Business Operating Policies Enable Compliance

Compliance with the security controls described in NIST SP 800-171 Revision 1 and DFARS Clause 252.204-7012 is required for organizations doing business with the U.S. Federal Government that involves the transfer, storage and processing of controlled unclassified information (CUI) and/or covered defense information (CDI).

Compliance is a Process

In our modern information technology world, it is easy to buy an application or service that purports to solve our problems. In some cases these solutions get the job done, or come very close. Others are outright misleading. As with anything, the truth is usually somewhere in between and buried in the details. It is important, therefore, to exercise due diligence and establish what a product or service actually delivers against each requirement. Often this requires expertise that small businesses do not have on staff or easily accessible. In these circumstances, a partnership with someone who has the right expertise goes a long way.

Policies Help Meet Compliance Objectives

The requirements outlined in the relevant NIST and DFARS references are not all technical measures, applications or devices. Some are more the province of business operating policies and procedures that must also be defined, enacted and enforced. Two of the NIST SP 800-171 control families serve as examples in this discussion: 3.2 – Awareness and Training, and 3.9 – Personnel Security.

The Awareness and Training family addresses the need to ensure personnel using information technology (IT) systems receive appropriate instruction regarding the cyber threat environment, their roles in protecting CUI and CDI, and the actions they should take to help protect the organization and its information. Certainly, there are services that provide this type of instruction; Assured Bridge offers this service as well. But in addition to simply having the service, reporting and auditing must be accomplished to validate both the program and the team's participation in it. This requires organizational leaders to ensure that the team is aware of and completing its training, and that the training is appropriate to the risks and threats the organization may face. These responsibilities must be spelled out in a policy to which the team is bound.

The Personnel Security family likewise demonstrates the need for appropriate hiring and staffing policies to ensure employees meet the security requirements for handling CUI and CDI. There are services that can assist in finding and vetting qualified personnel, but the standards, training and qualifications must be set by organizational leadership. A personnel and staffing policy is a good way to make the team aware of these requirements, and it serves as a ready reference for decision makers in the selection and hiring processes.

Assured Bridge

At Assured Bridge, we are gathering, developing and refining policy templates to assist our customers in meeting the compliance objectives of NIST SP 800-171 and DFARS 252.204-7012. These policy templates are intended to supplement and support the technical controls necessary to meet the security and protection requirements inherent in government contracts.

Image credit: http://alphastockimages.com/

With over 30 years of experience, Daniel Bjorklund is a dedicated information security practitioner and innovator. He serves as a principal at Assured Bridge, helping to mature and guide compliance-as-a-service and managed security service provider operations. Dan is also Chief Technologist at Sabine Solutions - a defense contractor, and owns a small cybersecurity consulting firm: Community Cyber. He is active in the startup and entrepreneurial communities in the Augusta, GA area, helping set firm cybersecurity foundations for new companies and efforts.

Dan is a current CISSP and holds a Master of Science degree in Information Assurance and Security and a Bachelor of Science degree in information technology. When not hunched in front of a computer, Dan can often be found above 3000 feet avoiding highway traffic, flying his airplane as a licensed pilot. He and his wife enjoy outdoor activities, biking, fishing and sightseeing in the Southeastern United States.