As the US federal government outsources more and more of its projects and business functions to contractors that rely heavily on federal information systems, the Department of Defense has imposed a new requirement on those service providers, prime contractors and subcontractors alike. Because they handle the government's Covered Defense Information (CDI), they must take adequate cyber security measures, and the DFARS clause that carries the requirement (252.204-7012) gave them until December 31, 2017 to bring every system that stores, processes or transmits CDI into compliance with NIST Special Publication 800-171.
NIST Special Publication 800-171 sets out the security requirements that a contractor's information systems, policies and procedures must meet to protect the category of government information known as Controlled Unclassified Information (CUI): information that is not classified, but whose loss or compromise can directly affect the federal government's ability to carry out its operations. A great deal of sensitive but routine processing is now done for the federal government by outside service providers, for example providing financial services, web and e-mail hosting and cloud services, conducting background investigations for security clearances, processing healthcare data, and developing communications, satellite and weapons systems. All of this work involves CUI, and the systems that handle it must meet the requirements of NIST Special Publication 800-171; this is a separate matter from the personnel security clearances held by the people doing the work.
If you are one of these contractors you must comply or risk losing the contract. Two steps to start the compliance process are described below: perform a gap analysis, then establish an incident response plan. Note that 800-171 also expects you to document the results in a system security plan (requirement 3.12.4) and a plan of action and milestones for the deficiencies you find (requirement 3.12.2), so record the outcome of each step as you go.
A gap analysis is a security assessment of your systems and processes against the 110 requirements of NIST Special Publication 800-171. Work through the requirements with your staff: map the network, identify where CUI is stored, processed and transmitted, review system configurations, and record for each requirement whether it is implemented, partially implemented or missing, paying particular attention to how CUI is handled. The output is a list of control gaps, which becomes the basis of your remediation plan.

Two gaps the analysis commonly turns up deserve a mention. First, 800-171 requires multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts (requirement 3.5.3), and it requires that every user be uniquely identified (requirement 3.5.1); a shared account with a shared password fails both, and adding MFA to VPN and administrative logins is usually one of the first remediation items. Second, you must establish an incident response plan (requirements 3.6.1 and 3.6.2): a written procedure that says who does what when a cyber intrusion or attack is detected or an insider investigation is opened, how evidence is preserved, and how incidents are tracked and reported. Under the DFARS clause, cyber incidents affecting CDI must be reported to the DoD within 72 hours of discovery, so the plan needs to name who makes that report and how.
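The gap analysis above produces a worksheet of requirement IDs, statuses and evidence, and the remediation plan comes straight out of it. The script below is an added example (not code from the original article or from NIST) showing one way to keep that worksheet machine-readable and turn it into a per-family coverage summary and a plan-of-action skeleton. The assessment rows, the evidence text and the requirement summaries are constructed for illustration; the summaries paraphrase the 800-171 requirements rather than quoting them.

```python
"""Gap analysis tracker for a NIST SP 800-171 self-assessment (illustrative)."""
import csv
from collections import defaultdict
from io import StringIO

# Requirement families are the 3.x prefixes of 800-171; only the ones used below are listed.
FAMILIES = {
    "3.1": "Access Control",
    "3.3": "Audit and Accountability",
    "3.5": "Identification and Authentication",
    "3.6": "Incident Response",
    "3.12": "Security Assessment",
}

STATUSES = ("implemented", "partial", "not implemented", "not applicable")

# Constructed assessment worksheet, not real findings. Requirement text is paraphrased.
ASSESSMENT_CSV = """\
requirement,summary,status,evidence
3.1.1,Limit system access to authorized users and devices,implemented,AD group policy; VPN requires domain account
3.3.1,Create and retain system audit logs,partial,Logs kept 30 days; CUI file server not forwarded to SIEM
3.5.1,Identify system users and devices,partial,Shared 'scanner' account used by three operators
3.5.3,MFA for privileged and remote access,not implemented,Password-only VPN and RDP
3.6.1,Operational incident-handling capability,not implemented,No written IR plan
3.6.2,Track and report incidents to authorities,not implemented,No 72-hour DoD reporting procedure
3.12.4,System security plan maintained,partial,SSP draft covers network diagram only
"""


def req_key(req_id):
    """Sort key so that 3.5.3 sorts before 3.12.4 (numeric, not lexical)."""
    return tuple(int(p) for p in req_id.split("."))


def family_of(req_id):
    return ".".join(req_id.split(".")[:2])


def load_assessment(text):
    """Parse the worksheet and reject rows with an unknown status."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        if row["status"] not in STATUSES:
            raise ValueError(f"{row['requirement']}: unknown status {row['status']!r}")
        row["family"] = family_of(row["requirement"])
    return rows


def gaps(rows):
    """Requirements that are not fully implemented, worst first."""
    severity = {"not implemented": 0, "partial": 1}
    open_rows = [r for r in rows if r["status"] in severity]
    return sorted(open_rows, key=lambda r: (severity[r["status"]], req_key(r["requirement"])))


def coverage_by_family(rows):
    """Map family -> (implemented, applicable) counts; N/A rows are excluded."""
    counts = defaultdict(lambda: [0, 0])
    for r in rows:
        if r["status"] == "not applicable":
            continue
        counts[r["family"]][1] += 1
        if r["status"] == "implemented":
            counts[r["family"]][0] += 1
    return {fam: (impl, total) for fam, (impl, total) in counts.items()}


def poam(rows):
    """Plan of Action and Milestones skeleton: one entry per open gap, milestone left to fill in."""
    return [
        {
            "requirement": r["requirement"],
            "family": FAMILIES.get(r["family"], r["family"]),
            "weakness": r["evidence"],
            "status": r["status"],
            "milestone": "",
        }
        for r in gaps(rows)
    ]


def render(rows):
    """Human-readable summary: coverage per family, then the open gaps."""
    lines = []
    for fam, (impl, total) in sorted(coverage_by_family(rows).items(), key=lambda kv: req_key(kv[0])):
        lines.append(f"{fam:5} {FAMILIES.get(fam, '?'):36} {impl}/{total} implemented")
    lines.append("")
    lines.append("Open gaps (worst first):")
    for g in gaps(rows):
        lines.append(f"  {g['requirement']:7} [{g['status']}] {g['summary']}: {g['evidence']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(load_assessment(ASSESSMENT_CSV)))
```

The ordering in `gaps` puts missing controls ahead of partial ones, which is the order a remediation plan should follow; the `poam` output is the list of entries that requirement 3.12.2 expects you to track to closure, with the milestone column left for the owner and target date.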