If you’re a small business working on a government contract that includes requirements for the protection of controlled unclassified information (CUI), it’s important to remember that remaining compliant is a continuous process. National Institute of Standards and Technology Special Publication 800-171 contains the guidelines for establishing and maintaining the security processes and controls required by many contract terms. These requirements include maintaining and updating the systems used in support of the contract efforts.
Continue reading Information System Maintenance and Compliance for CUI Protection
Businesses face a growing number of vulnerabilities and adversarial tactics aimed at compromising the information they hold dear. The data entrusted to organizations in support of government contracts is of great value to those with malicious intent. While compliance with NIST SP 800-171 may be compulsory for your government contract, it also supports business goals for operational security and risk management.
Continue reading Credential Stuffing and NIST SP 800-171
For non-governmental organizations that do, or hope to do, business with the U.S. government, careful consideration must be given to whether controlled unclassified information is part of the specified contract work. Controlled unclassified information (CUI) is sensitive in nature and is restricted from public distribution. It is not classified information; rather, it consists of products or by-products of government contract work that have been deemed to deserve additional protection.
Continue reading NIST SP 800-171 Control Families – Overview
Backups and Archiving
World Backup Day is March 31st – a whole day to help remind us to ensure our valuable information is properly protected and available should the need arise. Obviously, valid backup and recovery is a foundational component of incident response and information security. An incident could be a system malfunction, user error or adversarial maliciousness.
Continue reading World Backup Day and NIST SP 800-171
New Cyber Security Regulations
For small businesses planning to do business with the U.S. Government and Department of Defense, new cyber security and incident reporting rules will apply. The rules can affect your contract work and the data sent, received or created as part of those efforts. These rules are primarily codified in National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and in Clause 252.204-7012 of the Defense Federal Acquisition Regulation Supplement (DFARS).
Continue reading NIST SP 800-171 and DFARS Clause 7012
Like most everyone else, we use email services daily in our small business activities. From general announcements to document and file sharing, email is ubiquitous. Adversaries have long known this as well, as evidenced by the amount of spam and malicious email we see in our inboxes. In fact, worldwide, more than half of the email we receive can be attributed to unwanted spam, advertising or phishing. Phishing is, of course, among the most concerning, as senders attempt to extract sensitive information or credentials from victims.
Continue reading Email Security and NIST SP 800-171 Compliance