Does Your Organization Meet All NIST Requirements?
Is your organization prepared to demonstrate NIST 800-171 compliance?
As of 2017, any entity that processes or stores US government Controlled Unclassified Information (CUI) — government contractors, research institutions, consulting companies, manufacturing contractors — must comply with the stringent requirements of NIST 800-171 or be prepared to face a myriad of risks, including the loss of contract renewals, newly won bids, or the ability to secure future contracts.
NIST 800-171 Compliance and the Upcoming CMMC
The US National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect the data and information systems of federal agencies. If your organization specializes in these spaces, the NIST compliance framework should not be a stranger to you.
Initially, NIST 800-171 was meant to be a “common sense” set of guidelines for any organization seeking to improve its cybersecurity. Unfortunately, since compliance with NIST 800-171 became a requirement in 2017, contractors have been inaccurately self-attesting to NIST 800-171 compliance, which has resulted in serious cybersecurity deficiencies, security breaches, and delayed projects. In response to this, the DoD announced the impending launch of the Cybersecurity Maturity Model Certification (CMMC) in September 2020. Once officially released, a CMMC certification will be required in place of self-attested NIST compliance.
The government defines CUI as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies” but isn’t considered sensitive enough to earn the status of “Classified”.
The good news is you can get ready for the CMMC today, by partnering with a third-party auditor (C3PAO) like Withum to perform a NIST compliance audit and cybersecurity assessment.
Consequences of NIST 800-171 Non-Compliance
If an organization is found to be out of compliance with NIST 800-171 (and, soon, the CMMC), it risks losing any current contracts or newly won bids, as well as being prevented from closing any additional contracts in the future. Plus, the reputational damage of being non-compliant can have far-reaching consequences. Below is a brief timeline of the expected CMMC rollout:
- January 2020 – CMMC Compliance Checklist to be released
- June 2020 – CMMC requirements will appear in RFIs
- September 2020 – CMMC requirements will appear in RFPs
How to Become NIST 800-171 Compliant
Since self-attested NIST 800-171 compliance will no longer be accepted, organizations should prepare for the CMMC now by becoming NIST 800-171 compliant as soon as possible. Any type of cybersecurity audit takes time, and a NIST compliance audit is no different. Once the CMMC is released, the last thing companies want is to be scrambling to tie up loose ends or fix surprise noncompliance issues. The best way to get ready for the CMMC is to follow these steps:
- Understand the NIST 800-171 compliance requirements
- Analyze current cybersecurity measures and processes
- Identify any security breaches or compliance gaps
- Put measures in place to meet NIST 800-171 compliance
Why Partner With Withum for NIST Consulting
With over 20 years of experience in the areas of cybersecurity, digital forensics, and data privacy, Withum’s security consultants and auditors have seen it all. We’re well-equipped to help organizations of all sizes prepare for the CMMC by meeting NIST 800-171 compliance. Even though the CMMC is months away, DoD, GSA, and NASA contracts (among others) require NIST 800-171 compliance now.