NIST compliance would be difficult enough even if the requirements weren’t constantly changing and updating.
Federal contractors have long been required to meet certain standards for the protection of classified information, and as the industry and technology have changed, so have those standards.
That’s why this Central PA Engineering Firm got in touch with MicroXpress…
MicroXpress first partnered with this engineering firm back in 2011. The firm wanted to outsource their IT support and knew they could trust us to manage their IT needs while they focused on their work with the Department of Defense (DoD).
Since 2016, we have been directly managing their compliance with NIST 800-171.
As a contractor for the DoD, Advanced Cooling Technologies participates in regular NIST assessments. They needed someone to assess their network security and implement the required security solutions, and chose MicroXpress to manage it for them.
The National Institute of Standards and Technology (NIST) was founded in 1901 by Congress to remove obstacles in US manufacturing competition. It intersects with business cybersecurity when it comes to NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations.”
In 2016, NIST released NIST 800-171 to provide a cybersecurity framework that protects data not covered under a “Classified” label, but which could still prove dangerous for American interests should it be obtained by an adversary.
With NIST 800-171, it’s the contractor’s responsibility to safeguard all data and information related to any work performed for the DoD, including:
CUI is information created by the government or on behalf of the government that needs to be safeguarded. All government contractors are required by the government to follow the security guidelines to ensure adequate security by implementing NIST SP 800-171.
“CUI is unclassified information that requires safeguarding and dissemination controls pursuant to law, regulation, or Government-wide policy, as listed in the CUI Registry by the National Archives and Records Administration (NARA).”
The Department of Defense (DoD) uses the term Covered Defense Information (CDI) in its own coordinating rules for cybersecurity. Those rules govern the security of contractor information systems that store, process, or transmit federal contract information.
The Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity rules apply to Covered Defense Information (CDI). DFARS supplies a set of “basic” security controls for contractor information systems where this information is stored.
These security controls must be implemented at both the contractor and subcontractor levels. They are based on the information security guidance in NIST Special Publication 800-171.
While there aren’t specific fines associated with NIST non-compliance, that doesn’t mean there won’t be consequences. If you’re not compliant, you’re technically no longer qualified to contract with the DoD—no matter which contracts you have in place or the professional relationships you’ve built over the years.
If you are under contract and are found to be non-compliant, without having submitted variance requests or plans of action to fix the noncompliance, then you would be in breach of contract, leading to monetary damages.
Furthermore, if compliance with NIST 800-171 was an evaluation factor in your contract, then noncompliance could be grounds for protest. You could even be found guilty of criminal fraud if you claim to be NIST compliant but it can be proven that you weren’t and that you knew you weren’t.
Long story short—failing to be NIST compliant could lead to millions in lost revenue, reputational damage with governmental contacts, and even criminal charges.
The minimum cybersecurity standards are described in NIST Special Publication 800-171 and broken down into fourteen areas:
We ensure that this client’s networks are protected by industry-leading Fortinet firewalls that deliver a range of enterprise-class features, including:
EventTracker provides SIEM-based Managed Detection and Response (MDR) services. MDR is an outsourced service that provides organizations with threat hunting and responds to threats once they are discovered.
MDR fully manages the client’s cybersecurity defense, both keeping an eye out for threats and providing the expert team to address them when they occur.
MicroXpress is proud to provide MFA through our trusted, industry-leading partner Duo. This solution allows the client to add that extra layer of security to their business, ensuring only the right people can access their data.
MFA enforces a strict security policy right at the time of access, as opposed to other approaches that require the installation of agents. When a user attempts to log in with their username and password, they receive a push notification on a separate device to confirm the action.
MFA ensures that only users who have both the security credentials (username and password) and an independent additional device (such as a smartphone) that corresponds to those credentials can access the account.
This application control product follows zero trust methodology. The zero trust approach assumes that every device, user, and application is a potential vulnerability until it can be verified otherwise.
That means that instead of simply investing in a strong firewall and antivirus and assuming the client is protected, every part of the client’s IT environment and every user trying to access it is assessed for its security.
A vulnerability scan is a systematic analysis of the client’s IT infrastructure, covering both its performance and its potential security vulnerabilities.
It examines all components of their network and how they are used by their staff to determine their degree of security. By scanning for gaps and misconfigurations, we work with them to reduce the risk of cyber-attacks.
The MicroXpress team monitors the performance of the client’s servers and network while staying up to date on the latest advances in the specific technologies they use, to make sure their equipment doesn’t become obsolete.
Should their tech fall behind the times, we actively work to update their IT so that they never experience an issue due to outdated equipment.
We follow a precise process for managing our client’s NIST compliance:
Our compliance services begin with a comprehensive assessment of your IT systems, the findings of which are compared with compliance cybersecurity controls.
Our team will then develop a strategy to mitigate any risks of noncompliance, providing detailed documentation with which you can demonstrate your commitment to compliance.
MicroXpress has been providing professional IT services to Central PA businesses since 1989. Watch this brief video to find out the Top Five Reasons so many local businesses are switching to MicroXpress for their IT support.