NIST SP800-171 at Levison Enterprises
Levison Enterprises is proud to commit early to standards that improve our clients’ data security.
In December 2016, the National Institute of Standards and Technology published new standards for all contractors and subcontractors for the United States Department of Defense (DoD). Implementation of the standards in NIST SP800-171 was required by December 31, 2017, and focused on safeguarding Covered Defense Information (CDI) and the reporting of cyber security incidents.
Levison Enterprises, NIST SP800-171 Early Adopter
By the summer of 2017, Levison Enterprises was already compliant with the new standards. We are proud of our range of quality and safety standards and quickly saw the NIST SP800-171 standards as another way we could provide these for our manufacturing partners. We aim to be early adopters of all quality and safety standards and NIST SP800-171 was no exception.
NIST SP800-171 is a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI). The focus is on building cybersecurity by directing attention to how desktop and laptop computers, cell phones, tablets, servers and cloud storage systems use, store and protect sensitive information.
At Levison Enterprises, we were already meeting many of the requirements of NIST SP800-171 as part of other standards we already held, such as ITAR.
NIST SP800-171 at Levison Enterprises
For an electronic contract manufacturer (ECM) that is committed to quality, the NIST SP800-171 requirements fell in line with much of the work we were already doing out of good practice. We have always been and remain committed to increasing security for government and non-government contracts alike, so compliance was a natural step for Levison Enterprises.
Though there is no specific process for certifying, as a subcontractor for prime government contractors, Levison Enterprises committed to fully complying with NIST SP800-171. Like many quality certification standards, compliance means self-regulating and documenting adherence to the requirements.
This involved a third-party gap assessment and testing to meet specifications. Initial and ongoing training keep Levison Enterprises informed about potential cybersecurity threats and ways to protect against them.
For Levison Enterprises, much of this work is focused on document control. While there are many guidelines within NIST SP800-171, this is the area most in line with our work as an ECM subcontractor.
Document Control at Levison Enterprises
Levison Enterprises works to continuously define Controlled Unclassified Information (CUI) as it relates to our business and the business of our partners. In many cases, there may not be clear guidance on what is or is not CUI, so we work with our prime contractors to clarify as an added precaution.
We have developed comprehensive Data Flow Diagrams (DFDs) to identify where CUI is stored and processed in our network system. Where possible, we prefer to segment CUI data away from all other data storage to help build better security for the CUI.
Levison Enterprises also maintains documentation regarding how, when, and where CUI controls are applied. These controls may be in the form of policies and procedures or they may be specific technology solutions that are created for specific types of data.
We pride ourselves on being able to support our commitment to this work. Levison Enterprises maintains documentation that details the steps we took and continue to take to obtain and maintain our NIST SP800-171 standards.
We have organized everything from security procedures, action steps and contingency plans to which people are responsible for which tasks. We have prepared these steps in part to operate at a high level of compliance. Moreover, we want to offer a secure and quality place for our manufacturing partners’ work.
NIST SP800-171 Levels
The NIST compliance system offers levels of adherence to help partners and contractors distinguish among manufacturers with various levels of commitment to the standards.
When NIST SP800-171 was first initiated, all contractors were at a Level 0. The scale ranges from 0 to 5, with 5 being the highest adherence to the standards.
Currently, Levison Enterprises operates at a Level 3, with goals of achieving higher rankings in the near future. Since there is no official auditing system for compliance, a higher ranking isn’t necessarily required. However, we believe in achieving the highest levels of all standards and believe in demonstrating that in whatever way possible.
In order to advance rankings, Levison Enterprises plans to provide a System Security Plan (SSP) among other recommended cybersecurity measures. The SSP, along with all the steps already taken, represents how we, as a company, address security concerns as they relate to NIST SP800-171. We also believe in good security practice for all our contracts, government and non-government alike.
We believe it’s good business because we believe it’s what’s best for our partners’ projects. Contact Levison Enterprises to put your build in hands that believe in keeping your information secure.