Standard Compliance for NIST 800-171
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 specifies the security requirements for protecting controlled unclassified information (CUI) when it resides in nonfederal systems and organizations.
Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 has required defense contractors that handle covered defense information to implement NIST SP 800-171 since December 31, 2017. The DFARS interim rule that took effect on November 30, 2020 (clauses 252.204-7019 and 252.204-7020) added the requirement to score that implementation using the DoD Assessment Methodology and post the score to the Supplier Performance Risk System (SPRS).
Implementing these requirements is how contractors demonstrate that they provide the protection for CUI that their contracts specify. Achieving NIST 800-171 compliance can be challenging, as it requires a detailed understanding of your information systems' infrastructure, processes, and procedures.
Working with a consultant who has a thorough knowledge of NIST 800-171 is often the most effective step toward meeting DFARS requirements. The right partner can help contractors implement a comprehensive NIST 800-171 compliance program by assessing business risk, documenting practices, writing policies, and implementing technology.
These steps help government contractors put in place a security program that meets the DoD's increasing demands on the Defense Industrial Base (DIB) for protecting sensitive government information.
In this guide to NIST 800-171, we provide an overview of NIST 800-171, the steps your organization can take to become and stay compliant, and the advisory and assessment solutions that can help you get there.
What is NIST 800-171?
NIST SP 800-171 is a set of guidelines for protecting CUI that’s stored, transmitted, or processed by non-federal organizations. Contractors that want to do business with the US Department of Defense (DoD) must usually handle data that requires them to comply with NIST 800-171 standards. NIST SP 800-171 compliance ensures that these contractors provide the necessary protection for CUI.
NIST was founded in 1901 as the National Bureau of Standards and is now part of the US Department of Commerce; it is one of the country's oldest physical science laboratories. Congress established it to improve the US's measurement infrastructure, which lagged behind economic rivals such as the UK and Germany, a shortcoming that posed a significant challenge to US industrial competitiveness at that time.
Since then, NIST has provided standards and measurements for numerous products and services that rely on technology in some way, including atomic clocks, advanced nano-materials, electronic health records, and electric power grids.
How to Stay NIST 800-171 Compliant
Achieving NIST 800-171 compliance means meeting its requirements for protecting CUI. NIST SP 800-171 (Revision 2) organizes 110 security requirements into fourteen families, and the discussion text accompanying each requirement explains its intent and scope.
That discussion lets DoD contractors interpret the requirements for their specific mission contexts, operational environments, business requirements, and risk assessments. Contractors can implement any solution that satisfies NIST 800-171, either directly or by outsourcing that responsibility to a managed service provider; the contractor remains accountable for the result either way.
Contractors are required to describe the ways in which they meet each NIST 800-171 requirement in a System Security Plan (SSP). The SSP also describes related issues such as system boundaries, operational environments, and the relationships between each of the contractor’s systems.
Additional elements of the SSP include the procedures for addressing known and anticipated threats. If a contractor has not yet implemented a security requirement, it must also develop a Plan of Action and Milestones (POA&M) describing how and by when it will do so. An SSP and POA&M may be part of the same document or separate documents.
The 14 families of security requirements described in NIST 800-171 are the following:
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- System and communications protection
- System and information integrity
Access Control
Access control measures prevent unauthorized entities from accessing a system, process, or device. These policies can be based on identity or role and may include control matrices and cryptography. Access control applies to both active users and processes acting on behalf of users and passive objects such as devices, domains, records, and files.
An organization can implement the mechanisms that enforce this security control at both the application and service levels. NIST 800-171 discusses access control in greater detail, especially the differences between privileged and non-privileged access.
Awareness and Training
Awareness and training controls ensure that users are aware of the security risks associated with their activities and of the applicable policies, procedures, and security standards. Contractors determine the frequency and content of these measures based on their specific requirements and the systems their personnel can access.
Security awareness and training content should provide a basic understanding of the importance of user actions concerning information security, including the expected response to security incidents.
Specific techniques for security training include formal training, notices from officials within the organization, and materials with security reminders. Contractors may also promote security awareness with special events dedicated to this purpose.
Audit and Accountability
Audit and accountability controls require contractors to create and retain system audit logs so that unauthorized system activity can be monitored, analyzed, investigated, and reported. Contractors must also define which event types are significant to system security and the operating environment and therefore need to be logged. Events of particular interest include failed logins, password changes, use of administrative privileges, and use of third-party credentials.
The events that require logging primarily depend on the security requirements for the specific CUI that the contractor handles, although other system requirements can also be a factor. For example, the contractor may have the technical capability of logging all file accesses but decide not to in consideration of system performance.
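As an added illustration of the event types listed above (this is example code written for this guide, not part of NIST SP 800-171 or any Cuick Trac product), the following Python script scans Linux auth-log style lines for failed logins, password changes, and use of administrative privileges through sudo, and flags any source address that repeatedly fails to log in. The log lines are constructed for the example; the regular expressions assume the default OpenSSH, pam_unix and sudo message formats.

```python
"""Pick out the audit events NIST SP 800-171 names as being of interest
(failed logins, password changes, use of administrative privileges) from
auth-log style lines. Added example; the lines below are constructed."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the format of a Linux /var/log/auth.log (not real data).
SAMPLE_AUTH_LOG = """\
Mar  4 09:12:01 cui-host sshd[2041]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar  4 09:12:04 cui-host sshd[2041]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
Mar  4 09:12:07 cui-host sshd[2041]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2
Mar  4 09:15:33 cui-host sshd[2077]: Accepted publickey for jdoe from 10.20.0.15 port 40210 ssh2: ED25519 SHA256:c0ffee
Mar  4 09:16:02 cui-host sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/systemctl restart auditd
Mar  4 09:20:45 cui-host passwd[2103]: pam_unix(passwd:chauthtok): password changed for jdoe
Mar  4 09:21:10 cui-host sshd[2110]: Failed password for jdoe from 10.20.0.15 port 40222 ssh2
Mar  4 09:30:00 cui-host CRON[2150]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Syslog-style prefix: timestamp, host, then the free-text message.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# One pattern per event type of interest. Each binds a "user" group; any other
# named groups are kept as attributes of the event. Message formats are those
# of OpenSSH, pam_unix and sudo on a typical Linux host.
EVENT_PATTERNS = {
    "failed_login": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "password_change": re.compile(
        r"passwd\[\d+\]: pam_unix\(passwd:chauthtok\): password changed for (?P<user>\S+)"),
    "privilege_use": re.compile(
        r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"),
}


@dataclass
class AuditEvent:
    timestamp: str
    host: str
    kind: str
    user: str
    attrs: dict = field(default_factory=dict)


def extract_events(log_text):
    """Return the events of interest found in log_text, in log order.
    Lines that match no pattern (successful logins, cron sessions) are
    deliberately not flagged; they still stay in the retained raw log."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, pattern in EVENT_PATTERNS.items():
            em = pattern.search(m["msg"])
            if em:
                attrs = em.groupdict()
                user = attrs.pop("user")
                events.append(AuditEvent(m["ts"], m["host"], kind, user, attrs))
                break
    return events


def summarize(events):
    """Count events by type, the figures an audit review would report."""
    return Counter(e.kind for e in events)


def brute_force_sources(events, threshold=3):
    """Source addresses with at least `threshold` failed logins."""
    per_src = Counter(e.attrs["src"] for e in events if e.kind == "failed_login")
    return {src for src, n in per_src.items() if n >= threshold}


if __name__ == "__main__":
    found = extract_events(SAMPLE_AUTH_LOG)
    for e in found:
        print(f"{e.timestamp} {e.host} {e.kind:16} user={e.user} {e.attrs}")
    print("summary:", dict(summarize(found)))
    print("repeated failed logins from:", brute_force_sources(found))
```

Run stand-alone, the script lists the six events of interest and reports 198.51.100.23 as a source with repeated failed logins; the successful key-based login and the cron session are not flagged, which is the performance trade-off the paragraph above describes: log everything you are required to, alert only on what matters.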
Configuration Management
Configuration management controls establish baseline configurations for systems throughout their lifecycle, including organizational inventories for hardware, software, and firmware. Contractors must document these configurations and conduct formal reviews based on predetermined specifications.
Baseline configurations also include information on system components such as model numbers, version numbers, updates, and patches. Network topology and the logical relationship of components within the system architecture are also part of configuration management.
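As an added example (written for this guide, not part of NIST SP 800-171 or any Cuick Trac product), the following Python script compares a documented baseline of software and firmware components, each with its approved version and the SHA-256 digest of its installed image, against what an inventory scan reports, and lists the drift a reviewer would have to approve or remediate. The baseline, the scan results and the component names are constructed; the byte strings stand in for the real binaries and firmware images that production code would hash from disk.

```python
"""Compare an inventory scan against the documented baseline configuration
and report drift. Added example; all baseline and scan data is constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    sha256: str  # digest of the installed binary or firmware image


def digest(blob: bytes) -> str:
    """SHA-256 of an image; real code would stream the file from disk."""
    return hashlib.sha256(blob).hexdigest()


# Constructed baseline: the components, versions and image digests recorded
# in the SSP's configuration documentation. Byte strings stand in for images.
BASELINE = {
    "openssh-server": Component("openssh-server", "9.6p1",  digest(b"sshd-9.6p1-build")),
    "bmc-firmware":   Component("bmc-firmware",   "2.81",   digest(b"bmc-2.81-image")),
    "auditd":         Component("auditd",         "3.1.2",  digest(b"auditd-3.1.2-build")),
    "sudo":           Component("sudo",           "1.9.15", digest(b"sudo-1.9.15-build")),
}

# Constructed scan of the same host some months later.
SCAN = [
    Component("openssh-server", "9.6p1", digest(b"sshd-9.6p1-build")),         # unchanged
    Component("bmc-firmware",   "2.81",  digest(b"bmc-2.81-image-TAMPERED")),  # same version, different image
    Component("auditd",         "3.1.4", digest(b"auditd-3.1.4-build")),       # patched, baseline not updated
    Component("telnetd",        "0.17",  digest(b"telnetd-0.17-build")),       # not in the baseline at all
    # sudo is absent from the scan
]


def detect_drift(baseline, scan):
    """Classify every difference between the scan and the baseline.

    version_drift:      approved component, different version (a patch the
                        baseline record has not caught up with, or a rollback)
    integrity_mismatch: approved version, but the installed image does not
                        hash to the recorded digest (the most serious finding)
    unapproved:         installed but not in the baseline
    missing:            in the baseline but not installed
    """
    seen = {c.name: c for c in scan}
    report = {"version_drift": [], "integrity_mismatch": [], "unapproved": [], "missing": []}
    for name, approved in baseline.items():
        found = seen.get(name)
        if found is None:
            report["missing"].append(name)
        elif found.version != approved.version:
            report["version_drift"].append((name, approved.version, found.version))
        elif found.sha256 != approved.sha256:
            report["integrity_mismatch"].append(name)
    report["unapproved"] = [name for name in seen if name not in baseline]
    return report


def is_compliant(report):
    """True only when the scan matches the baseline exactly."""
    return not any(report.values())


if __name__ == "__main__":
    result = detect_drift(BASELINE, SCAN)
    for category, items in result.items():
        print(f"{category:19} {items}")
    print("matches baseline:", is_compliant(result))
```

The version check runs before the digest check on purpose: a version change explains a digest change, whereas a digest change at the same version means the installed image is not the one the baseline approved, which is the finding that should go straight to incident response rather than to a routine baseline update.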
Identification and Authentication
Controls for identification and authentication identify users, and the processes and devices acting on behalf of users, before allowing them access. Common identifiers for devices include Internet Protocol (IP) addresses, Media Access Control (MAC) addresses, and identifiers unique to a particular device. An individual identifier is typically the username of the system account assigned to that individual, so managing individual identifiers does not apply to shared accounts.
However, an organization may require unique identifiers for individuals in group accounts, typically where individual activity requires detailed accountability. Devices that require identifiers may be defined by type, device, or a combination of both properties.
Incident Response
How controls for handling security incidents are implemented depends on the system's capabilities and the mission it supports. These controls are built into system processes, including their definition, design, and development. Contractors can obtain incident-related information from various sources such as audit logs, network activity, and physical access records.
Administrator reports and supply chain events are other common sources of incident information. Effective incident handling requires coordination between many departments, including human resources, security, legal, operations, and procurement.
Maintenance
Maintenance controls address security issues arising from the care of any system component, including hardware, software, and firmware, whether a local or nonlocal entity performs the work. They also cover components that are not directly associated with processing or retaining data, so peripheral devices such as copiers, printers, and scanners are subject to maintenance controls.
Media Protection
Media protection controls deal with the physical control and storage of CUI media, including physical and digital media. Non-digital media primarily consists of paper and microfilm, while digital media includes compact discs, flash drives, hard drives, and video disks.
Access to media should generally be limited to individuals who need this information. For example, media containing design specifications should only be accessible by the project leader and members of the development team. Physical control measures may consist of a controlled media library with locked cabinets, desks, and drawers.
They also include regular inventories and maintaining accountability for stored media. For example, contracting organizations should ensure that they have procedures requiring individuals to check out and return media.
Personnel Security
Personnel security controls include procedures for screening individuals before granting them access to information systems that handle CUI. These activities generally involve evaluating an individual’s trustworthiness based on traits such as integrity, judgment, loyalty, reliability, and stability.
The screening process must also comply with the requirements of federal agencies regarding privacy, which can include legislation, as well as executive orders, directives, policies, and regulations. Screening should also be appropriate to the level of access the position requires, meaning that greater access requires greater scrutiny.
Physical Protection
Physical protection controls limit personnel's physical access to an organization's systems, equipment, and operating environments that aren't publicly accessible. These controls apply to all personnel, whether employees or visitors to the facility. Individuals with authorized access should have credentials such as badges, ID cards, and smart cards, which must comply with applicable laws, directives, policies, and regulations.
Equipment that requires physical protection under NIST 800-171 includes computing devices and associated hardware such as monitors, printers, external disk drives, and network equipment. It may also include equipment that isn’t directly related to computers like scanners, fax machines, and copiers. In some cases, limiting physical access to these devices may involve placing them in locked rooms or some other type of secured area that ensures only authorized personnel can use them.
Risk Assessment
Risk assessment controls require the contractor to periodically assess the risk that handling CUI poses to its operations, including its functions, image, mission, and reputation. Analyzing these risks involves considering factors such as the specific threat, the vulnerabilities it exploits, the likelihood of its occurrence, and the scope of its impact.
Risk assessments must also examine the external parties that could pose a threat such as service providers, vendors, and subcontractors. Contractors may conduct risk assessments at any organizational level and phase of the system’s life cycle.
Security Assessment
Security assessment controls require periodic assessments of the contracting organization's NIST 800-171 controls. These assessments are part of the development lifecycle for the contractor's systems that handle CUI and help ensure that safeguards and countermeasures operate as intended.
They also help identify vulnerabilities early in a system's development and provide the information needed for risk management and remediation. The SSP should document the security assessments the contractor performs on its implemented controls.
System and Communications Protection
Controls protecting systems and communications apply to information that a system transmits or receives at its external boundaries and at key internal boundaries. They monitor and control communications at those boundaries through managed interfaces, which restrict some traffic and prohibit other traffic entirely. Boundary components include firewalls, gateways, routers, guards, encrypted tunnels, and virtualization systems.
For example, the router or firewall at the internet edge is a boundary shared by every system behind it, including those that handle CUI. Restricting or prohibiting interfaces includes limiting external web traffic to designated web servers within the managed interface and blocking inbound traffic whose source address appears to be spoofing an internal address.
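To make the two restrictions in the previous paragraph concrete, here is an added example (written for this guide, not part of NIST SP 800-171 or any Cuick Trac product) that evaluates packets arriving at a managed interface against a boundary policy in Python: external traffic claiming an internal source address is dropped as spoofed, external web traffic is allowed only to designated web servers on their designated ports, and everything else inbound is denied. The internal address ranges, the designated web servers and the packets are constructed; a real deployment expresses the same rules in the firewall's own language. The example also applies the spoof check in the outbound direction, which the paragraph above does not call out but the same reasoning supports.

```python
"""Evaluate packets at a managed boundary interface against the restrictions
NIST SP 800-171 discusses for boundary protection. Added example; all
addresses, hosts and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address space behind the managed interface.
INTERNAL_NETS = [ip_network("10.20.0.0/16"), ip_network("192.168.50.0/24")]

# Assumed designated web servers (DMZ addresses) and the ports each may serve.
DESIGNATED_WEB_SERVERS = {
    ip_address("203.0.113.10"): {443},
    ip_address("203.0.113.11"): {80, 443},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    ingress: str = "external"  # interface the packet arrived on: external or internal


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def evaluate(pkt: Packet):
    """Return (verdict, reason) for one packet. Anything not explicitly
    permitted is dropped."""
    src_internal = is_internal(pkt.src)
    if pkt.ingress == "external":
        if src_internal:
            # An internal source can never legitimately arrive from outside.
            return "drop", "spoofed internal source on external interface"
        allowed_ports = DESIGNATED_WEB_SERVERS.get(ip_address(pkt.dst), set())
        if pkt.proto == "tcp" and pkt.dport in allowed_ports:
            return "allow", "external web traffic to designated web server"
        return "drop", "inbound traffic not permitted through managed interface"
    # Internal interface: egress filtering (added generalization) so that the
    # enclave cannot originate traffic with source addresses it does not own.
    if not src_internal:
        return "drop", "non-internal source on internal interface"
    return "allow", "outbound traffic from internal host"


def evaluate_all(packets):
    return [evaluate(p)[0] for p in packets]


# Constructed traffic sample.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.10", 443),                      # public client to web server: allow
    Packet("198.51.100.7", "203.0.113.11", 80),                       # second web server, port 80: allow
    Packet("198.51.100.7", "203.0.113.10", 22),                       # ssh to the web server: drop
    Packet("198.51.100.7", "10.20.0.40", 443),                        # web to a non-designated internal host: drop
    Packet("10.20.0.5", "203.0.113.10", 443),                         # internal source arriving from outside: spoofed
    Packet("10.20.0.5", "192.0.2.80", 443, ingress="internal"),       # outbound browsing: allow
    Packet("198.51.100.9", "192.0.2.80", 443, ingress="internal"),    # foreign source on the inside: drop
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, reason = evaluate(p)
        print(f"{verdict:5} {p.src:>14} -> {p.dst:>14}:{p.dport:<4} via {p.ingress:8} {reason}")
```

The policy is written so that the spoof check runs before any allow rule: a packet from a spoofed internal address is dropped even when it is aimed at a designated web server on a permitted port, which is exactly the ordering a firewall rule set needs to get right.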
System and Information Integrity
System and information integrity controls identify system flaws, correct them in a timely manner, and report the vulnerabilities resulting from those flaws to the appropriate personnel. Flaw remediation includes installing security-relevant updates such as hotfixes, patches, and service packs.
Contractors also address flaws discovered during other activities such as security assessments, incident response, and continuous monitoring under this family. Resources such as the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) databases can help identify and prioritize the flaws to remediate.
NIST 800-171 Advisory Solutions
NIST 800-171 advisory solutions provide specific capabilities such as supporting scope and gap analysis for particular information systems or entire organizations.
They can also generate reports to support scoping decisions and regulatory compliance determinations. In addition, these solutions support applicable security controls as specified in a contract.
Other capabilities of NIST 800-171 advisory solutions include support for documentation such as SSPs and POA&Ms, and the creation of responsibility matrices.
Our professionally-engineered security solutions are affordable, editable, and scalable. Schedule a free consultation today with our cybersecurity experts and find out how Cuick Trac can efficiently provide you with advisory solutions.
NIST 800-171 Assessment Solutions
NIST 800-171 assessment solutions can evaluate government contractors’ security controls and other cybersecurity requirements. They can also monitor and validate POA&Ms and continuously monitor NIST 800-171 compliance.
Some assessment solutions can recommend actions for achieving compliance requirements for IT systems within the scope of a contract.
The Cuick Trac assessment service is a guided engagement that reviews each requirement and identifies what is met, partially met, and not met. Using that information, Cuick Trac delivers a point-in-time compliance progress report, a data flow analysis, a list of recommendations, a road map to full compliance, and an updated SPRS score.
Why choose our NIST 800-171 compliance services?
Since the end of 2017, DoD contracts have required suppliers that store or process CUI to comply with NIST 800-171, and those requirements are being supplemented by the Cybersecurity Maturity Model Certification (CMMC). Many of these suppliers are small and medium-sized businesses (SMBs) that are subcontractors to a larger prime contractor.
SMBs often find it extremely difficult, expensive, and time-consuming to implement the solutions that will meet the compliance needs for their contracts, including requirements for protecting CUI. On the other hand, failure to comply can result in fines and the loss of the contract, which often means closing the business in the case of SMBs.
The market is littered with solutions claiming to provide NIST 800-171 compliance, but none of them are all-encompassing. Cuick Trac brings these solutions together to ensure contractors meet all NIST requirements in a cost-effective manner that SMBs can afford.
This capability allows SMBs to continue growing their business by winning contracts with the federal government with confidence, while still focusing on their core competencies instead of cybersecurity.
Since its inception, Cuick Trac has helped federal contractors assess how they handle CUI and identify the vendors they need to meet the 110 requirements described in NIST 800-171.
Talk with a NIST compliance solution advisor today
Contractors who want to do business with the federal government must demonstrate their ability to protect CUI, whether they’re competing for a contract or are already working under an existing contract.
NIST 800-171 describes the cybersecurity capabilities that contractors must have, but it does not require or even recommend a particular solution; it is a set of non-prescriptive requirements. The fact that implementation is left to the contractor is particularly challenging for SMBs, which typically lack the resources and expertise needed to achieve compliance by themselves.
Furthermore, the need for compliance is still relatively new, and no single product can satisfy all of its requirements, because NIST 800-171 requires a combination of technical, administrative, and physical controls to build a fully compliant program.
At Cuick Trac, we offer NIST compliance and security experts to help contractors determine which solutions they will need to achieve complete NIST compliance.
Contact us today for more information or complete the online form to get access to a complete Cuick Trac demo.
Learn how Cuick Trac, a privately hosted virtual enclave, can help you meet NIST 800-171 compliance requirements in 14 days.