What Is NIST?
Regardless of your organization’s size or line of business, you must have heard of the term ‘NIST.’ What exactly does it mean, and why should it concern you?
The acronym stands for the National Institute of Standards and Technology. NIST is a non-regulatory federal agency based in the United States Department of Commerce. Founded by Congress in 1901, its primary mission is to encourage scientific innovations and technological competitiveness. You’re probably wondering how relevant this is to your Los Angeles business, right? Don’t worry; Generation IX is here to put everything into perspective. But first, check out this introductory video:
How Is NIST Relevant To Your Organization?
An extract from the official NIST website reads, “Congress has given NIST responsibility to disseminate consistent, clear, concise, and actionable resources to small businesses.” Based on the agency’s recent actions, we could interpret this to mean businesses of all sizes.
When computers became popular and the internet part of our daily lives, the federal government thought it was reasonable to define best practices for their fair and appropriate use. Congress tasked NIST with overseeing the establishment of standards for creating, using, and transmitting technology. Although there are several NIST standards to this effect, our focus today is on the most common one – NIST 800-171. It prescribes how non-federal or non-governmental organizations should handle Controlled Unclassified Information (CUI) in their possession.
What is CUI? It’s essentially any government information that is not classified but is still deemed relevant and must be protected from the bad guys. A classic example is architectural illustrations of government projects like maps of roads and railway lines. Such information may not be classified but is still controlled by the federal government. If this information land in the wrong hands, it could be leveraged against the U.S. Any organization working directly or indirectly with the government must, therefore, observe NIST 800-171 standards for the protection of CUI.
How Can Your Organization Stay NIST 800-171 Compliant?
Even for companies not doing business with the government, it’s essential to know some NIST basics.
To fully comply with NIST 800-171:
- First, identify all the CUI in your possession and where it is stored.
- You then categorize and encrypt the information.
- Limit access to the CUI to only a ‘Need-to-know’ basis.
- Deploy a reliable monitoring system for the CUI. You should have full visibility into and control over CUI databases. All logins and access logs must be recorded for easy reference. When did the user access the CUI, and how did they use it?
- The Standard also mandates regular training for your employees on CUI and how to protect it.
There’s more to NIST compliance than these; the list could go on and on. Like most concepts in cybersecurity and IT, NIST is vast and quite sophisticated. It’s often considered one of the most problematic compliance standards. However, it must not always be challenging, especially if you are working with the best IT company in Los Angeles.
Can You Manage NIST Compliance Internally?
Most small and medium-sized businesses prefer outsourcing this service because it’s more cost-effective that way. Besides, an IT company is less prone to blunders and omissions, thanks to a broader experience and deeper bench of experts. Even larger companies with established in-house IT departments often reach out to us to help with NIST compliance or for fixing errors flagged during audits. So, yes, it’s possible to manage NIST compliance internally — but this is not the best option.
Everyday, I work to ensure organizations are leveraging technology to optimize their business, improve employee performance and satisfaction, and protect themselves from cybersecurity threats. I love my role in business development because it allows me to connect with all facets of a business. My primary focus is working with new prospective clients and introducing them to the Generation IX way of IT services and support. Additionally, I evaluate new technology and potential vendor partnerships. We are constantly looking for the best solutions for our clients.