The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates national standards for electronic transactions of health information in the United States. A separate set of requirements governs federal information held by contractors: the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-171 in June 2015 (Revision 1 followed in December 2016), which specifies the security requirements for protecting federal information when it resides in nonfederal systems. SP 800-171 covers the protection of Controlled Unclassified Information (CUI), defined as unclassified information created by the government, or by an entity on behalf of the government, that law, regulation or government-wide policy requires to be safeguarded. Many subcontractors who bid or work on Department of Defense (DoD) projects will need to meet SP 800-171 by the end of 2017, the deadline set by DFARS clause 252.204-7012.
Overview
The security requirements in SP 800-171 consist of 14 families of security requirements for protecting the confidentiality of CUI in non-federal information systems and organizations. These families may be categorized into the following four general areas:
- Controls
- Monitoring and management
- End user practices
- Security measures
Nonfederal organizations can satisfy SP 800-171 security requirements either directly or indirectly through the use of managed services. They can also use SP 800-53 to obtain additional information on the controls behind the CUI requirements described in SP 800-171, including control families such as Configuration Management (CM) and Physical and Environmental Protection (PE). The mapping tables in SP 800-171 and SP 800-53 relate each requirement to its SP 800-53 controls and to the corresponding controls in ISO/IEC 27001.
Affected Organizations
SP 800-171 generally applies to any organization that handles CUI while doing business with the government, whether directly as a prime contractor or indirectly as a subcontractor. It will typically have the greatest impact on prime contractors, particularly manufacturers, since they usually store the largest amount of CUI in their systems. However, SP 800-171 also affects subcontractors such as consulting firms, research institutions and service providers.
Many organizations have the misconception that they don’t need to comply with NIST security requirements because they don’t do business directly with the government. However, any business in the federal supply chain that handles CUI will need to be NIST-compliant by the end of 2017. Some executives may also feel their company is too small to be affected, although SP 800-171 has no minimum size requirement.
Implementation
The process of identifying the actions needed to become NIST-compliant may appear to be a lengthy one, but a clear plan of action will allow many organizations to complete this task within three months. The first month should be spent assessing the current IT environment and identifying where CUI is stored, processed and transmitted. Managers should spend the second month performing a gap assessment that identifies areas that fail to meet SP 800-171 requirements. The third month should be used to develop a list of recommended corrective actions, including a project plan and timeline; SP 800-171 Revision 1 expects this to be maintained as a plan of action and milestones alongside a system security plan. Note that this three-month effort produces the plan; the corrective actions themselves still have to be implemented before the organization is compliant.
Summary
CSCI has been providing managed services and on-site engagements for businesses in the San Diego area for over 30 years. Our services include NIST compliance, often in partnership with major companies such as Cisco, Fortinet, HP and Microsoft. Contact us today for a free assessment of your compliance requirements.