Are You Ready for the NIST 800-171 Compliance Deadline?

BY Ben Ball

With only a few weeks until the December 31 deadline, are you scrambling to comply with NIST 800-171? Here's how DNS-based security can help. And if you’re doing business with the US government, the cybersecurity standards in NIST 800-53 and NIST 800-171 are crucial.

Derived from mandates in the Federal Information Security Modernization Act (FISMA), NIST 800-53 is a roadmap of cybersecurity best practices. The 500-page document covers everything from network settings to physical access to organizational procedures, all with an eye toward tightening up the entry points commonly used by bad actors.

Now, NIST 800-53 was originally designed for Federal agencies, so why should businesses care?

In a word: Leverage. The government has a keen interest in advancing cybersecurity and resilience across the US economy. Instead of imposing cybersecurity standards through regulation, the government is compelling the industry into acting on its own.

As a first step, the National Institute of Standards and Technology adapted NIST 800-53 into a parallel industry-facing document, NIST 800-171. The Department of Defense, GSA, and NASA have now changed their 2015 contracting rules to require that all businesses with access to government information are compliant with NIST 800-171 in order to do business with the government. This includes all direct contracts and subcontractors, which is a significant swath of the US economy.

The deadline for all Federal contractors to be compliant is December 31, 2017, or they risk losing their contracts.  Non-compliance must be reported to the agency CIO, who will object to any contract which fails to comply with the standard. This is only the beginning, as other Federal agencies are likely to require compliance with NIST 800-171 in the future.

There is no silver bullet for NIST 800-171 compliance. Its scope is too broad for any one piece of software or bureaucratic mechanism to cover. There are shortcuts, however.

Monitoring network traffic and imposing security policies on that traffic are a critical component of the NIST standards. While firewalls and boundary protection services fit the bill at a basic level, they are more about identifying symptoms rather than prescribing cures.

Businesses looking to move beyond mere compliance with the NIST standards and on to true control of their network have to look deeper into the everyday activity. As the lifeblood of any network interaction, DNS data offers a gold mine of insights to monitor all kinds of traffic (both internal and external) and can inform security policies even before that traffic reaches the network boundary.

With the compliance deadline fast approaching, it only makes sense for every business with government ties to re-evaluate its security posture. A DNS-based security system not only checks several boxes for NIST 800-171 but moves beyond it to improve resilience and readiness.

Ben Ball

Ben Ball is the Director of Strategy and Content Marketing at BlueCat. Ben served for ten years as a Federal employee, with three tours as a Foreign Service Officer (Saudi Arabia, Turkey, Jordan), and five years at the Department of Homeland Security, where he focused on immigration issues. A graduate of the Fletcher School of Law and Diplomacy and Pitzer College, Ben lives in the San Francisco Bay Area.

View more articles by Ben Ball