5 Differences a NIST Assessment can make for manufacturers


As the pressure mounts on government subcontractors to complete National Institute of Standards and Technology (NIST) 800-171 cybersecurity assessments, businesses should understand some of the key reasons to perform a self-assessment:

  1. Manufacturers should understand that one of the greatest risks to their business is disclosure of proprietary data. Trade secrets are the lifeblood of these businesses and it is essential to prevent the loss of this information. The NIST assessment process forces the business to understand where their sensitive data resides and how well it is currently protected.

  2. Businesses are often not as secure as they need to be. In the manufacturing realm we often see systems which were quickly and cheaply deployed in order to become operational. In many cases these business-critical systems were never secured properly. A proper NIST assessment reviews all systems and allows them to “stay on the radar” until secured.

  3. Manufacturers are subject to “exfiltration” of their sensitive data due to the lack of proper controls. A single uncontrolled Office 365, Google Docs, or Dropbox installation can easily bypass most of the organization’s security. Manufacturers also have more Internet of Things (IoT) devices, such as door controllers, security cameras, process controllers, and robots, than many businesses. These are key potential insecurities which have to be considered.

  4. A NIST assessment will uncover insecurities internally with Active Directory, permissions, and operational policies. But it is also intended to examine every connection which can potentially be made to sensitive manufacturer data. This includes manufacturer client portals, web portals which the manufacturer uses to conduct business with partners and suppliers, and any “outsider” access to the manufacturer data.

  5. The assessment also looks at the written policies for HR, information technology, and security, as these provide the structure for how cybersecurity is executed. The “operational” policies, such as Active Directory policies and password and lockout policies among many others, are based upon these written policies. Ensuring the use of properly vetted and trained personnel, good information technology infrastructure and procedures, and solid information security is key to protecting the supply chain. Documenting and verifying a manufacturer’s vendor and supplier structure is also important, as these relationships can impact security.

  6. Going through the assessment process is smart business. Even if a manufacturer is not subject to NIST requirements, there are significant benefits to becoming NIST compliant, including protection of proprietary data, competitive advantage, and the ability to compete for government contracts if desired.

NIST assessments are used to ensure each manufacturer has evaluated the key aspects of their information security. An assessment should result in a map of where all sensitive business data resides, how it is protected, and how users of all types access it. It also provides the framework which will allow the manufacturer to prioritize and track their progress against the NIST security guidelines based upon business risk.

To learn more about NIST assessments
