DOD cybersecurity standard compliance proves challenging

Posted on Sep 20, 2018 :: Insight on Manufacturing.
Posted by Jessica Thiel of Insight Publications

The National Institute of Standards and Technology rolled out its NIST 800-171 cybersecurity standard at the end of 2017, but compliance has continued to prove challenging, especially for small- to mid-sized companies.

The standard is designed to protect controlled, unclassified information in non-federal information systems and organizations.

The Department of Defense became involved in response to data theft within the supply chain. In June, it was revealed that Chinese government hackers had stolen highly sensitive data related to submarines and undersea warfare. China also has stolen and replicated designs for F-22 and F-35 fighter jets.

Prime contractors awarded DOD contracts are required to put into their contracts that their suppliers must comply with NIST 800-171, and that responsibility trickles down to their suppliers across all tiers. The DOD will continue to step up demand around compliance, says Wil Cox, an account executive for the Wisconsin Manufacturing Extension Partnership.

Complying, though, has proved cumbersome for many companies. There’s an “element of shock” for businesses when they begin to digest the standard’s requirements, Cox says. It includes 110 elements that break down into further subsets of questions, spread across 14 areas of focus.

Companies, for now, don’t need to have all 110 elements fixed or working, Cox says. They just need to have a plan to address issues and work toward coming into compliance. He compares it to a dam with leaks in which you want to fix the large holes and make the drips and trickles a smaller priority.

The WMEP is well-positioned to help. Cox serves on the NIST MEP steering committee, and the MEP reports to and is funded by NIST. Cox encourages more organizations to use WMEP’s cybersecurity services. The organization helps guide companies toward compliance, conducts gap analyses and connects them to third-party companies that can help them come into compliance.

“We’re here. We’re funded to make the compliance easier, to provide resources that have been fully vetted,” he says.