
Navigating the Cybersecurity Compliance Journey (Part 1)


In today’s digital age, cybersecurity is paramount, especially for defense contractors in the United States such as InterConnect Wiring. Ensuring compliance with standards like the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and the Cybersecurity Maturity Model Certification (CMMC) 2.0 is crucial for safeguarding sensitive information. These are the requirements facing our company, along with the roughly 300,000 other Defense Industrial Base (DIB) contractors in the same compliance boat with us. This post walks through the general steps InterConnect Wiring, as a DIB member, took to reach compliance with NIST SP 800-171, Revision 2, and explains where that puts us in relation to CMMC 2.0.


Understanding NIST SP 800-171 and Controlled Unclassified Information (CUI)

NIST SP 800-171 provides guidelines for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. CUI is information that does not reach a classified level but is not for public knowledge, and that the government, the prime contractor, or any sub-contractor has generated or received in relation to the contract. CUI will either already be marked as CUI by the DoD or by the Prime in the chain above us, or it will be information generated by InterConnect Wiring and determined to be CUI. Once information is determined to be CUI, the handler of that information becomes responsible for ensuring it is labeled as CUI. CUI can be technical information, such as Computer Aided Design (CAD) files used to build the contracted items, for example wiring harnesses and cockpit panels. This is known as Controlled Technical Information (CTI) and is a subset of CUI. For InterConnect Wiring, most of our CUI is CTI in the form of two-dimensional drawings. The Bill of Materials (BOM) used to assemble the wiring harnesses is also CUI for us. If we create CAD files ourselves, they become CUI and we label them as such. Understanding which of the information we handle, process or generate in fulfilling the contract is CUI was a vital step for us in moving forward on our compliance journey. Only once CUI is identified can the flow of CUI through the company be evaluated and the scope of NIST SP 800-171 compliance be determined. It’s hard to protect what you have not identified.

NIST SP 800-171 outlines 14 families of security requirements, including access control, incident response, and system and information integrity. Within each of these families there are controls; counted across all families, there are 110 of them. Some families have just a few controls and others have many.


Steps to Achieve NIST SP 800-171 Compliance

InterConnect Wiring took the arduous steps below to reach compliance. You can do the same.

  1. Gap Analysis:
    • Conduct a thorough assessment to identify gaps between your current cybersecurity posture and the requirements of NIST SP 800-171.
    • Document all findings to create a roadmap for compliance.
  2. Develop a System Security Plan (SSP):
    • Create an SSP that details how your organization meets each of the NIST SP 800-171 requirements.
    • Include descriptions of system boundaries, operational environments, and security controls.
  3. Implement Security Controls:
    • Address the gaps identified in the gap analysis by implementing the necessary security controls.
    • Ensure all 110 security requirements are met.
  4. Conduct a Self-Assessment:
    • Perform a self-assessment to verify that all security controls are in place and functioning as intended.
    • Use the results to make any necessary adjustments.
  5. Continuous Monitoring and Improvement:
    • Establish a continuous monitoring program to ensure ongoing compliance, demonstrating maturity through evidence collection.
    • Regularly review and update your SSP and security controls as needed.


An essential step taken along the way that really helped InterConnect Wiring gain traction and accelerate the process was acquiring a Governance, Risk and Compliance (GRC) product. The GRC product contains the compliance controls for NIST SP 800-171 and the corresponding controls for CMMC 2.0. Once we had our SSP, we generated scheduled tasks for each control, with the basic steps to produce evidence of how the control is met for us. Such evidence (also called artifacts) may be screenshots, exports of log data, or notes from employee interviews. Collecting artifacts showed us we were actually fulfilling our required compliance.

Be sure to look for my next article, Navigating the Cybersecurity Compliance Journey (Part 2 of 2), where I explain NIST scoring as well as moving to CMMC 2.0. Would you be surprised if I told you the scoring is rather unusual and confusing to some?


About the author: Doug Symes, InterConnect Wiring, IT Manager

With a keen eye for cybersecurity and a passion for innovation, Doug Symes leads the Information Technology (IT) department at InterConnect Wiring. His expertise in navigating the complexities of the Cybersecurity Maturity Model Certification (CMMC) has positioned InterConnect as a forward-thinking contractor, able to meet the stringent requirements of the Department of Defense. Doug’s strategic approach to IT management ensures that InterConnect remains at the forefront of technological advancements, providing exceptional service and support. Over his 15-plus years at InterConnect, Doug’s commitment to excellence is evident in his proactive stance on cybersecurity, ensuring that all systems are robust and resilient against potential threats. His leadership is instrumental in fostering a culture of continuous improvement and adaptability within the IT team.

Doug has been married to his wife Kara for 22 years and has four sons. Doug earned a bachelor’s degree from Wichita State University and a Master of Divinity from Southwestern Baptist Theological Seminary here in Fort Worth. Doug was born in Huntsville, Alabama, while his father was working with Boeing and NASA there on a joint space project. The family moved back to Wichita, Kansas, where Doug was raised. Doug is no stranger to aerospace: his grandmother riveted bombers during WWII, and direct family members worked for Boeing, Cessna, Beechcraft and LearJet.
