If you’ve often asked, “what is NIST 800-171 and how does it apply to my organization?”, this NIST 800-171 compliance checklist will provide the answers. Here we identify the 14 main areas of focus within NIST SP 800-171, provide you with an 8-step process to achieve NIST compliance, and share 8 best practices when preparing for an audit. Combined, this makes up our NIST 800-171 compliance checklist.
NIST 800-171 was created to help government contractors and subcontractors minimize their cybersecurity risk, protect their networks, and secure controlled unclassified information (CUI). But NIST compliance requirements are complex, and there’s a lot of information out there on how to become compliant. This checklist should help clear up the misinformation.
The NIST 800-171 Compliance Checklist
The National Institute of Standards and Technology (NIST) first published Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” in 2015 and has revised it since. It lays out the security requirements a nonfederal organization must implement to protect CUI from unauthorized disclosure when that information is stored, processed, or transmitted on its systems.
The first step toward completing the NIST 800-171 compliance checklist is understanding the 14 security families mentioned in NIST SP 800-171 and the purpose of each of these main focus areas when it comes to protecting CUI.
1. Access Control
Restrict access to CUI, and to each part of your network, to authorized users, processes, and devices, and limit those users to the transactions and functions their role requires. Limit the number of unsuccessful logon attempts each account gets so an attacker cannot brute-force credentials, and terminate sessions automatically after a defined period of inactivity or when other defined conditions are met.
2. Awareness and Training
To handle the human side of things, your organization needs an awareness and training program. A big part of cybersecurity revolves around the users. Ensure your staff knows the cybersecurity risks associated with their roles, how to mitigate them as they use devices on the network, and how to recognize and report indicators of insider threat and social engineering.
3. Audit and Accountability
When a security event occurs, you will need to reconstruct what happened and hold individual users accountable for their actions. That requires a consistent audit and accountability function: create, protect, review, and retain system-level audit logs and records with enough detail to trace each action to the user who performed it. Create an alert in case the audit logging process fails, because a silent logger leaves you with no evidence when you need it most.
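The two requirements above (limit unsuccessful logon attempts under Access Control, alert on audit logging failure under Audit and Accountability) are the kind of thing an assessor will ask you to demonstrate with evidence rather than policy text. The following script is an added example written for this article, not code from NIST or from any product mentioned here. It runs two checks over constructed, sshd-style auth log lines (sample data, not real captures): it finds accounts whose failed logons exceed an assumed threshold of 3 within an assumed 10-minute window, notes when a later successful logon shows that no lockout was actually enforced, and flags stretches of silence in the log that, on a host which normally logs continuously, suggest the logging process stopped. The thresholds, the log format and the hostnames are assumptions for illustration.

```python
"""Added example (not from the original article or from NIST): evidence
checks for two NIST SP 800-171 requirements, run over constructed log data.

  3.1.8  Limit unsuccessful logon attempts.
  3.3.4  Alert in the event of an audit logging process failure.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in the style of Linux sshd auth logging.
# Not a real capture; hosts and addresses are documentation/test values.
SAMPLE_AUTH_LOG = """\
2024-03-01T09:00:01 host1 sshd[1201]: Failed password for alice from 203.0.113.5 port 50122 ssh2
2024-03-01T09:00:04 host1 sshd[1201]: Failed password for alice from 203.0.113.5 port 50122 ssh2
2024-03-01T09:00:07 host1 sshd[1201]: Failed password for alice from 203.0.113.5 port 50122 ssh2
2024-03-01T09:00:10 host1 sshd[1201]: Failed password for alice from 203.0.113.5 port 50122 ssh2
2024-03-01T09:00:13 host1 sshd[1201]: Failed password for alice from 203.0.113.5 port 50122 ssh2
2024-03-01T09:00:16 host1 sshd[1201]: Accepted password for alice from 203.0.113.5 port 50122 ssh2
2024-03-01T09:05:00 host1 sshd[1300]: Failed password for bob from 198.51.100.7 port 41000 ssh2
2024-03-01T09:20:00 host1 sshd[1310]: Failed password for invalid user bob from 198.51.100.7 port 41001 ssh2
2024-03-01T09:21:00 host1 sshd[1320]: Accepted publickey for carol from 192.0.2.9 port 40000 ssh2
"""

# Matches the subset of sshd messages we care about; "invalid user" is
# optional because sshd inserts it for accounts that do not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth_log(text):
    """Turn raw log text into a list of event dicts, skipping lines we
    do not understand rather than guessing at them."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def failed_logon_findings(events, max_failed=3, window=timedelta(minutes=10)):
    """3.1.8 check. Returns {user: finding} for every account whose failed
    logons exceed `max_failed` inside a sliding `window`. If a successful
    logon follows while the account should have been locked out, the
    finding records that the control was not enforced (assumed thresholds)."""
    recent = defaultdict(list)      # user -> timestamps of recent failures
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["result"] == "Failed":
            recent[user].append(ev["ts"])
            # Drop failures that have aged out of the window.
            recent[user] = [t for t in recent[user] if ev["ts"] - t <= window]
            if len(recent[user]) > max_failed:
                f = findings.setdefault(user, {
                    "failures": 0, "src": ev["src"],
                    "success_after_threshold": False,
                })
                f["failures"] = max(f["failures"], len(recent[user]))
        elif ev["result"] == "Accepted" and user in findings:
            # A lockout should have blocked this; evidence the control is ineffective.
            findings[user]["success_after_threshold"] = True
    return findings


def logging_gaps(events, max_silence=timedelta(minutes=10)):
    """3.3.4 heuristic. Returns (gap_start, gap_end) pairs where no audit
    record at all was written for longer than `max_silence`. On a host that
    normally logs continuously, such a gap is the signal to alert on."""
    ts = sorted(e["ts"] for e in events)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > max_silence]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for user, f in failed_logon_findings(evs).items():
        print(f"3.1.8: {user} exceeded failed-logon limit from {f['src']} "
              f"({f['failures']} failures); lockout enforced: "
              f"{not f['success_after_threshold']}")
    for start, end in logging_gaps(evs):
        print(f"3.3.4: no audit records between {start} and {end}")
```

In the sample data, alice exceeds the threshold and then logs in anyway, which is exactly the kind of finding that belongs in your plan of action; bob's two failures are too far apart to count; and the 15-minute silence after 09:05 is flagged as a possible logging failure. In production you would feed the same functions real auth logs (or the output of your SIEM) and wire the results into an alert rather than a print statement.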
4. Configuration Management
In this part of the NIST 800-171 compliance checklist, you should establish and maintain baseline configurations and inventories for all the systems within your organization, and control changes to them. Having the right security configuration settings will make your business safer. Utilize policies like blacklisting (deny-by-exception), whitelisting (permit-by-exception), and restriction of nonessential programs, ports, protocols, and services.
5. Identification and Authentication
Your system needs to confirm the identity of all users before allowing access. In the cybersecurity world, this is called identification and authentication. It’s the process of identifying and verifying each user, device, and process that acts on your systems. Implement multi-factor authentication, at a minimum for privileged accounts and for network access to non-privileged accounts, for better results.
6. Incident Response
The first task is to create a process for handling incidents. This covers preparation, detection, analysis, containment, recovery, and user response activities, in that order. From there, be sure to track and document incidents, report them to the appropriate officials, and test your organization’s incident response capability.
7. Maintenance
Regular maintenance will keep your network as secure as possible. When equipment is removed for off-site maintenance or replaced, sanitize it so that no CUI leaves with it, and check any media carrying diagnostic or test programs for malicious code before using it. Whoever performs your maintenance, typically a system administrator, should be supervised when they lack the required access authorization, and any nonlocal (remote) maintenance session should require multi-factor authentication and be terminated when the work is done.
8. Media Protection
Removable media is a big weakness for most companies. USB flash drives can be used to introduce malware, steal files, and gain access to your whole network. As such, you should control the use of removable media on your systems and prohibit the use of portable storage devices that have no identifiable owner. In addition, you’ll want to restrict CUI access via media. Any in-house media that holds CUI should carry the necessary CUI markings, its use should be controlled, and it should be sanitized or destroyed before disposal or reuse.
9. Personnel Security
The first step of personnel security involves a screening and background check of incoming employees. The final step is the removal of permissions when an employee gets terminated or transferred. They shouldn’t be able to access any CUI unless they are currently in a role that needs it.
10. Physical Protection
Uncontrolled physical access to servers, documents, and media is very dangerous. If a criminal can get physical access to a device on your network, they have a good chance of forcing their way into your network.
Whenever someone accesses a room that stores physical media, they should sign a log. All physical access devices should be controlled and properly managed.
11. Risk Assessment
Perform and maintain routine risk assessments of the operational risk to your organization and its systems from storing, processing, and transmitting CUI. This will help you identify vulnerabilities, including those found by regular vulnerability scanning, that should be remediated as soon as possible.
12. Security Assessment
The same is true for your company’s security controls. Periodically assess the controls in your systems to determine whether they are effective, and keep a plan of action for identifying, reducing, and eliminating the deficiencies you find. Update the system security plan regularly so it reflects the systems, boundaries, and controls you actually have.
13. System and Communications Protection
It’s easy for an employee to accidentally share information with someone who doesn’t have the authorization to know it. Monitoring, controlling, and protecting communications at the external and key internal boundaries of your systems is one way to combat this. Be sure to protect the confidentiality of CUI in transit by using cryptographic mechanisms (for example, encrypted messaging and encrypted connections) and to protect the confidentiality of CUI at rest.
14. System and Information Integrity
When a flaw is identified in the system, it should be reported and corrected in a timely manner. The system should be regularly monitored, with protection from malicious code at designated locations, as a means to protect against malicious code or actions. Any unauthorized use of networked devices, and any inbound or outbound traffic that looks like an attack, should be monitored and reported.
8 Steps to Achieve NIST 800-171 Compliance
The next phase of the NIST 800-171 compliance checklist is completing the following 8 steps. NIST 800-171 fills the gaps in areas where there aren’t specific laws from the federal government that say how CUI should be handled. The following 8 steps will help you establish security controls and security policies to safeguard your sensitive information, and help you meet NIST SP 800-171 compliance requirements.
Step 1: Identify CUI
To start, you need to fully understand what controlled unclassified information is. Next, you need to determine what CUI your company has by doing a full audit of your systems, from each employee’s device all the way to the systems and people that ultimately consume the data. This step is all about gathering as much data as possible and answering these questions: What kind of CUI do you have, where is it stored and used, and how many devices and people access it?
Step 2: Categorize Your CUI Data
Before you can protect CUI, you need to know which categories of it you hold. The approved CUI categories are defined not by NIST but by the CUI Registry maintained by the National Archives (NARA), which groups them into roughly 20 organizational index groupings, each with its own handling requirements. Knowing the category also tells you whether the information is CUI Basic or CUI Specified, which may carry additional handling rules.
Step 3: Perform a Security Assessment
No matter how large your DoD contracting organization is, you’ll need to build a strong security program. That starts with a security assessment against the NIST 800-171 requirements. This will help you understand your current cybersecurity strength, find out your weaknesses, and understand the path forward.
Step 4: Develop Baseline Controls
Baseline controls are the minimum safeguards you apply to every system that stores, processes, or transmits CUI: hardened configurations, endpoint protection, access restrictions, and logging. They help you stay secure against external threats and form the foundation of a data protection strategy that can prevent a cyber event.
Step 5: Perform Ongoing Risk Assessments
It’s important to regularly perform risk assessments. Each one documents the security measures you have in place and helps you understand how to protect your CUI from new threats as your systems and the threat landscape change.
Step 6: Document Your Security Plan
To comply with NIST 800-171, you need to have a written security plan. As you perform assessments, the plan will update, and each revision needs to be published with a date and revision number.
Step 7: Create a Response Plan
A response plan will outline how your business will react after a cyber event. In the unfortunate case that an event occurs, you will follow your incident response plan, which should be referenced from your system security plan (SSP), to ensure a timely and cost-effective return to operation.
Step 8: Educate Employees
After all of these steps are completed, you need to train your employees on them. Having a staff that is well-versed when it comes to cybersecurity awareness will help to prevent an event in the future. When policies change, your employees should be informed and retrained.
NIST 800-171 Audit Preparation Checklist
The final phase of the NIST 800-171 compliance checklist is audit preparation. Assessments happen periodically. If you’re not prepared, you can wind up scrambling and wasting a lot of manpower trying to gather the right information. To avoid this, follow our audit preparation checklist below.
Step 1: Determine Your Compliance Scope
Your compliance scope will depend on the sensitivity and form of data that you deal with, and on which systems, people, and facilities touch it. As a DoD contractor, there’s a wide range. Some contractors handle export-controlled technical data or other CUI Specified categories, which carry stricter handling requirements than CUI Basic. (Classified information is outside NIST 800-171 entirely and is governed by separate rules.)
The best way to determine your compliance scope is with the help of a cybersecurity expert who understands NIST 800 171 compliance.
Step 2: Gather Documents
A lot of supporting documentation is required during an audit. Either create a folder with all the documents needed or have a written form that maps out where the data is.
You’ll need to produce documents like data flows, system architecture, system boundaries, anticipated changes, network mapping, and personnel information.
Step 3: Perform a Gap Analysis
A gap analysis will highlight the distance between your current configuration and the ideal configuration. In your case, it will show your current information security standards and compare them to the NIST-specified requirements.
Step 4: Document Control Gaps
For every requirement the gap analysis shows you do not fully meet, record the gap: which requirement it is, which systems it affects, why it is not met, and what it would take to close it. Each documented gap becomes an item in your plan of action, and each one you close becomes evidence for the assessor. A gap that is found but never written down is the kind of thing that surfaces, unwelcome, during the audit.
Step 5: Lay Out a System Security Plan
Your system security plan is an outline of how you plan to be cyber secure. A lot of this plan would be generated after finishing the NIST 800-171 Compliance Checklist section earlier.
Step 6: Create a Plan of Action & Milestones (POA&M)
When you notice a gap or vulnerability, it should be added to your plan of action. The purpose of a plan of action is to show stakeholders and auditors how you will eventually be NIST 800-171 compliant, how you’ll achieve a more robust cybersecurity system, and what you need to do in order to avoid a future cyber event.
Step 7: Monitor, Maintain, Test, and Improve Controls
A control is any safeguard you put in place to prevent, detect, or limit a cyberattack. In this part of the checklist, you’ll want to start by building a list of your controls mapped to the NIST 800-171 requirements they satisfy. This list should be updated as your systems change. Be sure to regularly test that each control actually works as described, and whenever a vulnerability or weakness is noticed, improve your controls and record the change.
Step 8: Put Together Your Audit Trail
Finally, you’ll want to collate all the information you put together from this checklist. This will act as your audit trail. When an auditor approaches you, you will use this single document as a means to show the work you’ve done in order to stay NIST 800-171 compliant and the state of your cybersecurity system.
Make NIST 800-171 Compliance much easier with Cuick Trac
Once you complete the above NIST 800-171 compliance checklist, you’ll realize how important it is to comply with NIST standards. This compliance checklist will help you avoid missing out on federal contracts, and it will keep your business safer in the meantime.
Using this NIST 800-171 compliance checklist can help save you time and effort in the future, but if you’re like most small businesses, you may lack the time, money, and resources to build a fully compliant solution in-house.
That’s where Cuick Trac can help.
We’ve partnered with the most trusted third-party security providers to build a pre-configured, virtual enclave that provides end-to-end encryption for CUI, a DFARS/NIST 800-171 compliant firewall, multi-factor authentication (MFA) and more features than any of its competitors.
Even better, it’s fully customizable and can be configured in as little as 14 days.
Join us on a quick 30-minute demo to see how Cuick Trac works, and learn if it’s a fit for your organization. One of our product experts will walk you through the features you’re most interested in and answer any questions you have about NIST compliance.