Case Study
Construction & Engineering Industry
Gap Assessment and NIST SP 800-171 Action Plan for a Hawaii-based Engineering Firm
A Hawaii-based engineering company, involved in critical infrastructure projects for the State of Hawaii and the Department of Defense, faced increased compliance demands. To continue its participation in awarded contracts, the company needed to meet the NIST SP 800-171 requirements and submit its self-assessment score to the Supplier Performance Risk System (SPRS) through the Procurement Integrated Enterprise Environment (PIEE).
To achieve this, the company required a comprehensive plan of action and milestones (POA&M) and a detailed system security plan (SSP). These documents needed to outline a clear roadmap for deploying adequate controls, ensuring proper governance, and implementing these controls across the organization. The goal was to demonstrate sustainable compliance and accountability to the Contracting Officers overseeing their projects.
The Challenge
The company collects and maintains Controlled Unclassified Information (CUI). CUI is information that, while not classified, requires safeguarding and specific handling controls under applicable laws, regulations, and government-wide policies to prevent unauthorized access and dissemination. Examples include export-controlled technical data, critical infrastructure information, operations security details, and non-public personnel records. Although unclassified, mishandling this information can harm national security.
Protecting CUI is the responsibility of the Prime Contractor. If a breach occurs, or if a subcontractor under the Prime’s employ experiences a breach, it can preclude the Prime from participating in future projects. As the Prime brings in more personnel and more subcontractors, the potential risk of mishandling CUI increases, along with the risk of jeopardizing current and future contracts.
The company already had an active compliance program. Implementation, however, had been a challenge, and the company wanted clear, confident guidance to complete the program and demonstrate both its commitment to, and its capability of, meeting the NIST SP 800-171 requirements stated in its contracts. To achieve these goals, the company enlisted Cypac's expertise to craft a roadmap for establishing the necessary controls and implementing them as soon as possible.
The Solution
The client urgently required an aggressive implementation timeline to receive payment and be awarded several Federal contracts. To help achieve this goal, Cypac collaborated closely with the client’s IT and management teams to assess the company's core business, IT infrastructure, and employee practices against the stringent requirements of the NIST SP 800-171 framework.
Our team conducted a comprehensive network assessment to inventory assets and identify vulnerabilities across client sites and external attack surfaces, including web services, job sites, and remote workers. We interviewed key stakeholders to identify activities that process CUI, documenting the client’s collection, storage, and access practices. We also worked with IT to review least privilege access policies, ensuring that only appropriate employees and subcontractors had access to necessary files and data.
An in-depth assessment process followed, evaluating each NIST SP 800-171 requirement to determine compliance. For requirements already met, we documented the specifics of how they were satisfied. For unmet requirements, we developed an implementation plan and timeline based on our experience. Clients often struggle at this stage because a simple yes/no evaluation is insufficient: it tells them where they stand but not how to close the gaps. The client's previous consultant had provided exactly such a pass/fail evaluation, without the guidance or documentation needed to achieve compliance.
To overcome this common hurdle, we provided a detailed, easy-to-understand action plan with implementation deadlines for each requirement. This was consolidated into a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) document, demonstrating the organization's commitment to compliance to the Contracting Officer.
The assessment process, step-by-step implementation plans, and document generation were completed in 2-3 in-person sessions using Cypac’s proprietary software, developed in-house to solve this unique problem for clients. The software stores assessments for review, comparison, and re-assessment and allows clients to monitor their progress at any time.
A critical piece of information for the client was its Supplier Performance Risk System (SPRS) score. Under the DoD Assessment Methodology, the score starts at 110 (one point per NIST SP 800-171 requirement) and each unimplemented requirement subtracts 1, 3, or 5 points depending on its weight, down to a floor of -203. Because the highest-weighted requirements are the ones most often missing at the start of an engagement, a negative score is common at the beginning of an assessment.
If the awarded contract requires it, the self-assessed score must be submitted to SPRS through the Procurement Integrated Enterprise Environment (PIEE) website to continue participation. A poor or negative score may affect the organization's ability to continue working on the contract or to be awarded future contracts.
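The scoring rule above is easy to apply to a POA&M by hand, but it is worth seeing how the weights and the two partial-credit cases combine, and how to order remediation so the score recovers fastest. The following Python is an added example, not Cypac's software or any part of the original case study. The scoring constants (110 maximum, -203 floor, 1/3/5 weights, reduced 3-point deduction for partially implemented multifactor authentication (3.5.3) and non-FIPS-validated encryption (3.13.11), and the rule that an assessment without an SSP (3.12.4) cannot be scored) come from the DoD Assessment Methodology; the sample POA&M and the per-requirement weights in it are constructed for illustration, and a practitioner must take the authoritative weights from the methodology's scoring table.

```python
from dataclasses import dataclass

MAX_SCORE = 110    # one point per NIST SP 800-171 Rev. 2 requirement
MIN_SCORE = -203   # floor when every weighted requirement is unimplemented

# Requirements that earn a reduced (3-point) deduction when partially implemented:
# 3.5.3  - MFA in place for remote and privileged access but not for general users
# 3.13.11 - encryption in use but not FIPS-validated
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Finding:
    """One open POA&M item: a requirement that is not (fully) implemented."""
    req_id: str            # e.g. "3.1.1"
    weight: int            # 1, 3 or 5 per the DoD Assessment Methodology
    partial: bool = False  # only meaningful for the two PARTIAL_CREDIT requirements


def deduction(f: Finding) -> int:
    """Points subtracted from 110 for a single open finding."""
    if f.weight not in (1, 3, 5):
        raise ValueError(f"{f.req_id}: weight must be 1, 3 or 5, got {f.weight}")
    if f.partial:
        if f.req_id not in PARTIAL_CREDIT:
            raise ValueError(f"{f.req_id}: partial credit applies only to 3.5.3 and 3.13.11")
        return PARTIAL_CREDIT[f.req_id]
    return f.weight


def sprs_score(open_findings, ssp_exists=True) -> int:
    """Compute the NIST SP 800-171 self-assessment score from the open POA&M items."""
    if not ssp_exists:
        # 3.12.4: without a System Security Plan the assessment cannot be completed.
        raise ValueError("no SSP: assessment cannot be scored")
    ids = [f.req_id for f in open_findings]
    if len(ids) != len(set(ids)):
        raise ValueError("POA&M lists the same requirement more than once")
    score = MAX_SCORE - sum(deduction(f) for f in open_findings)
    if score < MIN_SCORE:
        raise ValueError("deductions exceed the methodology's floor; check the weights")
    return score


def _numeric_id(req_id: str):
    return tuple(int(part) for part in req_id.split("."))


def remediation_order(open_findings):
    """Requirement IDs ordered so that closing them raises the score fastest."""
    return [f.req_id for f in sorted(open_findings,
                                     key=lambda f: (-deduction(f), _numeric_id(f.req_id)))]


def constructed_initial_poam():
    # Constructed sample POA&M for illustration; not the client's findings, and the
    # weights are illustrative (assumption) rather than copied from the official table.
    return [
        Finding("3.1.1", 5), Finding("3.1.2", 5), Finding("3.1.3", 1),
        Finding("3.1.19", 3), Finding("3.3.1", 5), Finding("3.3.2", 3),
        Finding("3.4.1", 5), Finding("3.5.3", 5, partial=True),
        Finding("3.8.1", 3), Finding("3.13.11", 5, partial=True),
        Finding("3.14.1", 5), Finding("3.14.2", 5),
    ]


if __name__ == "__main__":
    poam = constructed_initial_poam()
    print("initial score:", sprs_score(poam))
    print("work these first:", remediation_order(poam)[:4])
    # After closing everything but two low-weight items the score recovers to 106.
    remaining = [Finding("3.1.3", 1), Finding("3.3.2", 3)]
    print("after remediation:", sprs_score(remaining))
```

The ordering step is the practical point: a POA&M that closes a dozen 1-point items first barely moves the score, while each fully unimplemented 5-point requirement (identification, access control, audit, flaw remediation) recovers five points on its own, and the two partial-credit requirements recover only two more points each once the last piece (MFA for general users, a FIPS-validated module) is in place.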
The Impact
The activities carried out by Cypac provided valuable insights into what the client needed to do to achieve compliance and continue participating in Federal work. This transparency allowed the client to pinpoint potential risks related to employee activities, core business operations, and privacy regulations.
With this comprehensive understanding, we helped the client establish detailed privacy controls, policies, standard operating procedures (SOPs), and an employee security awareness training program. Additionally, we modernized their infrastructure to enhance security by implementing proper endpoint security, content filtering, 24x7 Security Operations Center (SOC) live protection, system management, data backup services, and end-user support. These measures ensure that the safeguards and infrastructure investments remain functional and enforced. This comprehensive solution now forms the foundation of a robust compliance program that addresses current regulatory requirements and proactively meets new privacy regulations. Throughout the process, we worked as a trusted partner, collaborating closely with the client to accomplish these tasks within an aggressive timetable.
After implementation, we re-assessed the client using the NIST 800-171 framework and generated an updated SPRS score for submission. The score improved from a deeply negative value to an almost perfect, positive SPRS score, much to the client’s relief. Seeing our collaborative efforts result in tangible outcomes that benefit our clients and ensure their adherence to privacy regulations is always rewarding.