NIST SP 800-171 Self-Compliance for SMBs
T-minus three months, and counting! December 31, 2017, is the deadline by which the Department of Defense (DoD) requires contractors to protect Controlled Unclassified Information (CUI) on their information systems.
The regulation requires that contractors throughout the entire supply chain implement information security measures, or risk losing government business. As outlined in National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), there are 110 security requirements that contractors must comply with. This is no small task! For an overview, please read our Coming Soon to a Government Contract Near You: NIST SP 800-171 Cybersecurity Standards blog post.
So, how are companies preparing? How are they assessing their cyber risk, updating security measures and documenting their policies and procedures? There are two main approaches: consulting services and self-compliance.
For large defense contractors with an existing (and probably robust) cybersecurity infrastructure, retaining a NIST specialist may be the way to go. An auditor or assessor who specializes in NIST requirements will help assess a company’s readiness and make recommendations to reach compliance.
Consulting firms that specialize in NIST compliance can help in a variety of ways, depending on what a contractor needs. Some firms simply write the required policies and procedures. Others provide hands-on assistance, set milestones, and map a path to compliance. Some will even implement recommendations, including the installation of hardware. Either way, the contractor remains primarily responsible for implementing the consultant’s recommendations.
This injection of expertise is expensive—approximately $125 to $300 per hour, with the top firms charging as much as $1,500 per hour! It’s not unusual for consultants to charge $10,000 for the first week and $8,000 per week after that. This may be acceptable for large contractors who have multi-million-dollar IT budgets and a high level of risk and exposure. These large contractors can also deploy an army of in-house networking, IT and security professionals to respond to security gaps identified. For large contractors, consulting firms may complement their team nicely.
Spending tens or hundreds of thousands of dollars is not for everyone. Small and medium businesses (SMBs) don’t have the same financial resources as their bigger contractor cousins. Nor do they have the same level of risk.
Even if SMBs hired security specialists, they would still have to implement the recommendations, which will likely include purchasing and installing a new Security Information and Event Management (SIEM) tool, a vulnerability scanner, and log-management equipment. Given this, resourceful SMBs are apt to roll up their sleeves and tackle compliance themselves.
The benefit of this approach is that SMBs become experts in the NIST requirements. The learning curve will be steep, but maintaining compliance will be easier in the long run.
Dissecting and mapping the NIST 800-171 requirements is a time-consuming process. Interpreting and comparing the requirements to existing policies and infrastructure involves a lot of back-and-forth. Companies often use spreadsheets to keep track of progress and identify gaps as they work through all 110 NIST requirements. Some consulting firms even offer Excel templates.
Commercial cybersecurity solutions exist, too. These robust, enterprise-level solutions offer the event logging and vulnerability management tools that are needed for NIST compliance. But these tools are not NIST-specific, and they are overkill for SMBs. Most of these solutions are hosted applications. Pricing varies with usage and frequency, ranging from $1,999 per year to $14,000 per month!
The NeQter Labs Story
McLaughlin Research’s cybersecurity division, NeQter Labs, is the result of self-compliance. We reviewed all of the options presented in this post. We even purchased one of the Excel templates mentioned above. As a medium-sized contractor with limited resources, we quickly decided to take the roll-up-your-sleeves approach to compliance.
A tool that we initially developed in Excel became a simple, intuitive web application: our System Security Plan (SSP) builder. After interpreting the NIST requirements, we added prompts to guide us through the assessment process (and to serve as reminders in the future).
We also built our own network security appliance that’s right-sized to the NIST requirements. No more, no less. It provides real-time network monitoring, vulnerability scanning and log management, and it will even send alerts about irregular activity, potential breaches, internal threats, and other incidents.
There are a number of approaches contractors can take toward achieving NIST compliance. Contractors must balance their needs with their resources, expertise and budget. While the average SMB may not want to develop its own solution or start a cybersecurity division, self-compliance is beneficial in the long run.