by Geoff Pierce, CISO

When it comes to implementing NIST SP 800-171, I’m often asked: “Why should I implement that? I don’t have CUI [controlled unclassified information] on my system.”

The perception tends to be that CUI is the only unclassified data that should be protected. I say, focus on protecting all of your data, including: 

  • Your intellectual property 
  • Your financial data 
  • Your employee data 
  • Your business partner data 
  • Your client data 

Identify and Characterize Your Data: While not all data is CUI, you likely have more CUI on your systems than you realize (that is a certainty for cleared defense contractors), and most, if not all, of your data is worth protecting from hackers. For government contractors, failure to protect CUI can result in millions of dollars in fines and loss of contracts. Failure to protect your data (not just CUI) can result in loss of reputation, ultimately hurting your bottom line.

Prevent Unauthorized Access: Now that you’ve identified and characterized your data, implement the required controls to prevent unauthorized access. CUI needs to be encrypted wherever it is stored and whenever it is transmitted via email. Your company’s prized intellectual property should be encrypted as well. Use access control lists on file shares to limit access to authorized personnel. For example, does every staff member need access to the company’s salary information? Probably not!

Documentation is Key: It may take time, but document your policies and procedures, including employee onboarding, passwords, and data storage and transmission, to name a few. The best documentation is concise, practical, and accurate. If your password policy states that passwords are changed every three months (say what you do), then implement controls that expire passwords every three months (do what you say). Of course, technical controls are no good if your employees don’t know how to use them; encrypting CUI is a good example. Train your employees on the proper ways to store and transfer data, especially CUI. Employees should be aware of your company policies and procedures so that you, as a company, can demonstrate that you do what you say. Cybersecurity is not a one-and-done endeavor; it must be practiced every day.
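The two sections above (limit share access to authorized personnel, encrypt CUI, and make the enforced password lifetime match the written policy) boil down to one recurring check: compare what the documentation says against what is actually configured. The script below is an added example, not part of the original post, that does that comparison over a constructed data inventory and a constructed ACL export. Share names, group names and the password settings are hypothetical; in practice the observed side would come from an ACL export of your file server and your directory’s password settings.

```python
from dataclasses import dataclass

# Group principals that grant access to essentially everyone; they must not
# appear on shares holding sensitive data (CUI, IP, financial, HR).
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}


@dataclass(frozen=True)
class SharePolicy:
    """What the written policy says about one file share ("say what you do")."""
    classification: str          # e.g. "CUI", "Financial", "HR", "General"
    allowed_principals: frozenset
    requires_encryption: bool


@dataclass(frozen=True)
class ObservedShare:
    """What is actually configured on the share ("do what you say")."""
    acl: dict                    # principal -> granted rights, as exported by an admin
    encrypted_at_rest: bool


# Constructed sample data inventory: share and group names are hypothetical.
POLICY = {
    "Finance": SharePolicy("Financial", frozenset({"Finance-Team", "Domain Admins"}), True),
    "Engineering-CUI": SharePolicy("CUI", frozenset({"CUI-Cleared", "Domain Admins"}), True),
    "Public-Docs": SharePolicy("General", frozenset({"Domain Users", "Domain Admins"}), False),
}

# Constructed sample of what an ACL export might show, with deliberate drift.
OBSERVED = {
    "Finance": ObservedShare({"Finance-Team": "Modify", "Domain Admins": "Full",
                              "Authenticated Users": "Read"}, True),
    "Engineering-CUI": ObservedShare({"CUI-Cleared": "Modify", "Domain Admins": "Full",
                                      "Contractor-Temp": "Read"}, False),
    "Public-Docs": ObservedShare({"Domain Users": "Read", "Domain Admins": "Full"}, False),
    "Scratch": ObservedShare({"Everyone": "Full"}, False),   # never classified
}

DOCUMENTED_MAX_PASSWORD_AGE_DAYS = 90    # what the written policy says (three months)
CONFIGURED_MAX_PASSWORD_AGE_DAYS = 180   # constructed drift in the directory setting


def audit_share(name, policy, observed):
    """Return findings where a share's live configuration departs from its policy."""
    findings = []
    sensitive = policy.classification != "General"
    for principal, rights in observed.acl.items():
        if sensitive and principal in BROAD_PRINCIPALS:
            findings.append(f"{name}: broad principal '{principal}' has {rights} "
                            f"on {policy.classification} data")
        elif principal not in policy.allowed_principals:
            findings.append(f"{name}: '{principal}' ({rights}) is not in the authorized list")
    if policy.requires_encryption and not observed.encrypted_at_rest:
        findings.append(f"{name}: {policy.classification} data is not encrypted at rest")
    return findings


def audit_password_policy(documented_days, configured_days):
    """Flag a mismatch between the documented and the enforced password lifetime."""
    if configured_days != documented_days:
        return [f"password max age: policy says {documented_days} days, "
                f"directory enforces {configured_days}"]
    return []


def run_audit(policy, observed, documented_days, configured_days):
    """Audit every observed share plus the password setting.

    A share that exists but has no entry in the data inventory is itself a
    finding: data you have not characterized cannot be protected correctly.
    """
    findings = []
    for name, share in observed.items():
        if name not in policy:
            findings.append(f"{name}: share has no classification in the data inventory")
            continue
        findings.extend(audit_share(name, policy[name], share))
    findings.extend(audit_password_policy(documented_days, configured_days))
    return findings


if __name__ == "__main__":
    for finding in run_audit(POLICY, OBSERVED,
                             DOCUMENTED_MAX_PASSWORD_AGE_DAYS, CONFIGURED_MAX_PASSWORD_AGE_DAYS):
        print("FINDING:", finding)
```

Run on the constructed data it reports five findings: a broad group on the finance share, an unlisted contractor group and missing encryption on the CUI share, an unclassified scratch share, and a password lifetime that is twice what the policy states. Each finding is either a control to fix or a document to correct, which is exactly the "say what you do, do what you say" loop the post describes.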

