Last Updated on January 18, 2024
The US federal government has been issuing new cybersecurity guidance at an accelerating pace, with a focus on protecting controlled unclassified information (CUI) in general and critical infrastructure organizations (remember Colonial Pipeline?) in particular. Even if your business doesn’t serve the government directly, these changes could well impact you via “flowdown” from your customers in critical infrastructure and/or government sectors.
A central question for many firms that have already achieved ISO 27001 certification or have a SOC 2 based program in place is how to address the rapidly emerging need for compliance with the NIST SP 800-171 standard, which mandates controls to protect CUI. What is the most time- and cost-efficient way to achieve provable security and compliance with all the information security and privacy standards that are relevant to your business?
On a recent “special briefing” episode of The Virtual CISO Podcast, Pivot Point Security CISO and Managing Partner, John Verry, addresses the “NIST versus ISO” question, which is becoming relevant for more and more businesses both within and outside the government sector.
Why CISA and critical infrastructure are relevant
Per the “cybersecurity executive order” 14028 from May 2021, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) will play a pivotal role in enforcing US government cyber compliance. This will be especially important for companies serving the designated “critical infrastructure” sectors, which include chemicals, commercial facilities, communications, dams, defense, emergency services, energy, financial services, food & agriculture, government facilities, healthcare, information technology, manufacturing, nuclear programs, transportation and water/wastewater.
Note how broad that list is. The US government (USG) may not directly mandate NIST 800-171 compliance for your business, but your customers in these industries will do so as part of their “flowdown” compliance requirements for their suppliers.
Why CUI is relevant
CUI comprises a wide range of data types that your business might be processing. The National Archives and Records Administration (NARA) maintains the CUI Registry, which among other things lists all the categories of CUI. These include far more than defense-related data, e.g., student records, health records, personnel records, various financial and legal data and intellectual property.
As John explains, if you process CUI, you’ll be mandated in the “not-too-distant future” to comply with NIST 800-171—either directly by the government or by your customers in critical infrastructure sectors and/or who process CUI. Law firms and SaaS providers are examples of businesses that might see compliance mandates or feel compliance pressure sooner rather than later.
What’s Next?
John offers two key takeaways in this special briefing podcast:
- NIST 800-171 compliance requirements are coming soon for many companies. Depending on your current security posture, getting to a provably compliant state could take up to 12 months. Start now by becoming familiar with the current federal cyber compliance landscape, what CUI you’re processing, and what your customers and regulators are asking for, with a view to building NIST 800-171 compliance into your program ASAP.
- As you might expect, there is considerable overlap between NIST 800-171 and ISO 27001 or SOC 2. This opens up multiple options for attaining demonstrable NIST 800-171 compliance in a time- and cost-efficient manner, in parallel with ISO 27001 certification or a SOC 2 cybersecurity program.
To hear this special 20-minute podcast briefing on “NIST versus ISO” with John Verry, click here: LINK
To speak with an expert on how to optimally align your current security program with NIST 800-171, contact Pivot Point Security.