Any organization that processes or stores sensitive, unclassified information on behalf of the US government is required to be compliant with the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) cybersecurity standards. This may include contractors for the Department of Defense, universities and research institutions that receive federal grants, or organizations providing services to government agencies.
NIST 800-171 sets standards for safeguarding sensitive information on federal contractors’ IT systems and networks. By requiring best-practice cybersecurity processes from government contractors, the resilience of the whole federal supply chain is strengthened.
NIST 800-171 specifically focuses on the protection of Controlled Unclassified Information (CUI) and seeks to ensure that such sensitive government information located on contractors’ networks is both secure and protected.
Compliance with NIST 800-171 is a contractual obligation for contractors handling CUI on their networks and these organizations are expected to conduct self-assessments to determine and maintain compliance. So, it’s important that the controls and requirements are fully understood and assessed.
This guide explores NIST 800-171, what it consists of, and the steps to become compliant with it.
What is NIST 800-171
NIST 800-171 is a publication that outlines the required security standards and practices for non-federal organizations that handle CUI on their networks. It was first was published in June 2015 by the National Institute of Standards and Technology (NIST), which is a US government agency that has released an array of standards and publications to strengthen cybersecurity resilience in both the public and private sectors. NIST 800-171 has received regular updates in line with emerging cyber threats and changing technologies. The latest version (Revision 2) was released in February 2020.
What is the purpose of NIST 800-171?
The cybersecurity controls within NIST 800-171 are designed to safeguard CUI in the IT networks of government contractors and subcontractors. It defines the practices and procedures that government contractors must adhere to when their networks process or store CUI. NIST 800-171 only applies to those parts of a contractor’s network where CUI is present.
By defining the cybersecurity requirements for contractors who handle sensitive government information, NIST 800-171 strengthens the security of the whole federal supply chain. It ensures a unified baseline standard of cybersecurity for all contractors, and their respective subcontractors, who have access to CUI.
Top tip for NIST 800-171 compliance: “Conducting evidence-based assessments are going to be key to accurately determining an organization’s NIST 800-171 compliance. An organization should maintain an up-to-date System Security Plan (SSP) as well as have policies and practices in place that can be used to demonstrate and evidence compliance.”
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is information owned or created by the government which is sensitive but not classified. This might include patents, technical data, or information relating to the manufacture or acquisition of goods and services. Government agencies publish lists of relevant categories and specific definitions of CUI.
Although CUI is not considered classified information, breaches of such sensitive data can still lead to adverse national security and economic consequences. For this reason, information breaches due to lack of compliance with NIST 800-171 requirements can lead to loss of contracts, lawsuits, fines, and reputational damage.
What are NIST 800-171 controls used to protect CUI?
NIST 800-171 consists of 110 controls or requirements, each covering different areas of an organization’s IT technology, policy and practices. Controls cover aspects like access control, systems configuration, and authentication procedures. They also set out the requirements for cybersecurity procedures and incident response plans.
Each control mitigates cybersecurity vulnerabilities or strengthens an element of the network and is accompanied by in-depth ‘discussion’ text that allows the organization to understand the control’s wider context. The application of each control ensures an organization’s systems, network, and employees are properly prepared to safely handle CUI.
14 control families of NIST 800-171
The 110 security controls of NIST 800-171 are organized into 14 families. Each control family contains the requirements related to the general security topic of the family. These groupings are intended to ensure it is straightforward for an organization to employ and self-assess the application of the controls.
The 14 control families of NIST 800-171 are:
1. Access Control
This family of requirements deals with access to networks, systems, and information. 22 different controls and requirements help to ensure only authorized users access the system. Controls also safeguard the flow of sensitive information within the network and provide guidance on network devices in the system.
2. Awareness and Training
Three separate requirements make up the ‘Awareness and Training’ section. Requirements include ensuring system administrators and users are aware of security risks and related cybersecurity procedures, and that employees are trained to carry out security-related roles.
3. Audit and Accountability
Nine requirements make up this family of controls, which focus on auditing and analyzing system and event logs. The requirements deal with the recording and storage of reliable audit records to allow for best practice analysis and reporting. Regular review of system security logs can help uncover and mitigate cybersecurity incidents.
4. Configuration Management
Nine requirements cover the proper configuration of hardware, software, and devices across the organization’s system and network. This family of controls also focuses on preventing unauthorized software installation and the restriction of nonessential programs.
5. Identification and Authentication
This family of requirements ensures only authenticated users can access the organization’s network or systems. 11 requirements cover password and authentication procedures and policy, alongside the reliable identification of users. Controls ensure the distinction between privileged and non-privileged accounts is reflected in network access.
6. Incident Response
Three requirements deal with the capability of the organization to respond to serious cybersecurity incidents. The requirements ensure procedures are in place to detect, contain and recover a range of incidents within the organization. This includes proper training and planning, as well as regular testing of capabilities.
Six requirements provide insight into best practice system and network maintenance procedures. This includes the performance of regular system maintenance and making sure any external maintenance is secure and authorized.
8. Media Protection
Nine security requirements help organizations control access to sensitive media. Requirements cover best practice storage or destruction of sensitive information and media in both physical and digital formats.
9. Personnel Security
Two security requirements cover the safeguarding of CUI in relation to personnel and employees. The first covers the need for security screening of individuals prior to accessing systems that contain CUI. The second ensures CUI is protected during termination or transfer of personnel, including the return of building passes or hardware and devices.
10. Physical Protection
Six security requirements deal with physical access to CUI within the organization, including the control of visitor access to work sites. Hardware, devices, and equipment are also required to be limited to authorized personnel.
11. Risk Assessment
Two requirements cover the performance and analysis of regular risk assessments. Organizations are required to regularly scan systems for vulnerabilities, keeping network devices and software updated and secure. By regularly highlighting and strengthening vulnerabilities, the security of the entire system is improved.
12. Security Assessment
Four requirements cover the development, monitoring and renewal of system controls, and security plans. By periodically reviewing security procedures, vulnerabilities across the organization are highlighted and improved. This ensures plans to safeguard CUI remain effective.
13. System and Communications Protection
16 requirements cover the monitoring and safeguarding of systems and the transmission of information. Controls include the prevention of unauthorized information transfer and the denial by default of network communication traffic. Requirements also include best practice cryptography policies to protect CUI.
14. System and Information
Integrity Seven requirements deal with monitoring and ongoing protection of systems within the organization. This includes processes for identifying unauthorized use of systems and the monitoring of system security alerts.
Who needs to comply with NIST 800-171?
US government departments rely on a range of external organizations and service providers to function. Many of these essential services result in the processing and storage of sensitive information on contractors’ IT networks. And these organizations that handle or transmit CUI as part of their contract with the US government need to comply with NIST 800-171.
Common organizations that may require NIST 800-171 compliance when working with US government agencies include:
NIST 800-171 compliance
Compliance with NIST 800-171 is a requirement for organizations that process or store CUI. It will be a core part of any contract or agreement between the US government and a contractor who is expected to handle CUI on their IT networks.
There is no certification body or official audit to determine a contractor’s adherence to the NIST 800-171 controls. Organizations must self-assess and self-attest to compliance instead. Organizations perform an audit against the list of controls found in the publication for all aspects of their network and systems that store or process CUI.
NIST 800-171 compliance for defense contractors
Contractors that process CUI as part of their work for the Department of Defense (DoD) use a points-based system to demonstrate compliance with NIST 800-171. This process involves a self-assessment against the 110 controls outlined in the NIST 800-171, scoring compliance with each of the individual controls from one to five points. Organizations begin with the maximum score of 110 but subtract points for each unimplemented or partially implemented control. Final scores are registered in the DoD’s Supplier Performance Risk System (SPRS) – scores must be submitted before contract award or renewal.
Defense contractors must also submit a System Security Plan (SSP) as part of their evidence of NIST 800-171 compliance. The SSP provides a comprehensive overview of an organization’s IT network, including hardware and software, as well as security processes and policies.
Any NIST 800-171 requirements not met by a DoD contractor should be stated within a Plan of Actions and Milestones (POAM). The POAM sets out key dates and timelines for achieving full compliance and must be submitted before the contract begins. The POAM can be updated as the organization addresses areas of non-compliance and as their cybersecurity practices mature.
Both the SSP and any related NIST 800-171 POAM are vital evidence of compliance required by the DoD and should be uploaded and updated in SPRS.
The importance of NIST 800-171 compliance: “For DoD contractors, the ultimate goal is CMMC certification. And for those defense companies who handle CUI on their networks, accurate and ongoing NIST 800-171 compliance will be the bridge to CMMC success.”
Your NIST 800-171 checklist and best practice
NIST 800-171 compliance is proven through a process of self-assessment. There are 110 controls and requirements that organizations need to meet in order to achieve compliance, which can seem daunting. But there is a clear process to executing a NIST 800-171 assessment.
Here are eight steps for conducting a NIST 800-171 self-assessment:
1. Form an assessment team with input from senior information security stakeholders.
2. Set an assessment plan, including timeframe and objectives.
3. Begin an internal communication campaign to spread awareness of the project.
4. Create a contact list of personnel with relevant responsibilities, such as system administrators and information security specialists.
5. Collect relevant documents, including existing security policies, system records and manuals, previous audit results and logs, admin guidance documents, and system architecture documents.
6. Assess individual controls and requirements in the NIST 800-171 document and record a statement for each.
7. Create a plan of action that outlines how any unmet requirements will be achieved.
8. Include all evidence for compliance into a System Security Plan (SSP) document.
What people get wrong: “If you maintain CUI on your networks, don’t stop at just implementing the NIST 800-171 controls. Gather and organize all the evidence required to obtain and maintain at least CMMC Level 3 certification.”
How to prepare for a NIST Assessment
The assessment team should be assembled with input from both the core leadership team and the executive in charge of cybersecurity policies. Before beginning, an assessment plan should be created which outlines the timeframe, scope, and aims of the project.
Here are five steps to prepare for a NIST assessment:
1. Collect existing security policies and procedures.
2. Establish contact with key information security stakeholders.
3. Set the start and end point of the assessment.
4. Collect relevant material and previous audit results.
5. Communicate the project to all areas of the organization.
The process of assessing each of the 110 controls can be time-consuming and labor-intensive. Finding the right NIST assessment tool to automate elements of the audit should be a key consideration.
Titania Nipper is a tool that helps to streamline the NIST 800-171 compliance audit. It can automate the accurate assessment of 31 core network controls, saving assessors up to three hours per device audit. And for contractors to the Department of Defense, Nipper can also help to assess and evidence 113 SPRS points.
Download the NIST 800-171 Automation Summary to see how Nipper can streamline your NIST 800-171 assessment today.