Cybersecurity, Privacy, & AI


Five Compliance Challenges Clients Face When Implementing NIST 800-171

Wiley Rein LLP highlights five key questions that have emerged in companies’ efforts to comply with the “adequate security” standard in NIST Special Publication 800-171, “Protecting Unclassified Information in Nonfederal Information Systems and Organizations.”

  • Can I Segregate My Covered DOD Information System from my Commercial Systems? This is possible and may be a viable way to harden a system used for DOD contracting while avoiding a complete redesign of other existing commercial systems.
  • What Information Systems Are Covered? Determining which systems handle Covered Defense Information begins with data identified as such in the contract, but extends to data handled in support of performing the contract.
  • How Do I Determine If I Have Complied With NIST 800-171? Structured internal audits and consulting with outside vendors can overcome the intentional ambiguity in the security controls.
  • What Do I Do If I Have Identified Gaps? Creating a System Security Plan that documents any gaps in Plans of Action and Milestones will buy a company time.
  • How Do I Address Ambiguities in the Security Controls? Documenting the good-faith steps taken to comply is the best defense.

More at Wiley Rein
