
Guidance for small business implementation of NIST SP 800-171

  • Feb 20, 2017
  • 2 min read

The DoD has published a guideline that describes how a smaller company can proceed with implementing the daunting NIST SP 800-171 cybersecurity requirements. These guidelines can be found in the Government’s CUI FAQ. Their guidance says:

NIST SP 800-171 was written using performance-based requirements, with the intent to not require the development or acquisition of new systems to process, store, or transmit CUI, but enable contractors to comply using systems and practices they already have in place. It eliminates unnecessary specificity and includes only those security requirements necessary to provide adequate protection for the impact level of CUI (e.g., covered defense information).

Most requirements in NIST SP 800-171 are about policy, process, and configuring IT securely, while others require security-related software (such as anti-virus) or additional hardware (e.g., firewall).

For companies that were compliant with the 2013 Safeguarding of Unclassified Controlled Technical Information DFARS clause with the table of NIST SP 800-53 controls, almost all the additional NIST SP 800-171 requirements can be accomplished by policy/process changes or adjusting the configuration of existing IT. With the exception of the multifactor authentication requirement (3.5.3), no additional software or hardware is typically required.

For companies new to the requirements, a reasonable approach would be to:

  • Examine each of the requirements to determine:

      ◦ Policy or process requirements

      ◦ Policy/process requirements that require an implementation in IT (typically by either configuring the IT in a certain way or through use of specific software)

      ◦ IT configuration requirements

      ◦ Any additional software required

      ◦ Any additional hardware required.

  • If unsure of what a requirement means, companies should refer to the mapping table in Appendix D to NIST SP 800-171, identify the corresponding NIST SP 800-53 control, and consult the Supplemental Guidance related to that control in NIST SP 800-53 [Note: not all aspects of a NIST SP 800-53 control requirement may have been included in NIST SP 800-171 requirement, so not all of the Supplemental Guidance may apply].

  • Typically, most requirements entail determining what the company policy should be (e.g., what should be the interval between required password changes) and then configuring the IT system to implement the policy.

  • Note that when the term “control” or “manage” is used, it does not necessarily imply a technical implementation – often a process or policy (with an ability to check periodically to ensure the policy/process is being followed) is sufficient.

  • The complexity of the company IT system may determine whether additional software or tools are required. Small systems can manually accomplish many requirements, such as configuration management or patch management, while more complex systems may require automated software tools to perform the same task.

  • Based on the above, determine which of the requirements can be readily accomplished by in-house IT personnel and which require additional research in order to be accomplished by company personnel or may require outside assistance.

  • Develop a plan of action and milestones to implement the requirements.

This guidance may be helpful, but it is very general. For more specific implementation guidance and a link to the CUI FAQ, go to: http://nist-sp-800-171.com

© 2019, Crossways Concepts, LLC
