Monday, February 19, 2018

Federal Standard Should Be Implemented Across All Industries

Becoming a Department of Defense (DoD) contractor is no easy task. While your organization may be great at what it does, there are hundreds, if not thousands, of other organizations vying for the same contracts. Thankfully, the DoD has developed a simple strategy for pruning the field of viable contractors to a reasonable number. That strategy is called DFARS.  
DFARS stands for Defense Federal Acquisition Regulation Supplement. Put simply, DFARS is a government regulation that requires DoD government officials and their associated contractors to follow Department of Defense-specific acquisition regulations when procuring goods and services.  
While DFARS is lengthy on its own, the driving force causing so many contractors to scramble is the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 standard. This standard provides guidance on protecting Controlled Unclassified Information (CUI) in nonfederal information systems and organizations. By December 31, 2017, any DoD contractors forced to adhere to DFARS must also comply with the security requirements outlined in the NIST SP 800-171 standard.  
As DoD contractors rush to implement NIST’s standard and submit any necessary paperwork to the DoD before the end of 2017, other industries should be taking notice. While the NIST SP 800-171 standard was developed for nonfederal information systems, it serves as a well-structured, fundamental framework for securing information systems across most, if not all, industries.  
The SP 800-171 standard requires organizations to implement basic security controls, such as password and automatic screen-lock policies, as well as more advanced controls, such as multi-factor authentication for network and local access to information systems. While some security requirements may be overkill for most organizations, much of the SP 800-171 standard should serve as a guiding light for any organization that values the confidentiality, integrity, and availability of its information systems, its data, and its clients’ data. 
Since most regulatory standards fail to require organizations to implement the administrative, physical, and technical controls that make up a solid information technology and cybersecurity foundation, we often base our assessments on the SP 800-171 security requirements, in addition to the requirements of whichever regulatory standard we are assessing against. This allows us to provide our clients with the information, guidance, and skills required to keep their overall security posture strong, despite the constantly changing threat landscape. 
To all the DoD contractors out there, I know it is no easy task to comply with everything the government can throw at you. To all other organizations, especially those that have never conducted an assessment, I recommend reviewing the SP 800-171 standard and conducting a risk assessment. A well-conducted risk assessment can be an eye-opening experience and will allow you to further enhance your overall security posture, thus helping to ensure continued regulatory compliance.
