What are my NIST 800-171 Outsourcing Options?

NIST 800-171 compliance is still a relatively new topic. Contractors are hustling to learn all they can about these cyber security requirements before the December deadline. Inevitably, folks start to ask if there are any NIST 800-171 outsourcing options.

What aspect of NIST 800-171 are you trying to outsource?

You’re probably looking to outsource one of two things: either a NIST 800-171 assessment or one of the NIST 800-171 requirements. We’ll talk about NIST 800-171 outsourcing for assessments in a future post. This article will focus on offloading some of the requirements to third-parties.

What does the NIST 800-171 SP say about outsourcing?

This is really the only thing that matters. DFARS 252.204-7012 says we have to comply with NIST 800-171, and NIST 800-171 has specific verbiage that deals with outsourcing requirements.

          NIST 800-171 – Section 2.1 Basic Assumptions

Additional assumptions also impacting the development of the CUI security requirements and the expectation of federal agencies in working with nonfederal entities include: […] Nonfederal organizations can implement a variety of potential security solutions either directly or through the use of managed services, to satisfy CUI security requirements;

This single statement suggests that it’s totally acceptable to leverage third-party vendors to meet the compliance requirements. This is great news if you’re not quite compliant with one or more of the controls.

Outsourcing Examples

What are some examples of controls you can outsource? Many of the requirements “feel” like something you can pay someone to do.

• 3.1.14 Route remote access via managed access control points. google: managed vpn services
• 3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat. google: security awareness training services
• 3.6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. google: incident handling services

The list goes on… If you find a deficiency within your organization, consider the costs of implementing an in-house solution vs. an outsourced service. You may find it’s quicker to pay someone to solve the problem for you. ComplyUp offers a comprehensive NIST 800-171 Self-Assessment Platform, complete with easy to understand explanations of each control.