New guidelines governing the transmission, storage and use of protected data create compliance challenges for companies and contractors looking to do business with federal and state agencies.
Companies wanting to continue to do business with certain federal departments and agencies have just a few months to ensure that their cybersecurity protocols are up to par.
That’s because of the December 31st deadline for companies to demonstrate compliance with new guidelines prepared by the National Institute of Standards and Technology (NIST). The NIST is a non-regulatory federal agency that focuses on driving innovation and economic competitiveness for U.S.-based companies in science and technology industries.
The NIST establishes technologies, standards, and metrics that allow federal agencies to comply with guidelines that protect information systems and data. It establishes the standards that federal agencies need to follow for security controls for information systems.
Specifically, the NIST guidelines require contractors, businesses or individuals that work with or for federal or state agencies to have documented system controls in place for dealing with controlled unclassified information (CUI). Federal agencies often share this type of information with business partners and collaborators and the new guidelines are intended to keep that data safeguarded.
The guidelines require those working with federal agencies to demonstrate compliance with 14 different categories of process and control.
Within those 14 broad categories are more than 100 specific controls that must be documented and in place by the end of 2017.
For any company that processes, stores or transmits the potentially sensitive information governed by the NIST guidelines, the risks of non-compliance are significant. Federal and state agencies can sever contracts with non-compliant partners. Companies wanting to establish compliance need to act quickly to meet the federal deadline.
Companies need to ask more questions, including:
While all the NIST compliance elements are critical, there are some that are more challenging for many companies. Here’s a closer look at three of the most complicated aspects of the guidelines.
Encryption. Encryption comes to play in two of the 14 categories: Access Control and Identification and Authentication.
Under Access Control, the guidelines state that wireless access to systems needs to be protected using encryption methods. In addition, any data used or stored on mobile devices must also be encrypted. An Identification and Authentication guideline calls for the storage and transmission of passwords must also be encrypted.
Companies will need to use validated cryptography tools. Their system designs may be flawed, requiring third-party assistance to ensure proper encryption procedures.
Incident Response and Reporting. In addition to the operational procedures detailed above, the NIST guidelines require companies to track, document and report incidents to the proper authorities or authorized personnel both within and external to the organization. Testing must also be done regularly to ensure compliance with the defined guidelines.
For example, Department of Defense guidelines covers even a potential compromise. Within 72 hours of a potential issue being identified, a contractor must review evidence and report on the findings of that review to the agency. These mandates mean that companies need to have a well-defined plan and response team ready to activate and execute promptly.
Continuous Monitoring. While continuous monitoring is not one of the 14 broad categories, there are 10 different controls that require ongoing monitoring and investigation. This area shows up in remote access sessions, user-installed software, physical location and infrastructure, visitor activity, use of mobile code, voice over internet protocol (VoIP) tools, and inbound and outbound communication traffic.
The volume of required monitoring can trip up companies seeking compliance, driving some organizations to outsource the monitoring required by the NIST guidelines.
Companies that want to maintain good working relationships with agencies will need some assistance to ensure compliance prior to the December 31st deadline and on an ongoing basis. Without documentation and procedures in place, companies that rely on work with key agencies will find themselves on the outside looking in.