Another data disclosure fiasco is in the news now. Data from fitness monitors is apparently giving away troop and base locations around the globe. Given the frequency of disclosures like this, it is somewhat surprising that a fairly significant deadline concerning information security just passed by with hardly any notice. The deadline applied to any firm doing business with the U.S. Government, or with subcontractors of those firms. It was set by this simple-sounding directive:
All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or risk losing their DoD contracts.
The directive refers to a set of requirements that flow from something called NIST 800-171. NIST stands for the National Institute of Standards and Technology, part of the U.S. Department of Commerce. The NIST Security Framework emanated from a 2013 Executive Order intended to improve cyber security. While not as widely known as ISO 27001, which seems to be the gold standard for managing sensitive information, at least in the private sector, NIST, and particularly 800-171, which I’ll get into in a minute, is an alternative that has some benefits. The standard is less prescriptive and therefore can be simpler and less expensive to implement, while still carrying the imprimatur of the U.S. Government. NIST 800-171 is an offshoot, a subset really, of NIST 800-53, a more robust standard that was promulgated for Federal agencies. The newer standard is specifically for non-federal entities, including companies doing business with the government.
It is a basic requirement for a firm to demonstrate to customers and partner firms that information security management is well controlled. Companies, therefore, especially small ones, would be well served to look at NIST 800-171 as an organizing framework for protecting information assets. It provides a full set of risk assessment principles and controls, as well as a structure for executing, evaluating, monitoring and redressing risks and threats related to technology-related assets.
Not every firm is in danger of landing on the front page of the New York Times for giving away military secrets, but just about everyone can relate to the potential for some form of embarrassment if they’re found wanting in the attention they paid to cybersecurity threats.