For companies that do business with the government, 2017 was a year of transition, as many began to follow the NIST Cybersecurity Framework, worked to accomplish Federal Risk and Authorization Management Program (FedRAMP) certification, or rushed to rid their systems of products from Kaspersky Lab. Perhaps most significant was the rush of Pentagon contractors to come into compliance by year's end with NIST Special Publication (SP) 800-171, as mandated by a new provision of the Defense Federal Acquisition Regulation Supplement (DFARS). This provision requires contractors to comply with NIST's standards on protecting Controlled Unclassified Information (CUI).
The news for 2018 is that this heavy lift is coming for all government contractors, not just those dealing with the Defense Department. By all accounts, within a few months, the government will issue a new regulation and clause under the Federal Acquisition Regulation (FAR), following the Pentagon's lead in applying NIST 800-171 to all government agencies. This is expected to bring a significant amount of tumult, as tens of thousands of companies will find themselves subject to comprehensive new standards on information security, when dealing with sensitive (but not classified) government information.
Putting it Into Practice: Companies that do business with the federal government, or hope to, should begin planning to come into compliance with the NIST CUI standards. Doing so takes time and effort; those that start early will be rewarded with less time pressure and be in a better position to secure government contracts.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.