The long awaited NIST 800-171 Revision 2 and 800-171B drafts were released for comment today. There have been no major changes to the controls in Revision 2. This is good news for many in the DIB who have been diligently working to implement and maintain the security requirements.
Of more interest is 171B enhanced security controls and the cost estimates provided for implementing the standard. You can find it here.
We highly recommend taking a look – many will laugh at how low the cost seems, and many will turn shades of gray at how much they might be expected to spend. Just remember “allowable cost” doesn’t mean “send the government your bills” by any stretch of the imagination.
In any case, 171B provides enhanced security controls that are in addition to 800-171 controls, in cases where the information held by the contractor is a significant target. If this applies to your company, you should start planning for three goals:
- (1) penetration resistant architecture;
- (2) damage limiting operations; and
- (3) designing for cyber resiliency and survivability.
These seem obvious, but the reality is that a resilient architecture is next-level security maturity. Quite simply, this translates to
- implement network access controls,
- know your normal to recognize abnormal,
- have a robust incident response capability
- and perform thorough risk assessments.
Continue to be diligent in your efforts to comply with 800-171. Regardless of everything else, if you have the DFARS 252.204-7012 clause in ANY of your contracts, you must meet the intent of that clause for incident response and security controls. That is a contractual requirement. For now, everything else is just talk.
While there will be changes and potentially new requirements under CMMC, we just don’t know what the framework will look like until it is released. For now, understand your risk when planning for future requirements. Nothing is set in stone until you have it in writing from your government customer.
Heather Engel is Chief Strategy Officer of Sera-Brynn. She has nineteen years of experience in cyber security, with an emphasis on cyber risk management including regulatory compliance, incident response, crisis communications, Continuity of Operations (COOP) planning, development and exercise execution; policy development, and computer network operations.
Sera-Brynn is internationally ranked as a top-tier cybersecurity firm. Sera-Brynn is a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and a certified FedRAMP assessor. To speak to a team member, contact us at firstname.lastname@example.org or via www.sera-brynn.com.