If you do any kind of military contract work, you are required to implement a minimum set of cybersecurity controls in your organization. The DoD requires all military contractors and subcontractors to adhere to DFARS 252.204-7008, which is essentially just a pointer to NIST SP800-171.
NIST SP800-171 is entitled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. It differs from the NIST Cybersecurity Framework (CSF) in that it focuses only on the confidentiality of data, not on its integrity and availability. According to NIST:
“Some SP 800-171 security requirements are not mapped to any CSF subcategories due to the scoping of SP 800-171 which is focused solely on protecting the confidentiality of CUI in nonfederal systems (i.e., security requirements supporting availability and integrity are not addressed in SP 800-171) and assumes some security best practices to be routinely satisfied by nonfederal organizations as part of conducting business.”
So what does compliance look like? What do companies have to do? Well, firstly, this requirement became effective on December 31st, 2017, so if you haven’t started working toward compliance yet, you’re already over 6 months past due.
Secondly, NIST SP800-171 defines 14 core requirements, which are:
Access Control – Least privilege, separation of duties, limiting unsuccessful login attempts, screen lock after a set period of inactivity, encryption of CUI on mobile devices, password-protected wireless access
Awareness & Training – Security awareness training, plus training on malicious insider threats (online or in-person)
Audit & Accountability – Each user’s actions must be uniquely traceable to that user, IT system clocks must be synchronized, and logs from different systems must be correlated
Configuration Management – Hardened server and workstation images, application whitelisting or blacklisting