What is NIST SP 800-171? How to stay compliant in 2021
Any organization that processes or stores sensitive, unclassified information on behalf of the US government is required to be compliant with the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) cybersecurity standards. This may include contractors for the Department of Defense, universities and research institutions that receive federal grants, or organizations providing services to government agencies.
NIST 800-171 sets standards for safeguarding sensitive information on federal contractors’ IT systems and networks. By requiring best-practice cybersecurity processes from government contractors, the resilience of the whole federal supply chain is strengthened. NIST 800-171 specifically focuses on the protection of Controlled Unclassified Information (CUI) and seeks to ensure that such sensitive government information located on contractors’ networks is both secure and protected.
Compliance with NIST 800-171 is a contractual obligation for contractors handling CUI on their networks and these organizations are expected to conduct self-assessments to determine and maintain compliance. So, it’s important that the requirements are fully understood and assessed. This guide explores NIST 800-171, what it consists of, and the steps to become compliant with it.
What is NIST 800-171
NIST 800-171 is a publication that outlines the required security standards and practices for non-federal organizations that handle CUI on their networks. It was first was published in June 2015 by the National Institute of Standards and Technology (NIST), which is a US government agency that has released an array of standards and publications to strengthen cybersecurity resilience in both the public and private sectors. NIST 800-171 has received regular updates in line with emerging cyber threats and changing technologies. The latest version (Revision 2) was released in February 2020.
What is the purpose of NIST 800-171?
The cybersecurity requirements within NIST 800-171 are designed to safeguard CUI in the IT networks of government contractors and subcontractors. It defines the practices and procedures that government contractors must adhere to when their networks process or store CUI. NIST 800-171 only applies to those parts of a contractor’s network where CUI is present.
By defining the cybersecurity requirements for contractors who handle sensitive government information, NIST 800-171 strengthens the security of the whole federal supply chain. It ensures a unified baseline standard of cybersecurity for all contractors, and their respective subcontractors, who have access to CUI.
Top tip for NIST 800-171 compliance: “Conducting evidence-based assessments are going to be key to accurately determining an organization’s NIST 800-171 compliance. An organization should maintain an up-to-date System Security Plan (SSP) as well as have policies and practices in place that can be used to demonstrate and evidence compliance.”
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is information owned or created by the government which is sensitive but not classified. This might include patents, technical data, or information relating to the manufacture or acquisition of goods and services. Government agencies publish lists of relevant categories and specific definitions of CUI.
Although CUI is not considered classified information, breaches of such sensitive data can still lead to adverse national security and economic consequences. For this reason, information breaches due to lack of compliance with NIST 800-171 requirements can lead to loss of contracts, lawsuits, fines, and reputational damage.
What are the NIST 800-171 requirements used to protect CUI?
NIST 800-171 consists of 110 requirements, each covering different areas of an organization’s IT technology, policy and practices. Requirements cover aspects like access control, systems configuration, and authentication procedures. They also set out the requirements for cybersecurity procedures and incident response plans.
Each requirement mitigates cybersecurity vulnerabilities or strengthens an element of the network and is accompanied by in-depth ‘discussion’ text that allows the organization to understand the requirement’s wider context. The application of each requirement ensures an organization’s systems, network, and employees are properly prepared to safely handle CUI.
What are the NIST 800-53 control families?
NIST SP 800-53 has more than 1,000 controls across 20 distinct control ‘families’. Families include a range of controls relating to their specific area. For example, the ‘Access Control’ family contains security and privacy controls relating to device and user access to the system.
The 20 NIST SP 800-53 control families are:
Who needs to comply with NIST 800-171?
US government departments rely on a range of external organizations and service providers to function. Many of these essential services result in the processing and storage of sensitive information on contractors’ IT networks. And these organizations that handle or transmit CUI as part of their contract with the US government need to comply with NIST 800-171. Common organizations that may require NIST 800-171 compliance when working with US government agencies include:
NIST 800-171 compliance
Compliance with NIST 800-171 is a requirement for organizations that process or store CUI. It will be a core part of any contract or agreement between the US government and a contractor who is expected to handle CUI on their IT networks.
There is no certification body or official audit to determine a contractor’s adherence to the NIST 800-171 requirements. Organizations must self-assess and self-attest to compliance instead. Organizations perform an audit against the list of requirements found in the publication for all aspects of their network and systems that store or process CUI.
NIST 800-171 compliance for defense contractors
Contractors that process CUI as part of their work for the Department of Defense (DoD) use a points-based system to demonstrate compliance with NIST 800-171. This process involves a self-assessment against the 110 requirements outlined in the NIST 800-171, scoring compliance with each of the individual requirements. Organizations gain a point for every implemented requirement, up to a maximum of 110, but subtract weighted penalty points (from -1 to -5) for each unimplemented or partially implemented requirement. Final scores are registered in the DoD’s Supplier Performance Risk System (SPRS) – scores must be submitted before contract award or renewal.
Defense contractors must also submit a System Security Plan (SSP) as part of their evidence of NIST 800-171 compliance. The SSP provides a comprehensive overview of an organization’s IT network, including hardware and software, as well as security processes and policies.
Any NIST 800-171 requirements not met by a DoD contractor should be stated within a Plan of Actions and Milestones (POAM). The POAM sets out key dates and timelines for achieving full compliance and must be submitted before the contract begins. The POAM can be updated as the organization addresses areas of non-compliance and as their cybersecurity practices mature. Both the SSP and any related NIST 800-171 POAM are vital evidence of compliance required by the DoD and should be uploaded and updated in SPRS.
The importance of NIST 800-171 compliance: “For DoD contractors, the ultimate goal is CMMC certification. And for those defense companies who handle CUI on their networks, accurate and ongoing NIST 800-171 compliance will be the bridge to CMMC success.”
Your NIST 800-171 checklist and best practice
NIST 800-171 compliance is proven through a process of self-assessment. There are 110 requirements that organizations need to meet in order to achieve compliance, which can seem daunting. But there is a clear process to executing a NIST 800-171 assessment.
Here are eight steps for conducting a NIST 800-171 self-assessment:
- Form an assessment team with input from senior information security stakeholders.
- Set an assessment plan, including timeframe and objectives.
- Begin an internal communication campaign to spread awareness of the project.
- Create a contact list of personnel with relevant responsibilities, such as system administrators and information security specialists.
- Collect relevant documents, including existing security policies, system records and manuals, previous audit results and logs, admin guidance documents, and system architecture documents.
- Assess individual requirements in the NIST 800-171 document and record a statement for each.
- Create a plan of action that outlines how any unmet requirements will be achieved.
- Include all evidence for compliance into a System Security Plan (SSP) document.
What people get wrong: “If you maintain CUI on your networks, don’t stop at just implementing the NIST 800-171 requirements. Gather and organize all the evidence required to obtain and maintain at least CMMC Level 3 certification.”
How to prepare for a NIST Assessment
The NIST 800-171 self-assessment is a complex task because it will audit all elements of an organization’s security systems and network that touch CUI. For this reason, preparation is key. The assessment team should be assembled with input from both the core leadership team and the executive in charge of cybersecurity policies. Before beginning, an assessment plan should be created which outlines the timeframe, scope, and aims of the project.
Here are five steps to prepare for a NIST assessment:
1. Collect existing security policies and procedures.
2. Establish contact with key information security stakeholders.
3. Set the start and end point of the assessment.
4. Collect relevant material and previous audit results.
5. Communicate the project to all areas of the organization.
The process of assessing each of the 110 requirements can be time-consuming and labor-intensive. Finding the right NIST assessment tool to automate elements of the audit should be a key consideration.
NIST 800-171 Mapping Document
Titania Nipper is a tool that helps to streamline the NIST 800-171 compliance audit. It can automate the accurate assessment of 31 network requirements, saving assessors up to three hours per device audit. And for contractors to the Department of Defense, Nipper can also help to assess and evidence 31 SPRS points, which have a total weighted penalty value of 113 points. This represents 28% of the total SPRS points needed for full NIST 800-171 compliance.