Stephane Nappo once said, “it takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.”
Some organizations, unfortunately, understand this to be true, as do some countries—including America. Just a few years ago, the United States suffered what is regarded as one of the worst cyber-espionage incidents ever, and security to protect the information flowing in and around our government bodies remains a large concern.
But that’s not to say steps haven’t been taken over the years to create security standards to protect our government and its dealings. NIST Special Publication 800-171 is one such step, a document that sets a high standard for protecting sensitive information that federal contractors must handle in their work with the government.
If you’re a federal contractor whose networks and IT systems involve this sort of data, you may need to be compliant with this framework. In this article, we’ll explore some of the different requirements and how you can get started with your compliance, as well as the relationship of this publication to other important compliance initiatives like FedRAMP or CMMC.
You’ll recognize if your organization needs to look into this further and if so, you’ll have a leg up on the requirements and where to begin.
Do You Need to Comply with NIST 800-171?
NIST SP 800-171 was born to help secure the range of external service providers American governmental departments rely on to operate, as many of these essential services result in the processing and storage of sensitive information.
More specifically, NIST SP 800-171 defines security requirements for protecting Controlled Unclassified Information (CUI) created or possessed by non-federal entities.
What is CUI?
Simply put, CUI is any non-public executive agency information, but here’s how you might determine whether the data in your charge qualifies as such. CUI is:
- Any data whose public release (or unauthorized disclosure) would negatively impact the agency of origin, including if aggregated with additional information.
- Prominently identified with specific markings:
  - “CUI” will appear in document headers and footers.
  - A CUI designation indicator will also be included that specifies the organization that controls the information, any specific CUI designation that the information may fall into, dissemination specifications, and a point of contact for the information.
  - See further detail concerning CUI markings.
Those likely to handle CUI, and therefore likely to need to adhere to NIST 800-171 standards, include:
- Defense contractors
- Systems integration service providers
- Financial, web, or communication service providers to the federal government
- Healthcare information processors
- Colleges, universities, or institutes that receive federal data or grants
These types of organizations that handle CUI in their relationship with the government—whether they’re prime contractors or subcontractors—must comply with the NIST SP 800-171 requirements, as should those hoping to do this kind of work.
What are the Requirements of NIST SP 800-171?
So, for those of you who this affects, what are these requirements?
NIST 800-171 features 110 requirements that are helpfully organized into 14 general security topics, or families. These families are broken out as follows:
- Access Control: To safeguard access to networks, systems, and information.
- Awareness and Training: To ensure relevant personnel are aware of and trained on cybersecurity risks and procedures.
- Audit and Accountability: To protect the storage of audit records for future analysis and reporting, including regular reviews of system security logs.
- Configuration Management: To confirm adequate installation and configuration of hardware, software, and devices within the relevant network.
- Identification and Authentication: To distinguish privileged and non-privileged accounts and ensure authentication procedures and policies are in place so that only authenticated users can access the network or systems.
- Incident Response: To verify there are response procedures in place in the event of a serious cybersecurity incident.
- Maintenance: To ensure relevant systems receive maintenance that is protected and based on best practices.
- Media Protection: To help control access to sensitive media in both physical and digital formats.
- Personnel Security: To safeguard CUI through security screenings of individuals before they access systems that contain CUI, and adequate employee transfer/termination procedures where CUI is relevant.
- Physical Protection: To control physical access to CUI, including work sites, hardware, devices, and equipment, which must be limited to authorized personnel.
- Risk Assessment: To ensure the regular performance of risk assessments that reveal vulnerabilities.
- Security Assessment: To validate that security plans are continuously monitored and further developed so that systems are regularly improved and remain effective.
- System and Communications Protection: To protect systems and the transmission of information, including through cryptography policies that protect CUI, among other measures.
- System and Information Integrity: To monitor the ongoing protection of systems using security alerts that aid in preventing unauthorized use of systems.
These 110 basic and derived requirements map back loosely to NIST SP 800-53 controls and control enhancements. Though NIST SP 800-53 controls are much more prescriptive than the NIST SP 800-171 security requirements, they can help provide a better understanding of what controls will meet these requirements.
NIST SP 800-171 and FedRAMP
While it is possible to be assessed against the 800-171 framework itself, this publication ties in closely with other, more prominent government compliance initiatives, including FedRAMP.
As noted above, the NIST SP 800-171 requirements are a subset (about 35%) of the overall NIST SP 800-53 controls that are required for FedRAMP, which is a necessity for any cloud service provider (CSP) seeking to provide cloud services to government agencies.
- If your cloud service is an IaaS, PaaS, or SaaS and you’re doing business with the federal government, you need to be FedRAMP Authorized regardless of the classification of data your systems/service facilitates.
- If you—not the government—operate the system that contains/uses CUI for the federal government, you’re subject to NIST SP 800-171 requirements.
- If you’re a contractor with the Department of Defense (DoD) specifically, you’re required to comply with these requirements as mandated in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.
NIST SP 800-171 and CMMC
Even given all that, NIST SP 800-171 has recently risen to further prominence because of its relevance to the new Cybersecurity Maturity Model Certification (CMMC), which has been developed to protect the particularly sensitive information—aka CUI—within the United States Defense Industrial Base (DIB).
Though it will be a new compliance requirement, the basis for CMMC is not “brand new”—this certification pulls from many existing sources, including NIST SP 800-171, to create a centralized and comprehensive framework for defense contractors. Before CMMC, compliance with NIST SP 800-171 allowed a simple self-assessment to suffice—you could develop the required System Security Plan, and deficiencies against individual requirements were allowed so long as you had a plan of action to remedy them.
That might’ve been enough to claim compliance with the publication, but CMMC is different, and that might no longer be enough. Depending on which of the different levels of compliance you choose to certify against, you may also need to be evaluated by a certified third-party assessment organization (C3PAO).
Is Your Organization Compliant?
Though perhaps not the most well-known publication from NIST, the importance of SP 800-171 and its requirements is growing thanks to the upcoming codification of CMMC that many organizations continue to prepare for. Now that you understand its areas of concern—including the type of data and the requirement families—you’re in good shape should you need to get started with compliance.
Performing a gap assessment of your current information security program can further assist in determining how what you have in place aligns with the NIST SP 800-171 security requirements. But if you still have some questions about this publication—or any of the other prominent ones from NIST—please feel free to reach out to us. Our team of experts is well-versed in the many, many details involved in government compliance and would love to help you ease any concerns you may have.
About the author: Stephen Halbrook.