THE MOST IMPORTANT NIST SP 800-171 REQUIREMENT

  • Aug 17, 2017
  • 3 min read

Continual Improvement Under NIST SP 800-171

With the deadline approaching, many DoD contractors are still implementing NIST SP 800-171 in order to protect their Controlled Unclassified Information (CUI). While implementing something like this, it is easy to become inappropriately focused on conformance to the requirements while missing the opportunity to make a true improvement in security. Requirement 3.12.2, if implemented in the spirit of the requirement, goes to the heart of achieving and maintaining real security. If it is simply viewed as a check-box item, then the real benefit can be missed entirely.

The route to having security that keeps up with a rapidly changing threat landscape is to truly embrace the spirit of NIST SP 800-171 requirement 3.12.2. That requirement says “Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.” Found in this requirement are the seeds of a continually improving system.

The requirement describes two modes of creating change within your organization. The first mode is reactive (“correct deficiencies”), while the second is preventive (“reduce or eliminate vulnerabilities”).

Reactive actions occur when something makes them happen. Whether the trigger is a periodic vulnerability scan or an incident, these vulnerabilities have reared their ugly heads and demanded to be addressed. Exactly how we respond to these occurrences is up to us. It is easy to simply apply a band-aid to the problem and call it fixed, but a real solution that addresses the root cause of the problem will establish a higher level of security.

On the other hand, preventive actions are efforts to seek out other things that will make a positive difference to the security of your organization. While these things might not show up in a vulnerability scan, they can still bring a significant improvement to overall security. These improvement efforts might include things like:

  • Broaden the scope or improve the effectiveness of user security training

  • Take steps that make it easier for users to follow secure practices

  • Increase the scope of systems covered by disaster recovery

  • Add additional layers of security around your most valuable digital resources

  • Add redundancy to critical systems

Almost any security professional who knows a system intimately will be aware of some improvements that could be made. The challenge is to identify these potential improvements, prioritize them, and then dedicate resources to their realization.

The NIST requirement says that you should “Develop and implement plans of action designed to...” address these reactive and preventive improvements. Those plans should be written, at a level of detail appropriate for the project and the organization. Any plan should include guidance on how the project will be evaluated upon implementation. It is important to verify both that the implementation has produced the desired results and that it hasn’t broken something else.

When more people are encouraged to be involved in the process of continually improving security, looking for opportunities to improve starts to become automatic. Often it is the people in the trenches, working directly with users, who can see opportunities to make a real difference that cannot be seen from the corporate offices.

Keep in mind that these continual projects do not have to transform the organization or have huge price tags associated with them. In most organizations there are many improvement opportunities that can be implemented with speed and a minimal budget. Certainly there is a time and place for the big projects, but don’t assume that there is always a direct correlation between cost and degree of security improvement.

By repeating the continual improvement process on an ongoing basis, it is possible to incubate a culture in which seeking improvement is an everyday activity. By conducting continual improvement exercises, the organization will achieve a higher level of security day by day.

For more information about NIST SP 800-171, go to http://nist-sp-800-171.com

© 2019, Crossways Concepts, LLC