How Does It Affect Me?
The impact on you as an Industrial Security professional will depend on how your company intends to implement the guidelines and what role you need to play. As is fairly common, your company may want you to take on additional responsibilities because of your role as a Facility Security Officer (FSO). Know that NIST SP 800-171 requires separation of duties to reduce the risk of collusion.
New Reporting Requirements. In order to comply with NIST SP 800-171, your company needs to know what, if any, controlled unclassified information is being collected, stored, used, or transmitted on their information systems. As an Industrial Security professional, you will want to know this as well because NIST SP 800-171 requires the collection and preservation of information (e.g., records and other forensic evidence) related to cyber incidents to be reported to the Department of Defense. These reporting requirements mean you will also need to notify your Cognizant Security Agency (CSA).
Enhanced Security Controls. If your company has classified information systems, you will be familiar with the concept of a System Security Plan (SSP). Creation and maintenance of an SSP is also a requirement under NIST SP 800-171. In the same way classified information systems must be monitored for vulnerabilities and insider threats, NIST SP 800-171 expands this to include company information systems that house controlled unclassified information. As an Industrial Security professional, you need to understand the mapping of NIST SP 800-171 requirements to NISPOM requirements so you can confirm the security controls have been implemented, advise those with responsibility how to address any compliance gaps and update your Security Practices and Procedures.
Mapping of NIST SP 800-171 security requirements to relevant NISPOM security controls:

3.9 Personnel Security

NIST SP 800-171 3.9.1: Screen individuals prior to authorizing access to organizational systems containing CUI.
NISPOM 8-302.a.(1): Individuals occupying positions of responsibility for classified ISs meet the security criteria established for those positions.

NIST SP 800-171 3.9.2: Ensure that CUI and organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
NISPOM 8-302.a.(2): Classified information and ISs are protected during and after personnel actions, such as resignations, retirements, terminations, transfers, or loss of access to the system for cause, or the individual no longer has a reason to access the IS; in such circumstances, the individual's user ID and its authentication will be disabled or removed from the system and the account.
NISPOM 8-302.a.(3): The contractor is required to review audit logs in accordance with CSA-provided guidance, as a component of its continuous monitoring, to determine if there are any personnel failing to comply with security policies and procedures and to take appropriate administrative actions. In addition, when circumstances warrant, the contractor will review audit logs more immediately, if necessary, for inappropriate activity and employ appropriate administrative actions for personnel failing to comply with security policies and procedures.
Training and Awareness. You need to understand the security briefing and training requirements defined in NIST SP 800-171, which include information security, insider threat, privacy, access control and other briefings. You and your security team may be required to train company personnel as part of the onboarding, termination and security awareness program.
Security Assessments. In addition to the security assessments required under the NISPOM program, you need to understand what role you will play in the risk and security assessments required by NIST SP 800-171.
The deadline for compliance with NIST SP 800-171 has passed, and your role as an Industrial Security professional will likely change in one way or another. The key to successfully navigating this newest set of regulatory requirements is to ensure you understand how the program will be implemented at your company and what role you are being asked to play.
Regardless of the role you play, it would be prudent to review the NIST SP 800-171 guidelines so you can make informed decisions.