Everything You Need To Know About NIST 800-171

Does your company deal with the Federal Government?

14:50 29 September 2020

Find out the urgent message the National Institute of Standards and Technology has for you.

 

If you are reading this article, it’s probably safe to say you already know a thing or two about the significance of complying with regulatory standards, especially if your business is under contract with a Federal agency.

 

As a leading managed IT services provider, we know the crucial role your data record handling practices play in maintaining the trust of contractors, vendors, partners, and clients.

 

Even if your organization is neither a federal contractor nor a subcontractor, the NIST 800-171 (also known as NIST SP 800-171) is still an applicable data security standard. But what does it look like? And how can you tell whether your company is being compliant with NIST 800-171?

 

Okay, enough talk. Let’s dive into it! Greg LaScala offers CMMC consulting to organizations across the United States and shares insights into NIST.

 

What Is Controlled Unclassified Information (CUI)?

 

We can’t begin discussing NIST 800-171 without first defining what Controlled Unclassified Information (CUI) is. In simple terms, CUI refers to data that, despite not being classified under federal law, is still sensitive and of interest to the United States. Does this include a list of Special Ops operating behind enemy lines? Of course not! Instead, it has more to do with data covered by HIPAA or SOX, for instance.

 

It is each agency’s responsibility to communicate the details of which information it considers CUI to the National Archives and Records Administration. This is the executive agent tasked with the creation and enforcement of standards for unclassified data. Each agency needs to create a public registry of the types of data that constitute CUI while clearly defining their reasons.

 

Let us take the “financial” category, for example, which contains sub-categories that relate to the roles of financial institutions and U.S. fiscal functions, such as:

 

• Electronic fund transfers
  
  
• Mergers
  
  
• Contractor registration
  
  

What Is NIST 800-171?

 

NIST 800-171 is short for the National Institute of Standards and Technology Special Publication 800-171 that governs CUI in non-federal information systems and organizations. It’s primarily aimed at safeguarding and distributing data that is considered sensitive but not classified.

 

NIST SP 800-171 initially started as Executive Order 13556. President Obama signed this document in 2010, following several well-documented breaches in Federal Agencies. EO 13556 directed all federal agencies to safeguard their sensitive, unclassified information and established an integrated policy for data sharing and transparency.

 

After the data breaches, the federal government stepped up cybersecurity regulations by passing FISMA. NIST followed soon after with NIST 800-53, and later on, NIST 800-171.

 

Who Needs to Comply With NIST 800-171?

 

Briefly put, if your organization processes, stores, or transmits CUI for any federal or state agencies, you have to meet NIST 800-171 standards. The process of achieving compliance with NIST 800-171 standards can be a long, drawn-out process taking around 6-8 months.

 

However, failure to become compliant with these guidelines could result in severed contracts or damaged relationships.

 

If you still aren’t sure, here’s a list of organizations that need to comply with NIST 800-171:

 

• Contractors for the Department of Defense (DoD)
  
  
• Contractors for the National Aeronautics and Space Administration (NASA)
  
  
• Contractors for General Services Administration (GSA)
  
  
• Consulting companies with federal contracts
  
  
• Universities and research institutions supported by federal grants
  
  
• Manufacturers and service providers supplying goods and services to federal agencies
  
  

What Are the Compliance Requirements?

 

Similar to its companion document (NIST 800-53), NIST 800-171 provides a list of controls that describe its compliance requirements:

 

1. Access Control: Who is authorized to view this information?
   
   
2. Awareness and Training: is your staff properly trained on how to handle CUI?
   
   
3. Audit and Accountability: Do you document who accesses CUI?
   
   
4. Configuration Management: Do you follow RMF guidelines to ensure secure configurations and manage change?
   
   
5. Identification and Authentication: Do you manage and audit access to CUI?
   
   
6. Incident Response: What are your procedures in case of a breach?
   
   
7. Maintenance: What are your standard maintenance timelines, and who is responsible?
   
   
8. Media Protection: How are hard copy and digital records stored?
   
   
9. Physical Protection: Who can access the place your CUI is stored?
   
   
10. Personnel Security: How are staff screened before being granted access?
    
    
11. Risk Assessment: Do you test and verify your defenses in simulations? Have you conducted a risk assessment?
    
    
12. Security Assessment: Do you need to improve existing security procedures?
    
    
13. Systems and Communications Protection: How secure are your communication channels?
    
    
14. System and Information Integrity: How swiftly are new system vulnerabilities identified and addressed?
    
    

Looking for Reliable NIST 800-171 Compliance Support?

 

We help out organizations that are falling behind maintain compliance with NIST 800-171 through our wide range of technology solutions. Contact us now to get started.