DoD cybersecurity standards may apply to you, even if you don’t handle classified information.
If you’re a business which has contracts with the Department of Defense or federal government, you may need to take a closer look at your current cybersecurity situation. Over the past few years, the DoD has worked with the National Institute of Standards and Technology (NIST) to develop a new cybersecurity standard, known as NIST 800-171, for themselves, and for contractors that work with them.
The DoD and federal government depend upon outside contractors to handle a variety of needs. And many of these contractors work with subcontractors to handle the workload. With so many parties involved, it’s no surprise leaks happen. However, the DoD understandably would like to see confidential information handled more carefully—even information that isn’t labeled “classified.” Specifically, the DoD is interested in what it calls “Controlled but Unclassified Information,” or “CUI.”
How do you know if your business handles CUI?
CUI covers a broad range of material, from documents pertaining to purchase orders to manufactured goods. Broadly speaking, anything which might cost the United States an economic advantage through the loss of financial information or intellectual property can be considered CUI. This also includes technical drawings or documents marked “for official use only.” Because these documents are so pervasive, it’s almost a given that if your business handles any sort of contract with the DoD or federal government, you handle CUI and NIST 800-171 applies to you.
This comes as a surprise to many businesses who (understandably) believe the DoD cybersecurity standards are only meant to protect classified information. Similarly, many businesses may be unaware that these guidelines are intended for them if they work as subcontractors for businesses handling DoD or federal government contracts. Even if your business does not work directly with the DoD or federal government, if you handle these contracts through an intermediary the cybersecurity standards apply to you.
How can your business meet DoD cybersecurity standards?
You can review the NIST 800-171 guidelines for yourselves, but many of the requirements take expert knowledge to understand and meet. We can help your business evaluate their DoD cybersecurity qualifications to see if they’re up to date. If you have more questions, take a look at our FAQ page or contact us to begin the assessment process.