NIST 800-171 Isn’t Just a Regulation, It’s Smart Business
Published:
Feb. 20th, 2019
Getting NIST 800-171 Compliant isn’t just about satisfying a regulation, it’s smart business. Hacks can come from anywhere and target anyone. Not only can your business get in hot water with the government for failing to be compliant, you could be in an even bigger mess if a hack is the result of negligence on your part.
Recent hacks of systems belonging to United States companies have been validation of the reasons behind the new cybersecurity rules that contractors must follow in order to do business with the United States Government. Foreign nation-states have been behind several large scale hacks and have managed to penetrate the systems belonging to several contractors. While the NIST standards and DFARS rules have been effective for some time, contractor information systems are still at risk of foreign penetration efforts.
Several high-profile intrusions and information thefts caused a change in the way that the government views its information and the contractors whose information systems house it. While the government must take pains to protect sensitive information, contractors were not subject to standards for their own systems, even though they could function in the same role as the government. This changed with NIST 800-171 which contained cybersecurity standards that contractors must follow. These are requirements for anyone hoping to obtain or keep a contract with the federal government.
Even with the new rules, problems still abound. Hackers from China have been active in trying to access contractor systems. In some instances, they have been effective. It has been reported that Chinese hackers have accessed the systems of numerous contractors who do business with the United States Navy. In addition, when the computers belonging to Marriott Starwood were breached, the hackers gained access to information about movements of United States Government personnel.
Even though there are new standards in place, the risk of cyber attacks has not gone away. If anything, hackers associated with nation-states are doubling their efforts to gain entry to sensitive information stored on contractor business systems. While the effective date of these standards has passed, there are still many issues because not every contractor is in full compliance yet. Further, every subcontractor must also comply with these rules. Oftentimes, these subcontractors are smaller entities that have trouble mustering resources to fully comply with these rules. Eventually, the contractors will be held responsible for the errors of their subcontractors because the onus is on them to make sure that they enter into subcontracts with those in compliance. In essence, hackers are doing what they can to test the systems of contractors, knowing that they may still not be fully compliant with new cybersecurity rules.
The threat and the intrusions are not limited just to Navy’s contractors. The Department of Defense has its own vulnerabilities that China and other nations are trying to exploit. Even information pertaining to ballistic missiles is at risk of being misappropriated by foreign entities.
To the extent that contractors can take steps to protect their information systems, they must do so. Not only do contractors have an obligation to the government with whom they transact, but taking vigorous steps to enhance cybersecurity is also a good business practice. Cyber breaches are both costly and embarrassing and many businesses have trouble surviving the hit to their reputation if their laxness leads to a large-scale theft of information from their systems. Compliance solutions can help companies take steps to shore up their systems.