I have said for some time that "compliance is not security." That said, compliance requirements pose very real risks to your business if you don't meet them: fines, time wasted in audits (internal or otherwise), and lost contracts. It is not just government contracts at risk, either; frameworks like NIST SP 800-171 mean you can be held to the requirements if you are doing business with a company that has a contract with a government agency. That's three degrees removed from the powers-that-be themselves. In this post, I'll discuss why these stipulations matter more now than before, recap what these acronym-laden compliance frameworks are, and explain how ActZero's Managed Detection and Response and vCISO services can help you meet increasingly complex requirements.
There are several reasons your small or medium-sized enterprise should be taking these requirements more seriously than when they originally came into effect. First, the second revision of the framework was only published in July of this year, and its requirements are more specific about the processes, technologies, and outcomes that need to be in place.
That means government suppliers, who remain very interested in ensuring that their own suppliers and partners are compliant, are getting serious about enforcement. Gone are the days of annual check-ins and roadmaps towards compliance; if progress isn't being made, they are much more likely to drop your business to protect their own government contracts.
Finally, it is not just your current contracts with the government, or with its suppliers, that are at risk: you can be removed from the program for failing to comply, meaning your business will not be considered for future RFPs, and if you aren't already involved, you can still be excluded from future consideration if you haven't complied. Perhaps the most important point is that these requirements trace back to an executive order of the President of the United States (Executive Order 13556, which established the Controlled Unclassified Information program), and being out of compliance with them is not a situation you want your business to be in.
What is NIST anyway?
NIST, the National Institute of Standards and Technology, is the body that published the framework I've been discussing: Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." It defines the security requirements for protecting Controlled Unclassified Information (CUI) when that information is stored, processed, or transmitted on the systems of companies that handle CUI on behalf of contractors dealing with government agencies. The requirements are grouped into 14 families, such as Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, and Incident Response, and they cover both technology and process. For more information about the specific requirements, you can check out our detailed report on NIST SP 800-171.
What about DFARS?
This acronym stands for Defense Federal Acquisition Regulation Supplement, and in this context it usually refers to the clause (DFARS 252.204-7012) that requires Department of Defense (DoD) contractors to implement NIST SP 800-171. The clause must be flowed down to subcontractors that handle covered defense information, which is why, even if your customer isn't a government agency but a company with a DoD contract, your business is still required to comply with the 800-171 framework.
How does ActZero help?
There are two ways ActZero services help your business with this (and other) regulatory frameworks. The first is our core offering, the Managed Detection and Response (MDR) service. It gives businesses that lack the means or expertise to set up their own Security Operations Center (SOC) the benefits of one for a low monthly fee, without investing in their own hardware, software, or personnel. Our trained Threat Hunters use our proprietary platform to proactively hunt for threats in client environments and respond to them by killing processes, deleting malware, or quarantining machines. This helps your business meet the requirements that deal with the technology or personnel necessary to protect critical data. We are constantly adding features that improve protection and help you meet increasingly complex requirements; most recently, password and account policies have been added to the monthly report that our threat hunters review with clients.
The second is our consultative Virtual CISO (vCISO) service, which gives you access to a team of experienced CISOs for a set number of hours each month. They can help you navigate compliance requirements such as those in NIST SP 800-171 and other frameworks, advise you on your next security investments, and help you understand and mitigate the risks specific to your business or industry.
Refer to the chart below to see which requirement families our services can help you meet:
Of course, this chart only gives an aggregate view of how ActZero Networks' services can help. If you need to understand the specific requirements, you can request a copy of our detailed report on how our MDR, vCISO, or a combination of the two can help. Or reach out to one of our experts today to learn more!