Who is impacted?
U.S. Federal agencies and their vendors, subcontractors, states and companies receiving federal funding.  Many states have also mandated National Institute of Standards and Technology (NIST) compliance.
Failure to comply with NIST will result in loss of government funding and contracts.  Additionally, organizations are exposed to criminal liability, civil penalties, and contractual liability (Breach of contract, False Claims Act, Liquidated Damages, Termination for Default, Termination for Convenience).
Key takeaways:
NIST Special Publications 800-53 and 800-88 specifically outline proper data control and proper media sanitization:

  • Organizations must use a written media destruction process to Track, Contain, Dispose, Document, and Verify all data-bearing media (NIST MP-6(1) Media Sanitization Requirements)
  • Risk compliance officers must adopt processes that emphasize risk mitigation (NIST 800-30)
  • Data cannot leave the customer’s 4 walls (NIST 800-53 & 800-88 Security Controls)
      • If data leaves the customer’s 4 walls, the contractor must accept 100% liability for data security in a legally binding contract
      • OEMs specifically do not accept such liability in their contracts
      • Effectively, data must be destroyed within the 4 walls
  • Media destruction cannot occur unless 2 technically qualified individuals conduct the task (NIST MP-6(7) Media Sanitization - Dual Authorization)
  • A written cyber security framework and only working with certified vendors
      • NIST and ISO require vendors to be vetted and certified
White Paper | May 2020