Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations
NIST 800-171 serves as a “security checklist” for federal agencies with regard to their interactions with “nonfederal” systems and organizations that handle “Controlled Unclassified Information”. In practice, this means that nonfederal organizations (usually vendors) must meet certain minimum data-protection standards in order to do business with federal agencies.
The NIST 800-171 controls are a minimum standard to follow, and the governing documents are continually evolving. AT-NET’s security team feels that the standard should be adopted by all organizations where financially practical. The NIST standards serve as a framework that can adapt to an evolving cybersecurity landscape.
More information about the above standards can be found here.
Additionally, our customers are increasingly asked to allow a CMMC agent to review their systems for compliance.
CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level.
CMMC is designed to provide increased assurance to the Department of Defense that a DIB company can adequately protect sensitive unclassified information, accounting for information that flows down to subcontractors in a multi-tier supply chain.