Dozens of NH firms missed security compliance deadline
By RYAN BARTON
January 07, 2018 2:05AM
Dozens of New Hampshire companies that manufacture components for the U.S. government or government contractors missed the first deadline in a new series of requirements for handling sensitive data.
Whether contract details or schematics for a new fighter jet radar component, the government doesn't want its data in the wrong hands, so it issued a series of information security standards that all its downstream vendors - and their vendors' vendors - were required to begin following by Dec. 31.
Why new standards?
New Hampshire is awash with small and medium-sized manufacturers whose outdated security policies and older technology are not compliant with the new requirements. NIST 171 has 110 specific controls covering policies, cybersecurity, training and technical specifications, so it is a tremendous amount of work for companies to implement these specific security measures to protect data wherever it lives.
Cybersecurity standards were first required for Defense Department subcontractors in 2013 through the Defense Federal Acquisition Regulation Supplement (or DFARS); in 2015, NIST SP 800-171 (referred to as "NIST 171") was chosen as the specific set of requirements. This special publication released by the National Institute of Standards and Technology (NIST) was designed for small and large companies that deal with what's called "Controlled Unclassified Information" (CUI). DFARS set the Dec. 31 compliance requirement nearly three years ago.
Compliance and minimum requirements
DFARS contracts don't specify what happens to companies that aren't fully in compliance. Each noncompliant company is supposed to notify the Defense Department compliance personnel and receive permission, but many won't. It's easy to project that eventually audits and proof of compliance will follow, with contractual penalties or default for those out of compliance.
What may happen sooner is that the large manufacturing companies (with large government contracts, known as "Primes") will enforce proof of compliance and security audits on their downstream vendors in order to ensure their own compliance. If nothing else, noncompliant organizations are unlikely to win new business.
Some compare this rollout to the requirement for ISO9001 in the industry that began many years ago - it took several years for those requirements to be enforced. However, ISO9001 wasn't a requirement from the Defense Department, and there was a clear certifying body to make compliance clear - which there isn't for NIST 171.
It is not too late
NIST has released guidance that the minimum requirement is having completed an initial assessment and a documented plan of action and milestones. Not everything had to be completed by Dec. 31, but it's critical to have performed an initial assessment, to have a plan and to be making significant progress toward full compliance.
Companies that haven't started the process of implementing controls from NIST 171 should immediately find a partner with a comprehensive understanding of NIST 171 and the technical and policy-writing experience required. Or, they should assign someone with technical expertise to read the special publication and associated NIST documents for each of the 110 controls, create a strategy, and document the company's progress toward compliance.
While the consequences for missing deadlines are vague now, tolerance for not protecting CUI data will soon run out. That was the message to an at-capacity crowd of manufacturing industry companies at a recent seminar Mainstay held in partnership with the New Hampshire Manufacturing Extension Partnership and the New Hampshire Business and Industry Association.
And this is true for all industries: To do business today, you should have an information security program to protect yourself and your clients. To do business tomorrow, that information security program is going to be mandatory for nearly all industries, just as it is now for contractors in the DoD supply chain.
Creative approaches to compliance
The path to NIST 800-171 compliance can vary by company, and the right information security partner should be able to explore creative and strategic options that meet new requirements. The ultimate goal is to protect information and avoid a breach. Doing so provides valuable risk mitigation and a path to implementing wise strategies that genuinely protect data and reduce risk to companies.
This is a new cost of business that everyone should take on because of the state of cybersecurity today. It's absolutely possible to make these technical requirements easier when you're working with the right partner who can find a balance of compliance and cost efficiency.
To learn more about compliance requirements pertaining to NIST 800-171, DFARS 252.204-7012, or other industry-standard information security programs, contact Mainstay Technologies via mstech.com or 603-524-4774.
Ryan Barton is CEO of Mainstay Technologies, a company founded in 2004 that provides information technology and information security services. Mainstay has offices in Manchester and Belmont and more than 40 strategists, technologists, and information security professionals. Learn more at mstech.com.