The US federal government now outsources a wide range of federal projects and business activities to service providers, who carry out that work using the federal government's information systems and handle sensitive information in the process. Because of this, the Department of Defense now requires service providers, contractors and subcontractors that deal with Covered Defense Information (CDI) to take protective and preventive cyber security measures. Specifically, the Defense Department requires that these outsourced operators be compliant with NIST Special Publication 800-171 on or before December 31, 2017.
NIST Special Publication 800-171 is a general outline of the procedures and information describing how service operators must set up and maintain their information systems and policies in order to protect government information, particularly the category called Controlled Unclassified Information (CUI). Compromise of this information can directly affect the federal government's ability to carry out its normal operations. These outsourced service providers are hired to perform many routine tasks, such as processing, storing and transmitting federal information on their own computer systems and delivering that information to federal agencies; examples include providing credit card and financial services, providing Web and electronic mail services, conducting background investigations for security clearances, processing healthcare, providing cloud services, and developing communications satellites and weapons systems. It is therefore of paramount importance that a system be adopted to protect this sensitive work, which is done by requiring all outsourced service providers to comply with NIST Special Publication 800-171.
If you are one of these hired contractors, you need to comply with the requirement or you risk losing your contract. Two suggested steps for starting the compliance process are to perform a gap analysis and to establish an incident response plan.
The gap analysis is a security assessment in which you work through every control in NIST Special Publication 800-171 and determine where your project and practices are already compliant and where work is needed to reach compliance. This involves discussing the controls with your staff, examining your network maps and configurations, and comparing them against the compliance checklist, with particular attention to how Controlled Unclassified Information and the other vital information specifically named in NIST Special Publication 800-171 is processed. Once you have the results of your gap analysis, it is suggested that you add two-factor authentication to your processing systems to ensure that there are no shared passwords, and that you draw up an incident response plan: a well-explained plan of what to do during a cyber intrusion or attack, or when an insider investigation is required.