Oct 2021: NIST, CUI, FAR, DFARS, MFA, POAM, SSP…WHAT??
Okay, it’s here to stay and there’s only more to come, especially with all the acronyms. Government contracting and cybersecurity will operate hand in hand forevermore. Therefore, you need to be ready to move, prepare for changes, and know it will be a bumpy path.
If you are new to cybersecurity, please read our “Back to Cybersecurity” blogpost from August 2021. The post explains what cybersecurity is, why it’s important, and how it can help a business. There are also cybersecurity tips and resources in the post, so be sure to check it out if you haven’t yet or if you need a refresher!
There are many misused terms in cybersecurity. Impact Dakota is part of the Manufacturing Extension Partnership (MEP) Program and provides the correct definitions of many commonly misused terms in cybersecurity in one of their blog posts. For example, threat vs. risk. The blog explains that “A threat is either used to mean something bad that could happen or an entity that may cause something bad to happen (also called a ‘threat actor’). Risk includes the probability that a bad thing could happen and the potential result(s). People often (incorrectly) use these words interchangeably.” For more misused terms read the whole post, titled “Commonly Misused Terms in Cybersecurity.”
For a general cybersecurity glossary from A to Z, check out either the National Initiative for Cybersecurity Careers and Studies (NICCS) or the SANS Institute. For federal government cybersecurity terminology, check out either the General Services Administration’s (GSA) “Cybersecurity Terms and Definitions for Acquisition” sheet, which also cites the source of each definition, or the National Institute of Standards and Technology’s (NIST’s) Computer Security Resource Center Glossary.
NIST, which operates under the U.S. Department of Commerce, promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. NIST administers the federal government’s Standards Coordination Office, which creates and assesses standards and conformity in U.S. industry. NIST’s Special Publication 800-171 contains the recommended security requirements a business must meet to protect itself and the Controlled Unclassified Information (CUI) it collects. NIST also provides a cybersecurity overview.
If your company will possess CUI in relation to a contract, you must have processes to protect the CUI from both internal and external threats. External threats are the obvious ones; protecting information from internal threats means that only those employees who need the information to complete their work should have access to CUI. The National Archives provides the CUI categories that must be protected. Don’t guess at these categories; a guess could be wrong. Add FCI (Federal Contract Information) to the mix: “both CUI and FCI include information created or collected by or for the Government, as well as the information received from the Government. But while FCI is any information that is ‘not intended for public release,’ CUI is information that requires safeguarding. In short: All CUI in possession of a Government contractor is FCI, but not all FCI is CUI,” states the National Archives CUI Program Blog.
When involved with federal government contracting, one must comply with the Federal Acquisition Regulation (FAR). If you have any DoD (Department of Defense) contracts, you must also comply with the Defense Federal Acquisition Regulation Supplement (DFARS). The FAR governs how businesses and government agencies work with each other; the DFARS adds DoD-specific regulations related to federal procurement. And yes, there are sections related to security.
One easy, effective, and important tool EVERYONE should use is Multi-Factor Authentication (MFA). MFA is when a user must provide at least two pieces of evidence to verify their identity and gain access to a website, application, or other resource. To learn more, visit the Cybersecurity & Infrastructure Security Agency (CISA).
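To make “at least two pieces of evidence” concrete, here is an added example (not code from this post, CISA, or NIST) of a login check that requires both a password and a time-based one-time code of the kind an authenticator app generates (TOTP, RFC 6238, built on HOTP, RFC 4226). It assumes a constructed demo account, PBKDF2-SHA256 for password storage, a raw-bytes TOTP seed (authenticator apps usually show it base32-encoded), and a one-step tolerance window for clock drift; the seed is the RFC test-vector secret, so the codes it produces match the RFC tables.

```python
"""Two-factor login check: password hash + TOTP (RFC 6238). Standard library only."""
import hashlib
import hmac
import struct

# Constructed demo account (not real credentials). The TOTP seed is the
# RFC 4226 / RFC 6238 test-vector secret, so codes match the RFC tables.
TOTP_SECRET = b"12345678901234567890"
PBKDF2_SALT = b"constructed-demo-salt"   # a real system uses a random per-user salt
PBKDF2_ROUNDS = 200_000

DEMO_USER = {
    "username": "alice",
    "password_hash": hashlib.pbkdf2_hmac(
        "sha256", b"correct horse battery staple", PBKDF2_SALT, PBKDF2_ROUNDS
    ),
    "totp_secret": TOTP_SECRET,
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = time / step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step or `window` steps either side,
    so a slightly drifted phone clock still works. Always checks every
    candidate (no early return) and compares in constant time."""
    counter = int(unix_time) // step
    ok = False
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate < 0:                            # no steps before the epoch
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            ok = True
    return ok


def verify_login(user: dict, password: str, totp_code: str, unix_time: int) -> bool:
    """Both factors must pass. Both are evaluated every time so a wrong
    password and a wrong code take the same path."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), PBKDF2_SALT, PBKDF2_ROUNDS
    )
    password_ok = hmac.compare_digest(candidate, user["password_hash"])
    code_ok = verify_totp(user["totp_secret"], totp_code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = 59                                         # RFC 6238 test time
    code = totp(TOTP_SECRET, now)
    print("code at t=59:", code)                     # 287082 per RFC 6238 (6-digit)
    print("password + correct code:", verify_login(DEMO_USER, "correct horse battery staple", code, now))
    print("password only, stale code:", verify_login(DEMO_USER, "correct horse battery staple", "081804", now))
    print("correct code, wrong password:", verify_login(DEMO_USER, "guess", code, now))
```

The point of the last two lines is the one MFA makes: a stolen password alone, or a captured code alone, is not enough. Note that a verifier should also refuse to accept the same code twice within its window (replay); that bookkeeping is left out here to keep the example short.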
Working on improving your cybersecurity using NIST 800-115, the Technical Guide to Information Security Testing and Assessment? Have a plan of what needs to get done related to cybersecurity? Use a POA&M (Plan of Action & Milestones) to identify and set actions, document your progress, and track your milestones. Need a template to get started? Go to the Federal Risk and Authorization Management Program’s, or FedRAMP’s, POA&M Template Completion Guide.
Are we done yet?? Not quite. Impact Dakota describes a System Security Plan (SSP) as critical to the implementation of NIST 800-171. This plan outlines an organization’s general philosophy toward security with respect to a specific, controlled information environment. In other words, an SSP outlines how an organization implements its security requirements. It details the different security standards and guidelines that the organization follows and includes high-level diagrams that show how connected systems talk to each other. The Environmental Protection Agency (EPA) has SSP tips on creating a plan. You guessed it: NIST has a glossary entry for this, too.
Interested in learning the history of Cybersecurity Maturity Model Certification (CMMC)? Jacob Horne explains it in about an hour on YouTube.
BONUS: Join ND PTAC’s Monthly Tri-State Webinar on ‘Cybersecurity Maturity Model Certification (CMMC), A Legal Overview’ at 9 am CDT, October 5, 2021. Register today!
As always, if you are not sure where to start or how to get organized, connect with the North Dakota Procurement Technical Assistance Center (ND PTAC). Our services are at no cost to businesses based in the state of North Dakota. Register to schedule an appointment. Additionally, take advantage of the many training opportunities and events listed on the ND PTAC website.
Not from North Dakota? Find your closest PTAC on the APTAC website and then click on your state.