Today, cybersecurity threats, incidents, and breaches are prevalent in organizations of all sizes and industries, especially during this COVID-19 era. Frequent public announcements of data breaches are distributed by hospitals, financial institutions, retail stores, and a variety of businesses informing consumers almost daily. In this fast-moving agile environment even, the federal government relies on external service providers to carry out business functions with entities such as State and local governments, colleges and universities, and independent research organizations. Entities routinely process, store, and transmit sensitive federal information in their systems to support the delivery of essential products and services to federal agencies.
Mission Critical Products and Services
The U.S. Department of Commerce National Institute of Standards and Technology (NIST) states that organizations participate in an array of activities (e.g., provide credit card and other financial services; provide Web and electronic mail services; conduct background investigations for security clearances; process healthcare data; provide cloud services; and develop communications, satellite, and weapons systems). The services provided to the federal government usually contain sensitive information. The term used to categorize transfer, dissemination, and storage of this type of data is Controlled Unclassified Information (CUI).
Starting a Cybersecurity Management Program
Entities with limited internal resources, accelerated digital transformation projects, and heavy reliance on Third Parties for services has intensified the need to protect non-federal and federal Controlled Unclassified Information (CUI). A review of the NIST 800-171 Revision 2 framework titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” is the first step in the process. Establishing a comprehensive cybersecurity management program that includes the 13 Security Requirement Families illustrated below is crucial to every organization.
|NIST Security Requirement Families|
|Awareness and Training|
|Audit and Accountability|
|Identification and Authentication|
|System and Communications Protection|
|System and Information Integrity|
Who Needs to Know?
According to the NIST, the publication of the framework serves the following diverse group of individuals and organizations in both public and private sectors.
|Responsibility Focus Areas||Titles|
|System development life cycle responsibilities||Program Managers, Mission/Business Owners, Information Owners/Stewards, System Designers and Developers, System/Security Engineers, Systems Integrators|
|Acquisition or procurement responsibilities||Contracting Officers|
|System, security, or risk management and oversight responsibilities||Authorizing Officials, Chief Information Officers, Chief Information Security Officers, System Owners, Information Security Managers|
|Security assessment and monitoring responsibilities||Auditors, System Evaluators, Assessors, Independent Verifiers/Validators, Analysts|
What are the next steps?
Consulting with an advisory firm or consultant specializing in cybersecurity risk management is key to navigating the compliance landscape. Upon exploring the complexities of the NIST 800-171 model stakeholders will discover that there are a lot of moving parts to implementing a successful program. Documenting findings on Excel spreadsheets may be the norm for some organizations, however, a review of the numerous questions, countless tasks, and remediation efforts (if applicable) required to maintain compliance can be overwhelming. An integrated risk management platform encompassing data protection standards and regulations is highly recommended. A recent demonstration of the VigiOne solution by VigiTrust (an information security services company), illustrated superb compliance functionality in one program. The platform is embedded with project management features, scanning, tracking, reporting, eLearning, monitoring, planning, and document uploading capabilities. Organizations with limited cybersecurity human resources would greatly benefit from the VigiOne tool.