BY JAKE GIBSON, Chief Compliance Officer and Chief Security Officer, LightEdge Solutions
One issue that is top of mind for manufacturers, especially ones that have contracts with government agencies or are subcontractors with suppliers to the government, is being compliant with NIST 800-171 standards.
NIST, the National Institute of Standards and Technology, published new standards last year specific to manufacturers along the supply chain of certain government agencies, most notably the Department of Defense, the General Services Administration and NASA. NIST 800-171 puts a set of standards on these manufacturers to force them to get serious about their cybersecurity and bring them up to speed with some of the common standards of today.
This affects manufacturers that have direct or indirect contracts with those agencies. Companies like Pratt & Whitney or United Technologies, which are large suppliers for the Defense Department, are obviously affected. But it also trickles down to the subcontractors that supply the big companies with any parts, big or small — even something as small as a control board or a piece of software.
The deadline to be NIST 800-171-compliant was Dec. 31 of last year, but I have still received some questions in the past few months regarding the new standards. This blog will hopefully help you learn some of the basics and what to do to take action.
What is NIST 800-171, and why was it implemented?
NIST 800-171 applies to any manufacturer that works with controlled unclassified information (CUI) or covered defense information (CDI).
The terms are similar; the difference is which government agencies' information each one covers. Both refer to information that is unclassified but still sensitive to the United States government, meaning it needs proper safeguards and barriers in place to prevent and control dissemination. NIST 800-171 is a framework that specifies how manufacturers need to set up their information systems and policies in order to ensure that information is protected.
Data breaches and vulnerabilities make headlines almost every month in every industry. And in the manufacturing world, manufacturers in different industries have different sets of regulations to adhere to. That obviously posed a problem for those within the government supply chain — hence the new NIST standards.
NIST 800-171 simply standardizes the requirements for all manufacturers along the government supply chain to ensure quality cybersecurity. It holds not only the suppliers accountable, but also the suppliers' suppliers.
Meeting these standards is critical. Failure to meet these guidelines could mean the loss of a contract and business relationships.
What do I need to do?
It’s not dissimilar to any other industry or compliance standard. If you are entering, or are already in, the space regulated by the new NIST 800-171 guidelines, the first thing you need to do is a risk assessment of your entire business.
Information technology can get overlooked by manufacturers that are cost-sensitive in every aspect of their business. Production and safety may get more attention, but under these new information regulations and guidelines that becomes a problem, because security then lags behind.
Part of a risk assessment is finding the places where your business is compliant and where it needs work.
Make sure to go through your business and find every place where sensitive information is stored, whether that is on the automated machines producing the equipment, on smart devices or on anything else connected to the Internet of Things. Talk to your employees, look over network maps and go over the compliance standards line by line.
The next step is to put safeguards in place for that sensitive information if you haven’t already, then control access to it and train employees on how to handle it.
Training employees can be as easy as offering short, 10- to 15-minute classes on a variety of cybersecurity topics, whether that is how to handle sensitive information or education on ransomware.
If you have a third party handling your data, you need to understand your role in determining how you protect your business and information assets. As I’ve talked about in some of my previous blogs, sitting down with your vendor or service provider is key to understanding where the line of responsibility falls in compliance.
Third-party vendors can help you become compliant, but there may still be work to be done on your end.
The new NIST 800-171 standards have a lot of small to midsized manufacturers wondering where they fall, but, as always, communication with your data vendors will help your business stay compliant now and on top of any future changes.