Contract Electronics Manufacturing and PCB Assembly Blog

NIST 800-171: Is Your Company Prepared for 2018?

Posted by Stephanie Weaver on Fri, Sep 15, 2017 @ 01:00 PM

NIST, the National Institute of Standards and Technology, published Revision 1 of Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, in December 2016. Under DFARS clause 252.204-7012, DoD contractors and their subcontractors that handle covered defense information must implement its requirements no later than 12/31/17. In order to continue to receive purchase orders from government primes in 2018, every company in that supply chain MUST be compliant with NIST 800-171.

The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. This publication provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI when such information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. The security requirements apply to all components of nonfederal systems and organizations that process, store, or transmit CUI, or that provide security protection for such components. The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.*

NIST outlines 14 families of requirements, each with extensive subsections:

1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Personnel Security
10. Physical Protection
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection
14. System and Information Integrity

Zentech has been proactively addressing the 14 families and their associated requirements. To assist electronics industry professionals in their understanding of the impact and to best prepare their company for these requirements, I interviewed Clint Fleming, Zentech's VP of Program Management and IT.

SW: This new document was published by NIST in December 2016. How long has Zentech been preparing for these changes, and how long do you recommend a company prepare in advance?

      CF: Zentech has been preparing since publication of the document. I would recommend 6 months to prepare, if you take into consideration an IT professional's regular day-to-day activities and other long-term projects. In that the deadline is only 4 months away, if you have not started this process, you will need to quickly appoint a task team and accelerate your efforts.

SW: How do these requirements differ from what has been required by NIST in the past?

      CF: These requirements require, most importantly, a 2-factor identification to access all CUI data, and that all data be managed in a secure cloud-based environment. It also requires that a sub-prime report its full compliance to each government prime that it works with in order to continue business with them.

SW: What has been the most challenging of the requirements thus far?

      CF: From a practical, day-to-day, on-the-shop-floor perspective, the 2-factor authentication will be the most challenging to adapt to. Two-factor authentication takes more time, and those seconds add up and could affect productivity. They also time out after a specified number of minutes and credentials have to be re-entered.
      The other significant factor is the accounting of hard copies. Companies must create a process for keeping track of all hard copies printed each day that contain CUI data and account for them. Inevitably, there are hard copies, as an operator has multiple items he/she needs to view at the same time. Even if your company added more monitors to reduce the number of hard copies, many plants are up against floor space constraints. Now is the time for organizations to address these challenges and create processes and procedures that will continue to allow the company to run efficiently under the new requirements.

SW: What is the deadline for compliance and what are the ramifications of non-compliance?

      CF: All companies doing business with government primes must be compliant by 12/31/17 or they cannot receive any DoD-related purchase orders in 2018.


*From the document, NIST Special Publication 800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

About Zentech: Zentech Manufacturing, Inc. is a privately held, engineering-driven contract manufacturer specializing in the design and manufacture of highly complex electronic and RF circuit cards and assemblies. The company is headquartered in its purpose-built facility located in Baltimore, MD and maintains several key certifications, including ISO 9001:2008, ITAR (US State Dept.), AS9100 (aerospace), and ISO 13485 (medical). In addition, Zentech is a certified IPC Trusted Source supplier for Class 3 mission-critical electronics, and the company is IPC J-STD-001 Space Addendum QML certified.
