There are endless pages on the Internet trying to explain who is impacted by this. Here is the BLUF (Bottom Line Up Front): If, for business purposes, you hold electronic copies of ANY data that is, or will become, the property of the U.S. federal government, and those copies are not expressly identified as public, then NIST 800-171 applies to you. This includes proposals. If the copies of federal government data you are holding cannot be readily found on a government website, then they are almost certainly CUI (Controlled Unclassified Information) and must be protected in accordance with NIST 800-171.
What is NIST 800-171?
NIST 800-171 is a cyber security framework with 14 basic high-level cyber security requirements (see chapter three). If you are starting from scratch, most companies will need 6-8 months to become compliant. The standard can be viewed in its entirety here:
When does this happen?
Every federal government contractor or subcontractor is expected to comply with NIST 800-171 by December 31st, 2017. As of this writing, that is about 13 weeks away. If you have not started on your compliance efforts, do not wait any longer. One caveat here – it is understood that not every business will be able to fully comply with all 14 sections of NIST 800-171 by the end of this year. In that event, you need to write a POA&M (Plan of Action and Milestones) showing a progressive plan to become compliant.
Why is this necessary?
From a security standpoint, computer networks fall into two categories:
- Those that have been breached already.
- Those that will get breached in the future.
Not only is NIST 800-171 compliance mandated by law; it will also go a long way toward reducing your business risk. The NIST standards are highly regarded in the cyber security community.