Anyone working on NIST SP 800-171 (Network and Information Security)?

[normzone]

I think this is a dumb question, but while I'm researching the answer I thought I'd come to the hub of all knowledge and pose the question here.

I'm seeing some traffic in my inbox from multiple customers regarding compliance to NIST SP 800-171, so I'm assuming that some implementation target date is approaching. This standard appears (research in progress) to address network and information security in organizations.

Since we have big aerospace customers, who occasionally provide us source control drawings, and also our own proprietary data on our network, it seems logical that we would be required to observe at least rudimentary security precautions.

But somebody in my organization touched on this topic with a customer prior to my involvement and made the statement that the requirements do not apply to us since some of our products are publicly available. Before I go step on those toes (they are upstairs) I am doing my homework.

Anybody here dealing with the NIST SP 800-171 standard, or it's big brother DFARS 252.204-7012?

As always, thank you so very much for participating in this forum.
.

 

[Jeff.Patriot]

Re: Any one working on NIST SP 800-171 (network and information security)?

Actually, I just started my journey this morning.

December 31, 2017 is the deadline.

 

[Jeff.Patriot]

Hi Norm,

I tried to answer your PM, but could not because I did not yet have enough posts. Therefore, I will answer here.

All I have had time to do is print out all of the requirements and list what we have in place that may or may not satisfy each item, sort of a "poor man's" gap analysis.

I do have a copy of the ISO/IEC 27001 standard as well. I need to find and download a comparison chart to see what ISO is lacking.

I set up a QMS a few years ago based on ISO 9001:2008, so I figured I would set up our ISMS based on ISO 27001 and grab any NIST leftovers at the end.

I am glad you had a survey to get you going. I'm in the weeds a bit myself. However, I have heard quite a few say they have gone the ISO way and that sounds feasible to me.

--Jeff

 

[normzone]

Thank you Jeff -

I wanted to provide an update, and ask for further documentation if available.

Jeff is correct about the deadline. The website at nvd dot nist dot gov/800-53/Rev4/impact/LOW has a beautiful set of information regarding requirements for Low Impact suppliers, and plenty of good counsel in footnotes regarding interpretation, suggestions for waiver or overlap in applicable situations, etc.

It even breaks it down to three priority levels (Implement these first, then .... ) so that you could make a minimum task list out of it.

Which is how I am going to present it to top management. But it's all in separate linked pages. Rather than cut/paste this damn stuff all day, I'm trying (without success) to find a PDF or word doc I can grab it all at one go in.

Anybody got any leads on one?

Thanks all -

 

[Lee Purser]

Hi all,
were small UK based machine shop, I'm a little late on the uptake of this one but better later than never! right?
We have firewalls, malware, virus software and all that good stuff in place; but the requirements of NIST SP seem to go much further than this. thanks for the info in the posts so far, but I wondered if anyone had found any simple effectively ways / solutions of implementing the requirements needed here?


regards
Lee
: