit. The good news is that contractors do not need to go at it alone, and can receive help in their DFARS compliance efforts. Matters that address information security can be complicated and time-consuming; however, by hiring the right service provider, a contractor can relieve some of that burden and free themselves up to focus solely on their important business issues.

ComplyUp offers a solution to help government contractors comply with their standards. The company has a compliance solution that can take some of the fear and mystery out of such a sensitive area. Their solution offers contractors a step-by-step method to help them properly follow the standards. By using ComplyUp, contractors will know exactly what is expected of them and can take the necessary steps to avoid any issues if DCMA shows up at their door. ComplyUp’s products rely upon technology in a way that takes some of the uncertainty away and makes it easier to deal with compliance.

When it comes to these NIST standards, you do not need to fear an audit if you have taken the right preparations in advance. Because of the stakes that are at play, it is vital that businesses take the right steps and secure assistance if they need it. When it comes to the existence of a business, it is always better safe than sorry.