Business Operating Policies Enable Compliance

Compliance with the security controls described in NIST SP 800-171 Revision 1 and DFARS Clause 252.204-7012 is required for organizations doing business with the U.S. Federal Government that involves the transfer, storage and processing of controlled unclassified information (CUI) and/or covered defense information (CDI).

Compliance is a Process

In our modern information technology world, it is easy to buy an application or service that purports to solve our problems. In some cases, these solutions may get the job done, or come very close. Others may be outright misleading. As with anything, the truth is often somewhere in between and buried in the details. It is important, therefore, to exercise due diligence and establish the truth. Often, this requires resources that not all small businesses have on staff or easily accessible. In these circumstances, a partnership with someone with the right expertise goes a long way.

Policies Help Meet Compliance Objectives

The measures and controls outlined in the relevant NIST and DFARS references are not all related to technical measures, applications or devices. Some are more the province of business operating policies and procedures that must also be defined, enacted, and enforced. Two of the NIST control families can be used as examples in this discussion: 3.3 – Awareness and Training; 3.10 – Personnel Security.

The awareness and training family discusses the need to ensure personnel using information technology (IT) systems receive appropriate instruction regarding the cyber threat environment, their roles in protecting CUI and CDI, and the actions they should take to help protect the organization and information. Certainly, there are services that provide this type of instruction. Assured Bridge offers this service as well. But beyond simply having the services, reporting and auditing must be carried out to validate both the program and the team's participation in it. This requires organizational leaders to ensure both that the team is aware of and completing their training, and that the training is fully appropriate to the risks and threats that may be faced. These responsibilities must be outlined in an appropriate policy to which the team is bound.

The personnel security family, too, evidences the need for appropriate hiring and staffing policies to ensure employees meet the security requirements for handling of CUI and CDI. There are services that can assist in finding and vetting qualified personnel, but the standards, training and qualifications must be set by the organizational leadership. A personnel and staffing policy is a great way to ensure the team is aware of these needs, and can be used as a ready-reference for decision makers in the selection and hiring processes.

Assured Bridge

At Assured Bridge, we’re gathering, developing and refining appropriate policy templates to assist our customers in meeting the compliance objectives of NIST SP 800-171 and DFARS 252.204-7012. These policy templates are intended to supplement and support the technical controls necessary to meet the security and protection requirements inherent in government contracts.

Certified Information System Security Professional Daniel Bjorklund is the information assurance and cybersecurity subject matter expert for Assured Bridge LLC, a company specializing in cybersecurity compliance solutions. With over 20 years’ experience in U.S. military intelligence and security operations, plus significant involvement in government, commercial and private sector cybersecurity initiatives, Dan has comprehensive knowledge of today’s rapidly-evolving cyber-dependent world. A recently-licensed pilot and amateur radio operator, Dan lives with his wife in South Carolina.
Dan can be found on LinkedIn and Twitter.