The potential fallout from the failure to comply with National Institute of Standards and Technology (NIST) standards can be serious. It can hurt your ability to do business with the government or bid for contracts. It can hurt your reputation. If you are doing business with the government already, failure to maintain your compliance can lead to termination of your contract and put you in potential legal jeopardy.
What is NIST Compliance?
NIST is an agency within the US Department of Commerce that creates standards in the science and tech industries. NIST’s compliance standards assist federal agencies and contractors to meet requirements mandated under the Federal Information Security Management Act (FISMA) and other regulations. It’s not just used by government agencies, however. NIST creates a framework for any organization to assess security risks.
By following voluntary NIST compliance guidelines, organizations can ensure compliance with FISMA regulations as well as contribute to Sarbanes-Oxley (SOX) and Health Insurance Portability and Accountability Act (HIPAA) mandates. NIST compliance can also help government contractors meet standards set up through the Defense Federal Acquisition Regulation Supplement (DFARS).
These guidelines represent best practices for security controls to safeguard and protect confidential information and data.
Who Needs To Meet NIST Compliance Standards?
While any business or organization will benefit from using the NIST compliance standards, organizations that do business with the government should adhere to the NIST compliance standards. Some of the organizations that will need to comply include:
- Government staffing firms
- Procurement services companies
- Manufacturers that sell to the government
- Manufacturers that sell to government suppliers
- Higher learning institutions, such as universities
- Research institutions
- Consulting companies
- Service providers
Why Is NIST Compliance Important?
The goal is to help organizations keep their data and information secure and safe. Implementing these best practices provides a host of benefits. In addition to meeting industry and governmental regulations, NIST standards help protect critical infrastructure from insider threats and attacks from outside.
It provides a framework for organizations to help IT teams to protect their networks from malware, ransomware, and other cyber attacks and threats.
For businesses that provide services to the federal government, NIST compliance can be used as a baseline for evaluating bids and contract awards. Companies that are non-compliant may lose the ability to do business with government agencies. Even after bids are awarded, agencies may conduct on-site evaluations to confirm compliance.
Contractors doing business with the Department of Defense, NASA, the Department of Transportation, the General Services Administration (GSA), and others are required to provide security that meets at least the minimum standards outlined in NIST Special Publication 800-171. That may not be enough, however. With recent news about increasing outside attacks on sensitive data and successful breaches, organizations may need to demonstrate they have security protocols and procedures that go above and beyond NIST standards.
NIST Compliance: Cybersecurity Framework (CSF)
One of the most widely used NIST standards is the Cybersecurity Framework (CSF). CSF is used to evaluate security controls using five core areas for examination.
Cybersecurity Framework Core Areas
Each of the five core areas of the Cybersecurity Framework contains sub-sections that identify the key areas for assessment. Each of these sub-sections is then broken down further into standards, guidelines, and practices.
NIST standards cover a range of best practices. The CSF framework complies with federal and state government practices. Special Publication 800-171 applies to unclassified information for non-federal systems and organizations. There are literally hundreds of publications that cover specific standards in specific industries.
NIST Compliance: Federal Information Processing Standards (FIPS)
FIPS stands for Federal Information Processing Standards. These are used as guidelines for document processing and handling. Government agencies, contractors, and vendors use these standards to manage data and encryption algorithms. FIPS is mandatory for government computers. Organizations that interact with data protected by these rules, such as contractors and subcontractors, must also ensure compliance with NIST standards.
NIST Compliance: Internal & External Audits
Internal audits are initiated by an organization’s staff to assess risk, compliance, and security. Managing NIST compliance can be complex. Internal audits should be conducted regularly to demonstrate a commitment to proactively protect data. External audits are formal compliance audits handled by third-party companies. These audits will check for compliance against specific federal, state, industry, and corporate rules and standards.
These audits help organizations identify weaknesses in data handling, security, and regulatory compliance. This can help reduce risk and avoid potential fines or legal issues for noncompliance. In addition, it’s a tool to make sure the business maintains the strict protocols necessary to protect assets.
NIST Compliance: Certification
There is no official NIST certification program available through the government. With the vast amount of data and the number of companies that are part of the government’s supply chain, it would be almost impossible to certify the entire supply chain. As such, vendors are expected to self-certify that their company meets NIST standards.
The risks of non-compliance are high. You may not be able to do business with the government and other organizations connected to the government. If you self-certify that you are compliant but fail to take the necessary steps to maintain compliance, you could be looking at fines. In worst-case scenarios, you could face fraud charges for failure to maintain standards required as part of a contract. This can lead to a breach of contract lawsuit or even criminal charges.
If you are a subcontractor working on government projects through a prime contractor, you can also be at risk. The prime contractor has to self-certify that its entire supply chain, including subcontractors, is compliant. Subcontractors that don’t meet NIST compliance standards will be excluded from projects or removed from the list of approved vendors.
NIST Compliance: Action Steps
Contractors and subcontractors will benefit from taking specific steps to comply with NIST. Anyone that interacts with controlled unclassified information (CUI) must implement and verify compliance. It can get complicated very quickly, as you may be responsible for verifying your own compliance as well as that of any other organizations you share CUI with, such as subcontractors. When you work with the federal government, you have to certify your entire supply chain.
1. Locate and Isolate
The first step is to locate and categorize all systems that contain any of the protected data. Data covered by NIST compliance should be separated from other proprietary data. When it comes to an audit, this will simplify the process.
2. Establish Controls & Authentication
Controls should limit access to protected data to only authorized individuals. Regular reviews should be done to affirm compliance. Procedures should be established to handle new employees, assignment changes, and termination of employees.
3. Encryption Controls & Data Handling
All data should be encrypted whether it is in the system or being transmitted. Policies should be implemented to identify how data can be transmitted. This is especially important when using mobile devices. There should also be policies put in place that cover employee use of personal devices.
4. Monitoring & Stamping
Data needs to be monitored and access needs to be stamped so that any interaction can be traced to unique users. This allows a layer of data protection to quickly identify breaches or problems and hold individuals accountable.
5. On-Going Awareness Training
Employees need to understand the governance and best practices. Training should happen at the onboarding process and at regular intervals.
Employees should know what they can and cannot do when working with protected data. They should also be trained to recognize security threats from both internal and external sources.
6. Audit, Assessment, And Evaluation
Regular security assessments should be conducted that examine and evaluate systems, data handling procedures, monitoring, and training to assess risk. A gap assessment needs to be conducted to provide you with an honest appraisal of where you are falling short. Remedial steps need to be taken once lapses have been identified. Each instance should be documented to show proactive steps toward compliance.
7. System Integrity
You will need to identify and monitor access points to company systems to continually assess system integrity. Are there controls in place that prevent bad actors from accessing data and systems?
When an incident occurs, you need to make sure that you can quickly identify threats.
8. Incident Response
What happens when there has been an incident, such as a breach or lapse? There should be policies and procedures in place that spell out the steps to take, including notifications and remedial actions as outlined in NIST SP 800-61 and SP 800-184.
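The following is an added example, not code from the original article, showing how action steps 2 (limit access to authorized individuals, with procedures for terminated employees) and 4 (stamp every access so it traces to a unique user) can be implemented together in a system that holds CUI. The user directory, roles, user ids and resource names are constructed for illustration; every access decision, allowed or denied, is appended to a hash-chained audit log that a reviewer can verify for tampering.

```python
"""Added example (not from the original article): an access gate for CUI records
that limits access to active, authorised users and records every decision in a
tamper-evident audit log tied to a unique user id. All users, roles and
resources below are constructed for illustration."""
import hashlib
import json
import time
from dataclasses import dataclass, field

# Constructed user directory. "active" models step 2: leavers are deprovisioned
# rather than deleted, so old audit entries still resolve their id to a person.
USERS = {
    "u1001": {"name": "A. Analyst", "roles": {"cui-reader"}, "active": True},
    "u1002": {"name": "B. Engineer", "roles": {"cui-reader", "cui-writer"}, "active": True},
    "u1003": {"name": "C. Former", "roles": {"cui-reader"}, "active": False},  # terminated
    "u1004": {"name": "D. Marketing", "roles": set(), "active": True},
}

# Role required for each action on a CUI record (constructed policy).
REQUIRED_ROLE = {"read": "cui-reader", "write": "cui-writer"}


@dataclass
class AuditLog:
    """Append-only log. Each entry commits to the previous entry's hash, so
    editing or removing an earlier entry breaks the chain (step 4). Removal of
    the most recent entries is not caught by the chain alone; anchor the latest
    hash externally (e.g. ship it to a separate log host) to cover that case."""
    entries: list = field(default_factory=list)

    def append(self, user_id, action, resource, decision, reason):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "ts": time.time(),
            "user_id": user_id,       # the unique user the interaction traces to
            "action": action,
            "resource": resource,
            "decision": decision,
            "reason": reason,
            "prev": prev,
        }
        # Canonical JSON (sorted keys) so the hash does not depend on dict order.
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if every entry hashes to its stored value and chains to its
        predecessor; False if any entry was altered or an earlier one removed."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def authorize(log, user_id, action, resource):
    """Decide whether user_id may perform action on a CUI resource and record
    the decision, allowed or denied, in the audit log. Returns True if allowed."""
    user = USERS.get(user_id)
    if user is None:
        decision, reason = "deny", "unknown user"
    elif not user["active"]:
        decision, reason = "deny", "account deprovisioned"
    elif action not in REQUIRED_ROLE:
        decision, reason = "deny", "unsupported action"
    elif REQUIRED_ROLE[action] not in user["roles"]:
        decision, reason = "deny", f"missing role {REQUIRED_ROLE[action]}"
    else:
        decision, reason = "allow", "role check passed"
    log.append(user_id, action, resource, decision, reason)
    return decision == "allow"


def access_report(log):
    """Per-user summary for the regular access reviews in step 2.
    Returns {user_id: {"allowed": n, "denied": m}}."""
    report = {}
    for e in log.entries:
        counts = report.setdefault(e["user_id"], {"allowed": 0, "denied": 0})
        counts["allowed" if e["decision"] == "allow" else "denied"] += 1
    return report


if __name__ == "__main__":
    log = AuditLog()
    authorize(log, "u1001", "read", "cui/contract-42.pdf")
    authorize(log, "u1001", "write", "cui/contract-42.pdf")   # reader cannot write
    authorize(log, "u1003", "read", "cui/contract-42.pdf")    # deprovisioned account
    authorize(log, "u1002", "write", "cui/contract-42.pdf")
    print(json.dumps(access_report(log), indent=2))
    print("log intact:", log.verify())
    log.entries[1]["decision"] = "allow"                      # tamper with history
    print("log intact after edit:", log.verify())
```

Denied attempts are logged as deliberately as allowed ones: a burst of denials from a deprovisioned account or from a user without the right role is exactly what the monitoring in step 4 and the access reviews in step 2 are meant to surface.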
NIST Compliance: Checklists
NIST publishes a National Checklist Repository. It is available to the public and contains specific checklists for various industries, products, and categories. It provides further information for operational environments which can be customized to your specific application.
NIST Compliance Is Critical But Complex
Making sure you are in compliance with every standard covered by NIST, in addition to all the other federal and state regulations in your industry, is complex and can be confusing. Just last fall an endeavor started to create a new NIST Privacy Framework which will surely increase the complexity. Expert guidance can help you navigate these growing and complex regulations, and help assure your business is compliant.