Importance of Being NIST SP800-171 Compliant

April 4 2018

The National Institute of Standards and Technology published the standards in NIST SP800-171 for all contractors and subcontractors of the United States Department of Defense (DoD). Compliance was required by Dec. 31, 2017, and the standard focuses on safeguarding Covered Defense Information (CDI) and reporting cyber security incidents.

So what exactly is NIST SP800-171?

NIST SP800-171 followed a presidential executive order directed at all federal agencies and all non-federal organizations involved in government contracts. The order made these entities responsible for a set of controls that protect Controlled Unclassified Information (CUI) from falling into the wrong hands.

NIST SP800-171 is a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit Covered Defense Information (CDI) and Controlled Unclassified Information (CUI). The focus is on building cybersecurity by turning attention to how desktop and laptop computers, cell phones, tablets, servers and cloud storage systems use, store and protect sensitive information.

In this way, the Department of Defense is providing an elevated common standard for cybersecurity among its providers.

Does it Matter?

In order for contractors and subcontractors to do business with government entities such as the Federal Aviation Administration (FAA), they must be compliant with NIST SP800-171. Further, contractors that wish to do business with entities such as Raytheon, Lockheed Martin, and other prime contractors also must comply if they wish to continue participating in government contracts.

Skirting these requirements while maintaining government-connected contracts leads to a host of business problems. Contract termination is the most obvious risk: whether the non-compliance lies with the prime or the subcontractor, the prime contractor is held responsible. Criminal fraud charges and breach of contract litigation are additional risks of non-compliance now that the standard is required.

With these risks and much of the responsibility falling to prime contractors, NIST SP800-171 has pushed outside the boundaries of government work. As the threats related to cybersecurity only increase, the need to address them spreads. Therefore, like any quality or security control, the benefits extend to all partners that do business with a manufacturer in compliance with NIST SP800-171.

Flow Down and NIST SP800-171

NIST SP800-171 is currently a self-regulated set of standards but prime contractors such as Raytheon and Lockheed Martin are finding ways to substantiate evidence of compliance.

As the lead contractors, these businesses carry most of the risk associated with CUI, including risk that arises within the confines of a subcontractor. Consequently, the NIST standards are now enforced largely by the prime contractors as they pass the requirements down to their subcontractors.

EXOstar is another resource that manufacturers can use to help find qualified subcontractors. This third-party software collects documentation and answers to compliance questions that help prime contractors determine the NIST qualification of their subs.

NIST at Levison Enterprises

As an electronic contract manufacturer (ECM) that is committed to quality, the NIST SP800-171 requirements fell in line with much of the work we were already doing out of good practice. We have always been and remain committed to increasing security for government and non-government contracts alike, so compliance was a natural step for Levison Enterprises.

Though there is no specific process for certifying, as a subcontractor for prime government contractors, Levison Enterprises committed to fully complying with NIST SP800-171. Like many quality certification standards, compliance means self-regulating and documenting adherence to the requirements.

This involved a third-party gap assessment and testing to meet the specifications. Initial and ongoing training keep Levison Enterprises aware of potential cybersecurity threats and the ways to protect against them.

For Levison Enterprises, much of this work is focused on document control. While there are many guidelines within NIST SP800-171, this is the area most in line with our work as an ECM subcontractor.

Document Control at Levison Enterprises

Levison Enterprises works to continuously define Controlled Unclassified Information (CUI) as it relates to our business and the business of our partners. In many cases, there may not be clear guidance on what is CUI or not, so we work with our prime contractors to clarify for added precaution.

We have developed comprehensive Data Flow Diagrams (DFDs) to identify where CUI is stored and processed on our network. Where possible, we prefer to segment CUI away from all other data storage to build stronger security around the CUI.

Levison Enterprises also maintains documentation regarding how, when, and where CUI controls are applied. These controls may be in the form of policies and procedures or they may be specific technology solutions that are created for specific types of data.

Generally speaking, regulations are not something that people usually cheer. NIST SP800-171 was no exception to this, but it has driven steps in the right direction toward countering cybersecurity threats in the United States. Intellectual property theft is a serious problem within manufacturing as it leads to a host of other serious issues that threaten human safety.

By taking NIST SP800-171 seriously, along with the many other safety and quality certifications that Levison Enterprises holds, we are doing our part to reduce the risks and potential impacts of cyber security incidents on our business partners and, ultimately, consumers.

Let’s talk about how Levison Enterprises’ commitment to data security can support your production needs. Contact us today.
