Federal contractors have no doubt heard about NIST 800-171. As Dark Cubed tells us, the certification deals with ensuring that controlled unclassified information (CUI) doesn’t fall into the wrong hands. The Department of Defense defines CUI as information that is relevant and sensitive to the government of the United States, yet not strictly classified. NIST 800-171 was initially designed to safeguard this information from malicious actors who could use this data to gain an advantage over the United States. Here, we’ll look at what NIST 800-171 is and how an organization can seek to meet this standard’s requirements.
What Exactly Is the NIST 800-171?
In 2003, the United States Government passed the Federal Information Security Management Act (FISMA). Under FISMA, NIST 800-171 was developed to ensure that cybersecurity practices among defense contractors and other federal agencies met a certain standard. Prior to FISMA, several well-publicized breaches alerted the administration that its cybersecurity health wasn’t the best. As a result, FISMA outlined a few guidelines to create a “culture of cybersecurity” among these contractors and governmental agencies. NIST itself states that the standard aims to ensure that unclassified data in governmental repositories is both safe and consistent across all of its iterations.
Several governmental agencies, among them the DOD, NASA, and the GSA, implemented a revised set of rules for NIST 800-171 in December of 2017. Any contractor that works with CUI from those agencies is required to demonstrate compliance with the standard. The guidelines included an overhaul of how these companies handle CUI and the procedure they must use to report potential or confirmed breaches. The policies are robust, dealing with all the details of a company’s data system, ranging from network configuration to how employees receive and utilize CUI data.
Seeking Compliance With the NIST 800-171
NIST 800-171 has fourteen significant points that companies that want to comply with the standard need to observe. These are:
- System Information Integrity: how fast threats to the network or individual systems are recognized and dealt with
- System and Communications Protection: Data should be monitored at critical locations both inside the company and once it leaves
- Security Assessment: Businesses need to assess the level of their security and whether the procedures they have previously implemented are still valid
- Risk Assessment: Businesses need to perform simulated attacks and penetration testing to ensure their systems don’t introduce or harbor unnecessary risk
- Personnel Security: Contractors are screened on how they allow access to the CUI and the qualification that employees must have to access the data
- Physical Protection: The physical defenses of the site where the CUI is stored must be assessed and recorded as being compliant with the standards
- Media Protection: CUI data must be stored on secure backups, which may be kept off-site in another secure facility. Access to these records is also examined to ensure that no unauthorized personnel can get them
- Maintenance: Companies need to outline the routine maintenance of their locations and which personnel have access for the duration of that maintenance
- Incident Response: The response that the contractor has to any potential breach or suggestion of a breach
- Identification and Authentication: The process the business uses to qualify employees to use the CUI data is examined, including verification before access
- Configuration Management: The business’s network configuration and security protocols are scrutinized to ensure that they meet agency expectations
- Audits and Accountability: This process identifies what records are kept of access, both authorized and unauthorized, and whether unauthorized access can be tracked
- Awareness and Training: In keeping with the NIST’s aim to ensure a “culture of security,” employees are to be trained to follow security protocol at all times
- Access Control: The business should have something in place to limit access to the CUI data.
Contractors and other companies that want to qualify under the NIST 800-171 standard need to follow these guidelines to a certain level of competence. Businesses that work with the Department of Defense have a separate certification known as the CMMC, which is based heavily on the NIST 800-171 standard. If you’re interested in meeting the measures proposed in either of these, you should contact Sync Resource today. With years of experience in cybersecurity training, we can offer you a unique road to reaching NIST 800-171 compliance.