The US government requires any third parties, partners, and contractors that process, store, or transmit sensitive, unclassified government information on its behalf to comply with the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) cybersecurity standards. Examples of organizations that fall under this category are consultants, manufacturers, contractors for the Department of Defense, research institutions that receive federal grants, universities, and service providers for government agencies.
NIST 800-171 standards are designed to protect sensitive information located on the IT systems and networks of federal contractors from unauthorized access. The standards were published in June 2015 by the National Institute of Standards and Technology (NIST) and have been updated over the years to tackle emerging cyber threats and ensure optimal protection and security of sensitive government information.
What is NIST 800-171
NIST 800-171 is a publication of the National Institute of Standards and Technology (NIST) that sets out the security practices and standards required of any organization that processes, stores, or transmits sensitive, unclassified information on the US government’s behalf.
Specifically, NIST 800-171 focuses on the protection of Controlled Unclassified Information (CUI) and works to safeguard confidential government information from getting into the wrong hands. Examples of this controlled, unclassified information include personal data, intellectual property, logistical plans, equipment specifications, and so on.
What is the Purpose of NIST 800-171
NIST 800-171 defines the practices in specific areas of cybersecurity controls that government contractors and subcontractors must adhere to when their networks handle CUI. The purpose of these standards is to ensure that no organization dealing with sensitive, unclassified government information adopts vulnerable cybersecurity practices and procedures that may lead to a privacy breach.
By complying with the NIST 800-171 standards, government contractors and subcontractors boost the resilience of the federal supply chain and safeguard Controlled Unclassified Information in cyberspace from cyberattacks.
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) refers to any sensitive information owned or created by the government but not classified. Such information should be safeguarded and disseminated with controls consistent with Government-wide policies because a breach of the data can potentially disrupt national security and cause economic disasters.
Examples of CUI are:
- Personally Identifiable Information (PII) – such as social security number (SSN), passport number, taxpayer identification number, driver’s license number, etc.
- Proprietary Business Information (PBI) – such as data about inventions, patent applications, prototypes or devices, intellectual property holdings or strategy, etc.
- Unclassified Controlled Technical Information (UCTI)
- Sensitive but Unclassified (SBU)
- For Official Use Only (FOUO)
- Law Enforcement Sensitive (LES), and others
What are the NIST 800-171 requirements used for CUI?
In total, there are 110 NIST 800-171 requirements for CUI, and each of them tackles a separate area of an organization’s IT practices and procedures. These requirements cover areas such as access control, authentication procedures, and system configuration. They set the standards for cybersecurity procedures as well as for incident response plans, which help to effectively address network security incidents.
Each NIST 800-171 requirement strengthens a different element of the network, and collectively they create a formidable defence that keeps cybercriminals from accessing sensitive government information. They mitigate vulnerabilities and ensure that the organization’s staff, network, and systems are well prepared to adequately protect CUI.
14 Requirements Families of NIST 800-171
All 110 NIST 800-171 security requirements are broadly divided into 14 families, with each family addressing a specific cybersecurity topic and its practices. These 14 families work hand-in-hand to build a resilient security system that protects CUI. Grouping the requirements this way makes it easier for organizations to implement them and to regularly assess their systems and networks for compliance.
The 14 requirement families of NIST 800-171 are:
1. Access Control
Access control requirements govern access to networks, systems, and information. Under this family, there are 22 different requirements designed to determine who has access to sensitive data and to keep unauthorized users away from it. Access control requirements also regulate the flow of sensitive information within the network and govern how network devices handle it.
2. Awareness and Training
The Awareness and Training family consists of three requirements. Without proper awareness and training of the personnel in charge of the system, the security program remains vulnerable, even if it is built on the most robust technology. Awareness and Training requirements make managers, administrators, and everyone else in the organization understand their duties in preventing cyber threats and the risks associated with those threats. Each individual understands what to do if there is an attempted data breach and how to keep security at the highest level.
3. Audit and Accountability
Nine requirements make up the Audit and Accountability family, which centres on auditing and reviewing the system and its logged events. Routine auditing and accountability help to protect the system by ensuring that only sound policies and procedures are in use at all times. This family also helps uncover and mitigate potential cybersecurity incidents, keeping CUI out of the wrong hands.
4. Configuration Management
It is essential to configure all the software, hardware, and devices on the organization’s network to meet the security requirements. Configuration Management has nine requirements that help organizations ensure their systems are configured to enforce blacklisting and whitelisting and to prevent unauthorized installation and download of non-essential programs. This prevents any part of the system from being compromised or from introducing malicious software that can spy on the networks and systems.
5. Identification and Authentication
At any point, organizations handling CUI must be able to determine who is using their devices and verify that person’s identity before granting full access to the system. The 11 requirements in this family ensure that every user is authorized before accessing the system and determine how much that person can access. The requirements cover password and authentication procedures and policy, together with accurate identification of users.
6. Incident Response
Cyberattacks continuously evolve, and without adequate incident response they may end up penetrating the system. Three requirements address incident response and put organizations steps ahead of attacks. These requirements help to detect and contain attacks before they breach the system’s defences. Incident response includes proper training of personnel, planning for an attack, and regular testing to determine the strength of the system. Security incidents are documented and reported to the relevant authorities so that the organization stays current with the evolving threat landscape.
7. Maintenance
This family covers routine maintenance, which is one of the ways to keep the organization’s systems and policies up to date. The Maintenance family has six requirements that provide guidance on practical procedures for system and network maintenance. The requirements also help to replace outdated tools and techniques with current, efficient ones, which keeps the entire system secure.
8. Media Protection
Organizations must securely handle their external drives, backups, and backup equipment to achieve proper media protection. The Media Protection family features nine requirements that guide and control access to sensitive media. Following these requirements ensures best practice for the storage or destruction of sensitive data and media in either physical or digital form.
9. Personnel Security
This family of requirements controls personnel access to systems and networks, ensuring that everyone is screened ahead of time. Since personnel may be terminated or transferred over time, personnel security ensures that such individuals lose their previous privileges, such as access to CUI. Two requirements fall under the Personnel Security family, and together they cover the screening of individuals who will access the systems and the termination of access for personnel who have left the organization or been transferred.
10. Physical Protection
Because physical devices play a significant role in cybersecurity, the Physical Protection family of requirements regulates physical access to CUI within organizations. A compromise of physical access to CUI can be as damaging as a compromise of logical access. This family has six security requirements that regulate the handling of hardware, devices, and equipment and limit them to authorized users. The requirements also control visitors’ access to the organization’s work sites and physical equipment to ensure they do not breach privacy.
11. Risk Assessment
Two requirements fall under the Risk Assessment family of NIST 800-171, covering the analysis of systems’ performance and the strength of their protection. Organizations are required to regularly test and analyze systems for vulnerabilities and remediate them promptly. This ensures that network devices and software are kept updated and maintain a high level of security, effectively defending against cyber threats.
12. Security Assessment
Four requirements deal with the monitoring, development, and renewal of system controls and security plans. Organizations assess their security posture and determine whether it has any vulnerabilities. If any are detected, they work immediately to close the loophole and strengthen protection. Doing this helps organizations prepare their systems to tackle evolving cyber threats and find loopholes before cybercriminals do.
13. System and Communications Protection
Communication is a core part of cybersecurity that needs to be monitored, protected, and controlled. Whether internal or external, the transfer of information should be properly governed to prevent unintended transfers of sensitive information. Sixteen requirements make up the System and Communications Protection family, ensuring that communication is carried out as expected and with authorization. They also cover the deny-by-default handling of network communications traffic and incorporate best-practice cryptography policies to protect sensitive government information.
14. System and Information Integrity
Lastly, seven requirements address continuous monitoring and protection of systems within the organization. The requirements help organizations identify, report, and correct system flaws and restore normal operation as soon as possible. They also address the identification and handling of unauthorized access to information by users. Any unauthorized user who is caught accessing the system is punished according to the laws governing the degree of intrusion.
NIST 800-171 Compliance
All organizations that intend to handle CUI must comply with NIST 800-171 before signing any contract or agreement with the US government. Without compliance, the US government will not deem such a contractor or subcontractor fit to handle CUI and will refuse to enter into an agreement.
NIST 800-171 compliance for defence contractors
Contractors that handle CUI as part of their work for the Department of Defense (DoD) use a points-based system to score their compliance with NIST 800-171. In this system, contractors conduct a self-assessment of their cybersecurity against the 110 requirements published in NIST 800-171. They receive one point for each requirement they comply with, for a maximum of 110 if they fully comply with all of them. However, weighted penalty points (from -1 to -5) are subtracted for every unimplemented or partially implemented requirement. The resulting score is recorded in the DoD’s Supplier Performance Risk System (SPRS) and is typically submitted before contract award or renewal.
Your NIST 800-171 Checklist & Best practices
Organizations looking to self-assess can follow the process below to scrutinize their security and determine their level of compliance.
1. Together with senior information security stakeholders, create an assessment team that will set an effective assessment plan, including the duration and objectives.
2. Begin an internal communication campaign to make employees aware of the project.
3. Create a contact list of individuals with relevant responsibilities, e.g., system administrators.
4. Collect important documents, such as existing security policies, previous audit results and logs, system records and manuals, administrator guidance documents, and system architecture documents.
5. Assess each individual requirement in the NIST 800-171 publication and record a statement for each.
6. Create an action plan that describes how any unmet requirements will be met.
7. Include all the evidence of compliance in a System Security Plan (SSP) document.
How To Prepare For a NIST 800-171 Assessment?
While NIST 800-171 self-assessment often seems complex to many organizations, following a step-by-step guide can help them prepare better and make the process easier. To better prepare for your assessment, you need to do these five things.
1. Collect existing security practices and procedures.
2. Establish contact with key information security stakeholders.
3. Set the start and finish of the assessment.
4. Collect relevant material and previous audit results.
5. Communicate the project to all sectors of the organization.
If you’re looking to prepare for NIST 800-171 compliance, Computabilities can guide you through the complexities of the process and make your assessment a breeze. Reach out to us at 919-276-0282 or email [email protected].
Written By – Adam Pittman