One of the reasons I joined my organization is that I wanted to experience being a Department of Defense contractor. The work Evotec is doing is just super fascinating, so it was hard to resist.
This means I am taking a NIST SP 800-171 crash course as I figure out what it means to comply with Compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clause 252.204-7012. I swear this makes Part 11 look like the kindergarten it is.
NIST SP 800-17 has 110 security requirements across 14 control families, including:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
It spells out self-assessment and implementation of the security requirements. Organizations must:
- Form an assessment team
- Create an assessment plan
- Collect relevant documents and evidence
- Assess individual requirements
- Create a plan of action for unmet requirements
- Develop a System Security Plan (SSP)
Here’s a comparison of NIST SP 800-171 and ISO 27001 presented in a table format:
| Aspect | NIST SP 800-171 | ISO 27001 |
|---|---|---|
| Purpose | Protect Controlled Unclassified Information (CUI) in non-federal systems | Provide framework for Information Security Management System (ISMS) |
| Scope | Focused on data security for CUI | Broader approach to overall information security management |
| Origin | U.S. National Institute of Standards and Technology | International Organization for Standardization |
| Primary Users | U.S. Department of Defense contractors and subcontractors | Organizations worldwide seeking robust information security |
| Certification | No formal certification process | Offers formal certification through third-party audits |
| Structure | 110 security requirements across 14 families | 114 controls across 14 domains (Annex A) |
| Flexibility | Prescriptive requirements | More flexible, risk-based approach |
| Mandatory Controls | All requirements are mandatory | No mandatory controls; risk-based selection |
| International Recognition | Primarily recognized in the U.S. | Globally recognized standard |
| Cost | Generally less expensive to implement | Can be more costly due to certification process |
| Maturity Model | Does not include a maturity model | Does not include a maturity model (but compatible with other maturity models) |
| Documentation | Less extensive documentation requirements | Extensive documentation requirements |
| Regulatory Compliance | Specific to U.S. DoD contracts | Can be adapted to various regulatory requirements |
Investigations of a Dog 