facebook marketing

What is NIST 800-171 and how to stay compliant in 2023

NIST 800-172 2023 checklist

What is NIST 800-171 and how to stay compliant in 2023

Getting your Trinity Audio player ready...
Introduction

The US government requires any third parties, partners, and contractors that process, store, or transmit sensitive, unclassified government information on its behalf to be compliant with the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) cybersecurity standards. Examples of organizations that fall under this category are consultants, manufacturers, contractors for the Department of Defence, research institutions that get federal grants, universities, and service providers for government agencies.

NIST 800-171 standards are designed to protect sensitive information located on the IT systems and networks of federal contractors from unauthorized access. The standards were published in June 2015 by the National Institute of Standards and Technology (NIST) and have been updated over the years to tackle emerging cyber threats and ensure optimal protection and security of sensitive government information.

What is NIST 800-171

NIST 800-171 is a publication of the National Institute of Standards and Technology (NIST) that entails all the security practices and standards that are required of any organization that processes, stores, or transmits sensitive, unclassified information on the US government’s behalf.

Specifically, NIST 800-171 focuses on the protection of Controlled Unclassified Information (CUI) and works to safeguard confidential government information from getting into the wrong hands. Examples of this controlled, unclassified information include personal data, intellectual property, logistical plans, equipment specifications, and so on.

What is the Purpose of NIST 800-171

NIST 800-171 helps to define the practices of specific areas of cybersecurity controls that government contractors and subcontractors must adhere to when their networks handle CUI. The purpose of these standards is to ensure that no organization dealing with sensitive, unclassified government information sets vulnerable cybersecurity practices and procedures that may lead to a privacy breach.

By complying with the NIST 800-171 standards, government contractors and subcontractors will boost the resilience of the federal supply chain and safeguard Controlled Unclassified Information in the cyber space from cyberattacks.

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) refers to any sensitive information owned or created by the government but not classified. Such information should be safeguarded and disseminated with controls consistent with Government-wide policies because a breach of the data can potentially disrupt national security and cause economic disasters.

Examples of CUI are:

  • Personally Identifiable Information (PII) – such as social security number (SSN), passport number, taxpayer identification number, driver’s license number, etc.
  • Proprietary Business Information (PBI) – such as data about inventions, patent applications, prototypes or devices, intellectual property holdings or strategy, etc
  • Unclassified Controlled Technical Information (UCTI)
  • Sensitive but Unclassified (SBU)
  • For Official Use Only (FOUO)
  • Law Enforcement Sensitive (LES), and others.

What are the NIST 800-171 requirements used for CUI?

In total, the NIST 800-171 requirements used for CUI are 110 in number, and each of them tackles separate areas of an organization’s IT practices and procedures. These requirements cover areas such as access control, authentication procedures, and systems configuration. The requirements set the standards for cybersecurity procedures and as well incident response plans which help to effectively address network security incidents.

Each of the NIST 800-171 requirement work to strengthen different elements of the cyber network and collectively create a formidable defence against cybercriminals from accessing sensitive government information. They mitigate vulnerabilities and ensure that the organization’s staff, network, and systems are well prepared to adequately protect CUI.

14 Requirements Families of NIST 800-171

All the 110 NIST 800-171 security requirements are broadly divided into 14 families, with each family addressing specific cybersecurity topics and their practices. These 14 families work hand-in-hand to ensure the building of a resilient security system that protects CUI. The sectionalization of these requirements makes it easy for organizations to employ them and regularly assess their systems and networks for compliance.

The 14 requirement families of NIST 800-171 are:

1. Access Control

Access control requirements tackle access to networks, systems, and information. Under this family, there are 22 different requirements designed to help determine who has access to sensitive data and to keep unauthorized users restricted from the data. Also, access control requirements regulate the flow of sensitive information and protect it within the network, guiding network devices in the system.

2. Awareness and Training

The Awareness and Training family is governed by three requirements. Without proper awareness and training of the personnel in charge of the system, the cybersecurity system remains vulnerable, even if it’s built on the most robust technology. Awareness and Training requirements make managers, admins, and all others involved in the organization understand their duties towards preventing cyber threats and the risks related to these threats. Each individual understands what to do if there’s a data breach attempt and how to keep security at the top level.

3. Audit and Accountability

Nine requirements make up the Audit and Accountability family, which centres around auditing and reviewing the system and logged events. Routine auditing and accountability help to protect the system as it ensures that only the best policies and procedures are used at all times. This section also uncovers and mitigates potential cybersecurity incidents, keeping CUI out of the wrong hands.

4. Configuration Management

It’s essential to configure all the software, hardware, and devices on the organization’s network to meet the security requirements. Configuration management has nine requirements that help organizations ensure they are well configured to execute blacklisting, whitelisting, and the prevention of unauthorized installations and download of nonessential programs. This prevents any part of the system from being compromised or bringing in malicious software that can spy on the networks and systems.

5. Identification and Authentication

At any point, organizations handling CUI can determine the person using their devices and verify their identity before they gain total access to the system. There are 11 requirements in this family that ensure that every user gets authorized before accessing the system, and they also determine how much the person can access. The requirements encompass password and authentication procedures and policy, together with accurate identification of users.

6. Incident Response

Cyberattacks continuously evolve, and without adequate incident response, they may end up penetrating the system. There are three requirements that tackle incident response and put organizations steps ahead of attacks. These requirements help to detect and contain attacks before they penetrate the security. The incident response includes proper training of personnel, planning for an attack, as well as regular testing to determine the strength of the system. Security incidents will be documented and shared with the authorities to stay up-to-date with the current face of cyberattacks.

7. Maintenance

This family has to do with performing routine maintenance as it’s one of the ways to ensure the organization’s policies are up-to-date. The maintenance family has six requirements that provide insight into the most practical procedures for system and network maintenance. The requirements also help to replace outdated tools and techniques with recent, efficient ones, and that keeps the entire system completely secure.

8. Media Protection

Organizations must securely handle their external drives, backups, and backup equipment to achieve proper media protection. The media protection family features nine requirements that guide and control access to sensitive media. Following these requirements guarantee the best practice for the storage or destruction of sensitive data and media in either physical or digital formats.

9. Personnel Security

This family of requirements controls access to systems and networks by personnel, ensuring that everyone is screened ahead of time. Since personnel may be terminated or transferred over time, personnel security ensures that such personnel is restricted from their previous privilege, such as having access to CUI. Two requirements come under the personnel security family, and they work together to ensure the screening of individuals attempting to access the systems and the termination of access for personnel who are no longer part of the organization or have been transferred.

10. Physical Protection

As physical devices play a significant role in cybersecurity, the physical protection family of requirements regulates physical access to CUI in organizations. A compromise in physical access to CUI can be as detrimental as virtual access. This family has six security requirements that help to regulate the handling of hardware, devices, and equipment and limit them to authorized users. The requirements also control visitors’ access to the organization’s work sites and physical equipment to ensure they don’t breach privacy.

11. Risk Assessment

Two requirements fall in the risk assessment family of NIST 800-171, covering the analysis of systems’ performance and the strength of protection. Risk assessment. Organizations are required to regularly test and analyze systems for vulnerabilities and remediate them immediately. This helps to ensure that network devices and software are updated and maintain top security, thus effectively defending against cyber threats.

12. Security Assessment

Four requirements on the list deal with the monitoring, development, and renewal of system controls, as well as security plans. Organizations will assess their security and determine if there are any vulnerabilities in it. If any is detected, they immediately work towards blocking the loophole and strengthening protection. Doing this helps organizations set their systems to effectively tackle evolving cyber threats and determine loopholes before cybercriminals get to them.

13. System and Communications Protection

Communication is a core part of cybersecurity that need to be monitored, protected, and controlled. Whether internal or external communication, the transfer of information should be properly guided to prevent unintended transfers of sensitive information. Sixteen requirements make up the system and communication protection family, ensuring communication is executed as expected and with authorization. They also prevent the denial by default of network communication traffic and incorporate the best practice cryptography policies to protect sensitive government information.

14. System and Information

Lastly, seven requirements address continuous monitoring and protection of systems within the organization. The requirements help organizations identify, report, and correct system errors and restore normalcy as soon as possible. Also, they address the case of identifying and apprehending unauthorized access to information by users. Any unauthorized user who is caught assessing the system gets punished according to the laws governing the degree of invasion.

NIST 800-171 Compliance

All organizations that intend to deal with CUI must comply with NIST 800-171 before signing any contract or agreement with the US government. Without compliance, the US government will not deem such a contractor or subcontractor fit to handle CUI and will refuse to enter into an agreement.

NIST 800-171 compliance for defence contractors

Contractors that handle CUI as part of their duty for the Department of Defense (DoD) implement a points-based system to score their compliance with NIST 800-171. In this system, contractors conduct self-assessment of their cybersecurity against the 110 requirements as published in NIST 800-171. For every compliance to each requirement, they get one score and will get up to 110 if they fully comply with all the requirements. However, weighted penalty points (from -1 to -5) will be subtracted for every unimplemented or partially implemented requirement. In the end, the scores are recorded in the DoD’s Supplier Performance Risk System (SPRS) and are typically submitted before contract award or renewal.

Your NIST 800-171 Checklist & Best practices

Organizations looking to self-assess can follow the process below to scrutinize their security and determine the compliance level.

1. Together with senior information security stakeholders, create an assessment team that’d set an effective assessment plan, including the duration and objectives.

2. Begin an internal communication campaign to make employees aware of the project.

3. Create a contact list of individuals with relevant responsibilities, e.g., system administrators

4. Collect important documents, such as existing security policies, previous audit results and logs, system records and manuals, admin guidance documents, and system architecture documents.

5. Assess individual requirements in the NIST 800-171 publication and register a statement for each.

6. Create an action plan that illustrates how any unmet requirements will be met.

7. Include all the evidence for compliance in a System Security Plan (SSP) document

How To Prepare For a NIST 800-171 Assessment?

While NIST 800-171 self-assessment often seems complex for many organizations, following a step-by-step guide can help organizations prepare better and make the process a bit easier. To better prepare for your assessment, you need to do these five things.

1. Collect existing security practices and procedures.

2. Establish contact with key information security stakeholders.

3. Set the start and finish of the assessment.

4. Collect relevant material and previous audit results.

5. Communicate the project to all sectors of the organization.

Conclusion

If you’re looking to prepare for NIST 800-171 compliance, Computabilities can guide you through the complexities of the process and make your assessment a breeze. Reach out to us at 919-276-0282 or email [email protected].

Written By – Adam Pittman

5/5 - (2 votes)

Leave A Comment

All fields marked with an asterisk (*) are required

Marian Gatchalian

Service Development Representative

Marian Gatchalian is a dedicated Service Development Representative at Computerbilities. With a keen eye for detail and a passion for customer satisfaction, Marian plays a pivotal role in bridging the gap between clients and innovative IT solutions. Her expertise in understanding client needs and developing tailored service strategies has made her an invaluable asset to the Computerbilities team. Marian’s commitment to excellence and proactive approach ensures that every client receives top-notch support and services, driving the company’s mission of delivering reliable and cutting-edge IT solutions.

Eugene Matthew Uy

Customer Relationship Manager

Eugene Matthew Uy is a seasoned Customer Relationship Manager (CRM) with a passion for fostering strong client connections and driving business growth. Currently serving at Computerbilities, a leading technology solutions provider, Eugene excels in understanding client needs and delivering tailored solutions to enhance their experience.

With a background in customer service and relationship management, Eugene brings a wealth of experience to his role. His proactive approach and dedication to client satisfaction have earned him a reputation for building long-lasting partnerships. By leveraging his expertise in CRM systems and analytics, Eugene implements strategies to streamline communication channels, optimize processes, and anticipate client needs.

Pradeep Shetty

Sr. Accounting Specialist

Pradeep Shetty is a seasoned Senior Accounting Specialist at Computerbilities with a wealth of experience in financial management. With a keen eye for detail and a commitment to excellence, Pradeep ensures the smooth operation of financial processes within the organization. His expertise lies in budgeting, financial analysis, and compliance. Pradeep is known for his strong analytical skills and ability to provide strategic insights to drive business decisions. Dedicated to professional growth, he continuously seeks opportunities to enhance his knowledge and skills in accounting and finance. Pradeep is a valuable asset to the Computerbilities team, contributing to the company’s financial success with his expertise and dedication.

Sandilyan Muniswamy

Sr. Web Developer

Sandilyan Muniswamy is a seasoned Sr. Web Developer and Frontend Developer at Computerbilities with over a decade of experience in WordPress. His expertise lies in crafting dynamic and visually stunning websites, combining technical prowess with creative flair. Sandilyan’s proficiency extends across frontend development, ensuring seamless user experiences and captivating designs. With a passion for innovation, he constantly seeks out new trends and technologies to stay ahead of the curve. Sandilyan’s commitment to excellence and his depth of experience make him an invaluable asset to any web development project.

Bharat Parida

SEO Specialist

Bharat Parida is an adept SEO Specialist at Computerbilities, with extensive experience in optimizing web presence and driving online growth. Known for his ability to work both collaboratively and independently, Bharat continuously seeks to enhance his skills in the ever-evolving field of digital marketing. Passionate about new technologies and industry trends, he is dedicated to implementing innovative SEO strategies that increase visibility and engagement. Bharat is driven by the challenge of a competitive environment and is committed to contributing to the success of his team and company.

Sumit Rawat

System Administrator

Sumit Rawat is an experienced System Administrator at Computerbilities with several years in the IT industry. His core expertise includes Windows Server 2012, MS Exchange, Office 365 management, and network security. Sumit thrives in both team environments and solo projects, consistently seeking to enhance his skill set. Passionate about emerging technologies, he is continuously learning and exploring AWS, Azure, DevOps, and Python automation. Sumit is eager to contribute to a challenging and competitive environment that will allow him to further strengthen and expand his technical abilities.

Kapil Sirohi

IT Support Engineer

Kapil Sirohi is a skilled Network Engineer at Computerbilities, specializing in IT infrastructure management and security. He manages Symantec Antivirus servers, ensures network protection, and handles AD, DHCP, DNS, WDS, and WSUS services.

Kapil is proficient with Veeam for VM backup and restoration and excels in implementing AD roles, features, and group policies. He performs daily storage, log monitoring, server health checks, and critical service updates via WSUS.

His expertise includes resource monitoring, configuration management, and virtual machine creation and management. He administrates file servers, manages folder access, and handles user ID creation and deletion. Additionally, Kapil manages VM migrations, Hyper-V backups over SAN storage, server event logs, and resolves WDS and PXE boot issues.

 

Anju Pandey

Marketing Specialist

Anju Pandey is a seasoned business analyst with a robust track record in client relationships, business analysis, and relationship management for leading global technology companies. With four years of extensive experience across various sectors, including matrimony, education, and IT providers, Anju brings a wealth of knowledge and expertise to her role. Currently, she leverages her skills as a Marketing Specialist at Computerbilities, where she continues to drive impactful strategies and foster strong client connections.

Rolland Gomes

Operations Manager

Rolland Gomes is a seasoned Operations Manager with 19 years of dynamic experience in Delivery Excellence, Quality, and Process domains. With a robust background spanning BPO, Service Desks (ITES), and IT environments, Rolland brings a wealth of expertise to the table. Having spent over a decade in BPO and ITES sectors, he possesses an unparalleled understanding of BPO operations. Over the past 16 years, Rolland has been actively engaged with SaaS and Remote connection technologies, demonstrating his adaptability in the ever-evolving tech landscape.

Rolland is recognized for his strong analytical skills and unwavering commitment to enhancing organizational efficiency. As a dedicated team member, he prioritizes excellence and continually strives for improvement. Eager to contribute to organizational growth, Rolland is poised to join the leadership team at Computerbilities, where he aims to leverage his skills and knowledge to drive success and innovation.

Joseph Hobbins

Network Administrator

Joseph Hobbins is an experienced Network Administrator at Computerbilities with a demonstrated history of excellence in the information technology and services industry. He possesses a diverse skill set that includes HVAC, management, writing, network administration, and customer service. Joseph holds two Associate’s degrees from Wake Technical Community College, one in Information Technology and another in Heating and Air, Refrigeration Technology. His strong educational background and multifaceted expertise make him a valuable asset to the Computerbilities team.

Nitish Tiwari

Tech Lead

Nitish joined us in April 2021 as a Network Engineer. Nitish was brought up in Chandigarh, India but is originally from Uttarakhand, India. He previously worked as a System Administrator for SankalpIT and Technospecs Technologies and provided remote technical support to the US, UK, Australia MSPs. Nitish has experience with Backup, Antivirus, and RMM Technologies. He has a strong engineering background in Information Technologies and enjoys technical challenges while enhancing his knowledge to the next level. In his spare time, Nitish enjoys fitness and traveling (especially to the Himalayas mountains). A fun fact about Nitish is that he likes to listen to Romantic Songs and watching Web Series Thriller Movies. One of his favorites being “Money Heist.”

Chase Pittman

Technician

Chase Pittman joined Computerbilities in January 2018 as a Computer Support Technician. Chase was previously employed with Bon Appetit as a Chef for the SAS main campus in Cary, NC. He found himself wanting more of a career and took the opportunity to get into the IT Industry as a Computer Support Technician. Chase is now successfully continuing his education with CompTIA certifications and will continue to educate himself with other IT certifications as his career progresses. When not working, he has a passion for music and art and mechanically modifying vehicles. Chase is eager to advance his IT career and provide quality services for the Computerbilities client base.

Joel Stalcup

System Administrator

Joel Stalcup has been fascinated by computers since the first Apple became available to his family in the early 80’s. During his tenure in the Army, Joel worked with Logistics Clerks that utilized computer, satellite, and network equipment. With the high demand of IT issues in his office, Joel used his personal knowledge and the direction from the S6 communication IT support to resolve small network problems, mass software installation and upgrades, and printer issues. Due to injuries, Joel was medically retired from the Army after serving ten years’ active duty. After deciding to go to college for Information Technology Industry, Joel attended ITT Technical Institution in Durham, NC and received an Associate Degree in Network System Administrator. Currently he is pursuing additional Information Security education. In the summer of 2016 Joel began working at Computerbilities as a Network Engineer and Help Desk Support. Joel is married to Kristina Anzaldua-Stalcup, who is his support system and best friend and the father of five beautiful and intelligent children, three sons and two daughters.

Mark Mahar

Lead Engineer

Mark Mahar has been with Computerbilities since 2011. He graduated from ECPI University in Raleigh where he studied IT/Network Security, but his interest in computers started much earlier in his life. Mark grew up watching his mother work on computers for Cisco, and it was watching and helping her with different projects that first sparked his love for technology. Mark has training in all aspects of IT and help desk, such as: hardware replacement, active directory, servers, MS operating systems, routing & switching and cabling. When he isn’t working on computers, Mark loves to travel and spend time with his kids.

Adam Pittman

President

Adam Pittman is President of Computerbilities, Inc. and is a veteran Computer Technician and Network Engineer with more than 35 years of experience in the computer industry. Adam has worked with local and federal government agencies and with more than 2000 businesses in more than 100 industries, including companies such as Boeing, General Dynamics and the National Institute of Environmental Health Sciences. In 2006, Adam was the recipient of the Businessman of the Year award and received the Secretary of Defense Patriotic Employer Award in 2017. Computerbilities was named Best of Business Raleigh Business Services in 2013. In his spare time, Adam is passionate about Sailing and has sailed the British and U. S. Virgin Islands more than a dozen times.

Book a Discovery Call


I am wanting to discuss...