February 2, 2022

Last Updated on June 19, 2024

Whatever your company does, it’s likely that your customers include US federal government entities, businesses that serve the USG, and/or firms in designated “critical infrastructure” sectors like healthcare, financial services, information technology, manufacturing or food & agriculture. All these organizations—and thus potentially yours as well—will be mandated in the “not-too-distant future” to protect controlled unclassified information (CUI) in compliance with the NIST SP 800-171 cybersecurity standard, which specifies controls to protect CUI.

What is the optimal path for your business to incorporate NIST 800-171 compliance into its current information security program? Especially if you’ve already attained or are pursuing ISO 27001 certification or a SOC 2 based program?

John Verry, Pivot Point Security CISO and Managing Partner, discusses this “NIST versus ISO” issue on a recent “special briefing” episode of The Virtual CISO Podcast. This concern is rapidly becoming relevant for more and more companies both within and outside the government sector.

Response #1: Start paying attention

John emphasizes that NIST 800-171 compliance is “a when, not an if” for a significant percentage of American companies. With that in mind, a first step is to start paying close attention to what the US government is doing around cybersecurity. What’s happening with CMMC V2? What are the latest directives from CISA? What are clients and prospects emphasizing in security questionnaires, RFPs or contracts that pertains to CUI or NIST 800-171?

Getting a grip on this kind of information will give you a head start on NIST 800-171 compliance. As John says, “Nothing moves fast in information security.” Depending on your current cybersecurity posture, achieving demonstrable NIST 800-171 compliance could take 9 to 12 months. You’ll want to know well in advance when you need to get there, so you don’t miss a chance to bid on a contract or risk losing current business.

Response #2: Get educated

What types of CUI are you processing? How do your current security controls compare with the NIST 800-171 control set? These are critical questions your stakeholders will likely ask, and which you’ll need for planning purposes, which will take a bit of research to answer.

John explicitly calls out FAR 52.204-21, Basic Safeguarding of Covered Contractor Information System. This ubiquitous FAR clause covers the 15 basic cybersecurity requirements deemed necessary to protect Federal Contract Information (FCI). This requirement “flows down” similarly to NIST 800-171 compliance, but it is both far easier to meet and far more problematic if you can’t clear this lowest security hurdle.

“If you’re not able to achieve conformance with those 15 basic cybersecurity requirements, there’s going to be a problem,” John warns. “And I would try to get you there fast. Why? Because: a) You don’t want to lose out on something; and b) If you don’t have these controls in place, you’re probably less secure than you should be, and you’re at greater risk than you’d probably like to be.”

Response #3: Start building NIST 800-171 into your information security program ASAP

Trusted, “gold standard” cybersecurity frameworks like ISO 27001 and SOC 2 aren’t “going away” because of the government’s focus on NIST 800-171 compliance and protecting CUI. Especially for firms that already have (or are moving towards) ISO 27001 certification or a SOC 2 report, your view should be on how best to “blend” NIST 800-171 compliance into your ISO 27001 information security management system (ISMS) or SOC 2 program, given the considerable overlap between them.

John outlines several possible approaches, from simply cross-referencing controls to taking NIST 800-171 into your ISMS, to leveraging NIST 800-171 as your underlying information security framework within ISO 27001. (Yes, ISO 27001 really is that flexible.)

Response #4: Keep privacy on the radar as well

Is any of the data that you’re currently processing defined as “personal information” by far-reaching privacy legislation like Europe’s GDPR, the California Consumer Privacy Act (CCPA) or the NIST Privacy Framework? Privacy represents another exploding area where companies will need to address questionnaires and other stakeholder concerns to keep current clients and go after new business, as well as comply with regulations.

“When someone asks if you have a CCPA-conforming privacy program, you’re going to want to be able to answer with a resounding ‘Yes,’” says John.

What’s Next?

A requirement for NIST 800-171 compliance is coming soon for many businesses. Don’t wait until you’re behind the eight-ball to get started planning, preparing and moving forward in alignment with your overall business strategy.

To listen to this special 20-minute podcast briefing with John Verry on “NIST versus ISO” all the way through, click here: LINK

To connect with an expert on how best to align NIST 800-171 with your current security program, contact Pivot Point Security.