Leadership should think of cybersecurity ‘compliance’ as being able to prove security to people who matter. Providing such proof should be as close to routine and painless as possible. Providing security to protected information is a function of people, processes, and technology—and technology is often the least difficult component to implement. Proving security requires repeatability, evidence gathering and curating and awareness by the organization’s people.
Too many explanations of compliance dive straight into the specifics of security framework X or security framework Y. This is natural for compliance specialists or business leaders who perceive of ‘compliance’ as something to be done once every 2-3 years. Far too few leaders think of cybersecurity with other long-duration mental models: defensive driving, preventive health, risk transfer/insurance, risk reduction. All of those mental models have value and help bridge the communication gaps between the ‘get it down,’ ‘security,’ and ‘compliance’ communities. In some ways, jumping straight into the specifics is akin to trying to assemble newly purchased Ikea furniture without opening the assembly instructions, checking that all the pieces and parts are present, and planning for more time than you think.
NIST 800-171 revision 2 focuses on establishing and maintaining the confidentiality of protected data. It does not address data integrity and data availability—topics left to its much bigger relative NIST Special Publication 800-53 Security and Privacy Controls for Information Systems and Organizations. NIST 800-171 enumerates 320 assessment objectives spread across the 110 requirements that are themselves spread across 14 control families. A significant percentage of those objectives and requirements are NOT technology centric. The objectives and requirements require an organization to have policies, procedures, processes, and checklists—implicitly the business operations community should drive documenting operational requirements. Those written artifacts help establish systemic and repeatable patterns of behavior for protecting access to and use of sensitive and/or protected information across entire organizations—not just inside the ‘IT Shop.’ In effect, the entire organization must write what it does, do what it writes, and be able to prove it.
The Department of Defense (DoD) and the National Institute of Standards and Technology (NIST) released Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations in 2016. The DoD also published rules in the Defense Federal Acquisition Regulation Supplement (DFARS) that required vendors with DoD contracts to implement the security requirements of 800-171. Since then, NIST and DoD has continued evolving and working to reduce the quantity of unclassified information flowing to nation-state competitors and foreign industrial competition.
No matter what framework an organization chooses, the differences are more in scope and scale than foundations. The foundations remain, write what you do, do what you write, and be able to prove it.