NIST Compliance Case Studies
We Know How Daunting NIST Compliance Can Be
MRC’s journey from novice to NIST expert leads to a continuous compliance solution for other small businesses
As CTO of a mid-size defense contractor, I had the daunting task of coordinating our NIST SP 800-171 compliance effort.
The deadline for implementation was December 31, 2017 and the consequences of procrastination could mean significant loss of business, or worse. For me, the prospect of seeing our 300-person organization—with a 70-year history of providing engineering services to the U.S. Navy—penalized for noncompliance or unable to bid on key contracts was unacceptable.
Something had to be done.
When we at McLaughlin Research started our journey toward NIST SP 800-171 compliance, we had only a vague idea of what it would entail. When we plunged deeper into NIST SP 800-171, we realized it was a massive undertaking. Implementing NIST SP 800-171 can be fraught with obstacles. A main problem is interpretation. The 110 requirements are written in language that is vague, at times opaque. To successfully implement NIST SP 800-171, one needs to know the rules inside and out, read between the lines, and anticipate what they don’t explicitly state. The time it takes to learn these is time your typical IT leader doesn’t have. IT professionals supporting small-to-mid-size DoD contractors are often overworked and underfunded. How can they be expected to simultaneously put out the myriad fires and methodically work through inches of complex guidance documents?
My early assumption was that we would coast through compliance, a few security updates here, some policy tweaks there. Wrong.
We queried a half dozen cyber risk-assessment firms, some big, some small. The unified answer was that a turn-key solution did not exist, and neither did companies offering NIST expertise in our price range. A piecemeal solution from one of these established consulting firms was going to cost a fortune, perhaps more than $150,000 in the first year alone. Since NIST requires continual updates and improvements, what would we be paying year after year? And there was the real possibility that we would still fall short of NIST SP 800-171 compliance. In parallel, our existing contracts were being modified by the government and prime contractors to include the newly updated DFARS 252.204-7017 regulation requiring all DoD contractors to be in full compliance by December 31, 2017. That’s when panic set in.
We decided to take the costly approach to build what previously did not exist. First, we developed a network appliance to address the auditing and accountability requirements of NIST SP 800-171. We and our auditors would have access to all our cyber data in real-time, visualized in an elegant and intuitive dashboard. After an internal audit showed us that our written cyber policies fell short of the NIST SP 800-171 mandates, we built a second tool, a policy builder. This “TurboTax” style tool allowed us to input our compliance notes and automatically output a System Security Plan (SSP) and Plan of Actions and Milestones (POAM) that the government contracting officers require to be eligible for new contracts. Our path to compliance was costly – over $200,000 to date.
With the mystery of compliance removed, we sought to scale our solution and pass it along to other contractors as a plug-and-play compliance tool, and NeQter Labs, LLC was born. With some simple, well-designed tools, we made NIST SP 800-171 compliance achievable and affordable for everyone, so they can avoid the complex and expensive path to compliance.