February 2, 2022

Last Updated on June 27, 2024

More and more organizations are concerned about new cybersecurity guidance and accelerating compliance timeframes being put forth by the US government, especially around the NIST SP 800-171 standard. If your company already has an ISO 27001 certification or SOC 2 based program, or is pursuing one, what is the best way to understand and address the government’s evolving direction?

In a recent “solo” episode of The Virtual CISO Podcast, host John Verry addresses this “NIST versus ISO” question because of its increasing relevance to more and more Pivot Point Security clients.

To understand where the US government is coming from today, it’s important to know some back story about how the current situation evolved, why the cadence of change is accelerating—and why the government’s new requirements are going to impact a huge percentage of companies out there, whether you do business directly with government entities or not.

Timeline of US government cybersecurity guidance

Here are some of the noteworthy US government rulings in recent years that have direct implications for today’s federal regulatory climate:

  • In November 2010, Executive Order (EO) 13556 established Controlled Unclassified Information (CUI) as a category of information. The goal was to rationalize 100-plus government classifications of similar data, which was making it a challenge to communicate across government branches and with private sector partners. CUI is often associated with the defense supply chain, but it goes far beyond that. The CUI Registry is maintained by the National Archives and Records Administration (NARA). At a minimum, check out the high-level CUI categories to see what types of CUI your business may be processing (e.g., mergers, net worth or retirement data, legal data, patent applications, personnel or student records, health information, and much more).
  • In 2014, President Obama introduced the NIST Cybersecurity Framework. This established a standard for managing information-related risk for critical infrastructure entities, and has been “moderately adopted,” according to John.
  • In December 2016 the NIST SP 800-171 framework that is so important currently was originally introduced. Its purpose is to define the control set that organizations should implement to protected CUI. The US Department of Defense (DoD) quickly began mandating NIST 800-171 compliance extensively as a contract requirement, because of the severity of data exfiltration across the defense supply chain. But the self-attestation program that the DoD put in place at that time proved to be of little value in protecting CUI.
  • In June 2019, the Defense Contract Management Agency (DCMA), which handles something like $8 trillion in contracts, launched the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to up the ante on NIST 800-171 compliance and protecting CUI by performing third-party audits to validate self-assessments.
  • To create a more scalable model for third-party assessments across the 350,000-plus entities in the US defense industrial base (DIB), version 1 of the Cybersecurity Maturity Model Certification (CMMC) program was launched in January 2020. CMMC proposed authorizing non-government auditors to perform audits on DIB orgs, against a modified version of NIST 800-171, to better secure CUI.
  • In May 2021, in the wake of the SolarWinds attacks and other cyber bombshells, EO 14028 outlined the US government’s future direction for cybersecurity, including Zero Trust architecture, supply chain security, SaaS security, IoT device security and more. The “cybersecurity EO” also underscored the central role of the Cybersecurity and Infrastructure Security Agency (CISA), an arm of the Department of Homeland Security, in enforcing compliance with US government cybersecurity legislation, in alignment with NIST as the agency the produces the relevant standards.
  • In December 2021, the DoD announced CMMC version 2, which significantly reconfigured the CMMC V1 approach based on extensive stakeholder feedback. Among the many changes, some DIB orgs will be exempt from third-party audits, and the rollout timeframe is potentially compressed from 5-plus years to 9 to 18 months—the time needed for CMMC rulemaking changes to Title 32 of the Code of Federal Regulations (CFR 32). Once those changes are in place, DoD or other USG entities could begin requiring CMMC compliance for any and all contracts involving CUI.
  • Coming out on or about January 2022 will be the NIST Secure Software Development framework, which is a direct response to direction in EO 14028 on software security. If you’re in the SaaS space or developing software that will be used by and/or downstream from the government, you should start preparing now for compliance.

Why you should care about USG cyber guidance if you don’t have USG clients

As noted above, John calls out the prominent role of CISA and its enforcement of NIST 800-171 compliance for “critical infrastructure” organizations, which include some industries you might not expect, like healthcare, financial services, and information technology. If you serve any of the 18 critical infrastructure sectors, you’ll likely need to demonstrate NIST 800-171 compliance fairly soon as part of your customers’ “flowdown” requirements from the USG to their suppliers.

John also points out how CUI encompasses far more than defense information, and that mandates to protect CUI via NIST 800-171 are surely coming from other sectors for similar reasons.

What’s Next?

Now is the time to become familiar with recent USG guidance and how it will impact your business, especially around NIST 800-171 compliance. If you wait, you could lose out on opportunities or even risk losing customers. As John explains on this show, there are multiple approaches to achieving NIST 800-171 compliance quickly and efficiently in line with ISO 27001 certification or a SOC 2 cybersecurity program.

To listen to this special podcast episode with John Verry on “NIST versus ISO,” click here: LINK

To speak with an expert on how to bring your current security program in line with NIST 800-171, contact Pivot Point Security.