When NIST 800-171 (Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations) was released in December 2016, its scope was relatively limited (it applies to a specific class of data called CUI). However, the security controls it includes (derived from NIST 800-53) are relevant to every organization and a great foundation for developing a cyber security standard.
Initially, vendors were allowed/expected to self-certify their organization’s adherence to the standard. It’s been an open secret that the government would only accept vendors’ self-certification for a limited time. Beginning September 2020 (just 1 year from now!), there will be 3rd party assessors to validate how well companies are protecting their information assets.
Are you ready? If not, Aronson LLC would be happy to advise and guide you on your security journey. Feel free to message me directly and I’ll get you connected.
FYI – Just because you don’t have any DOD contracts doesn’t mean you won’t be affected. Government contractors will have to pass these requirements on to their suppliers and vendors that manage or store sensitive and critical systems and data (think cloud providers, SaaS applications, etc.). Be prepared!
For more details, check out this blog post!
#cyber #cybersecurity #NIST