What is NIST 800-171?

“You can’t hold firewalls and intrusion detection systems accountable. You can only hold people accountable.”

– Daryl White, DOI CIO

What is NIST 800-171?

Executive Order 13556 (2010) created the Controlled Unclassified Information (CUI) program, and NIST published SP 800-171 in 2015 to tell non-federal organizations, including government contractors, how to protect the CUI they receive or create under their contracts. NIST SP 800-171 is a Special Publication that specifies the security requirements for protecting the confidentiality of CUI on non-federal systems.

This is one of a few cybersecurity standards that defense contractors must be familiar with, since compliance with it is required by both DFARS 252.204-7012 (commonly shortened to DFARS 7012) and CMMC. Before we get too far into 800-171, let’s quickly go over what CUI is.

Quick Background About CUI:

Information is CUI only when it falls into one of the categories the government has designated as requiring safeguarding or dissemination controls. For defense contracts the relevant terms, defined in DFARS 252.204-7012, are covered defense information (CDI) and controlled technical information (CTI). CTI is technical information with military or space application that carries a distribution statement under DoDI 5230.24.

The DoD, usually through your contracting officer, is responsible for determining which information is CTI and marking it properly before handing it to the contractor. Likewise, if a contractor develops CTI while performing the contract, it must mark and protect that information the same way and notify the contracting officer so that the necessary paperwork and processes are completed.

NIST 800-171 in Depth:

NIST 800-171 contains 31 basic security requirements and 79 derived security requirements, 110 in total. The basic requirements come from FIPS 200 and the derived requirements from the moderate baseline of NIST SP 800-53, so every requirement can be traced back to one of those two sources. The requirements are grouped into 14 families, and most families need both procedural and technical controls to satisfy them.

The 14 control families are:

  • Access Control: Applies the principle of least privilege to limit system access to authorized users, processes, and devices, and limits those users to the transactions and functions their roles require.
    Basic requirements: 2. Derived requirements: 20. Procedural controls: yes. Technical controls: yes.

  • Awareness and Training: Requires that managers, system administrators, and users be trained on the security risks of their activities and on recognizing and reporting insider threats.
    Basic requirements: 2. Derived requirements: 1. Procedural controls: yes. Technical controls: no.

  • Audit and Accountability: Requires the organization to generate, retain, protect, and review system audit logs so that unauthorized activity can be detected and traced to an individual user.
    Basic requirements: 2. Derived requirements: 7. Procedural controls: yes. Technical controls: yes.

  • Configuration Management: Requires baseline configurations, change control, and least functionality (disabling unneeded ports, protocols, services, and software) across the IT environment.
    Basic requirements: 2. Derived requirements: 7. Procedural controls: yes. Technical controls: yes.

  • Identification and Authentication: Ensures that users, processes, and devices are uniquely identified and authenticated before access is granted. It includes multi-factor authentication for privileged accounts and for network access, meaning a second factor beyond the password, such as a hardware token or a one-time code from an authenticator app on a registered device.
    Basic requirements: 2. Derived requirements: 9. Procedural controls: yes. Technical controls: yes.

  • Incident Response: Requires an operational incident-handling capability (preparation, detection, analysis, containment, recovery) that is tested, with incidents tracked, documented, and reported to the proper authority.
    Basic requirements: 2. Derived requirements: 1. Procedural controls: yes. Technical controls: yes.

  • System and Information Integrity: Covers flaw remediation (timely patching), malicious code protection, and monitoring of systems and communications for attacks and indicators of compromise.
    Basic requirements: 3. Derived requirements: 4. Procedural controls: yes. Technical controls: yes.

  • Maintenance: Requires that system maintenance be performed in a controlled way: maintenance tools and media are checked, equipment is sanitized of CUI before off-site maintenance, remote (nonlocal) maintenance sessions use multi-factor authentication, and maintenance personnel without the required access are supervised.
    Basic requirements: 2. Derived requirements: 4. Procedural controls: yes. Technical controls: yes.

  • Media Protection: Protects CUI on both physical and digital media, including marking, access control, sanitization before disposal or reuse, and encryption of CUI on digital media during transport.
    Basic requirements: 3. Derived requirements: 6. Procedural controls: yes. Technical controls: yes.

  • Personnel Security: Requires that individuals be screened before they are given access to systems containing CUI, and that CUI and systems be protected (access revoked, equipment returned) when personnel are terminated or transferred.
    Basic requirements: 2. Derived requirements: 0. Procedural controls: yes. Technical controls: yes.

  • Physical Protection: Limits physical access to systems, equipment, and facilities to authorized individuals, with visitor escort and monitoring, physical access logs, control of access devices such as keys and badges, and safeguards for CUI at alternate work sites.
    Basic requirements: 2. Derived requirements: 4. Procedural controls: yes. Technical controls: no.

  • Risk Assessment: Requires periodic assessment of the risk to operations and assets from handling CUI, periodic vulnerability scanning of systems and applications, and remediation of the vulnerabilities found.
    Basic requirements: 1. Derived requirements: 2. Procedural controls: yes. Technical controls: yes.

  • Security Assessment: Requires periodic assessment of the security requirements, a plan of action for correcting deficiencies, continuous monitoring of the controls, and a system security plan describing the system boundary, environment, and how each requirement is implemented.
    Basic requirements: 4. Derived requirements: 0. Procedural controls: yes. Technical controls: no.

  • System and Communications Protection: Protects CUI in transit and at rest by monitoring and controlling communications at the system boundary and at key internal boundaries, separating user functionality from system management, and using FIPS-validated cryptography wherever cryptography is used to protect CUI.
    Basic requirements: 2. Derived requirements: 14. Procedural controls: yes. Technical controls: yes.
How does NIST 800-171 relate to DFARS?

NIST 800-171 compliance is mandated by DFARS 252.204-7012, which applies to prime contractors and flows down to any subcontractors that will handle CUI. Following repeated data breaches in the Defense Industrial Base (DIB), the clause required contractors to implement NIST 800-171 no later than December 31, 2017. Organizations were allowed to self-attest to their compliance and to document any gaps in their security posture in a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M).

This allowed organizations to claim adequate security without being fully compliant with NIST 800-171, and some companies took advantage of it and overstated their security posture to the DoD. An audit from 2017 found that only about 60% of DoD contractors were compliant with DFARS 7012, which paved the way for CMMC.

CMMC vs NIST 800-171

NIST 800-171 is the backbone of CMMC: Level 2 of CMMC 2.0 consists of the 110 NIST 800-171 requirements, and Level 3 builds on it. Companies at Level 3 must implement all 110 NIST 800-171 requirements plus a subset of the enhanced requirements from NIST SP 800-172.

CMMC version 1 required every company, at every level, to pass a third-party CMMC assessment to validate its NIST compliance. The new version lets all companies at Level 1, and a subset at Level 2, self-assess annually; the remaining Level 2 companies need an assessment every three years by a certified third-party assessment organization (C3PAO), and Level 3 assessments are led by the government. Furthermore, CMMC 2.0 reinstates Plans of Action and Milestones (POA&Ms), so a company that is not fully compliant at contract award can close the remaining gaps within a set period.

NIST 800-53 vs 800-171

NIST 800-171 vs NIST 800-53 is a common point of confusion for organizations working toward CMMC compliance. NIST SP 800-53 is the full catalog of security and privacy controls for federal information systems under FISMA, and it applies to federal agencies. NIST SP 800-171 is a smaller, tailored set of requirements derived from the 800-53 moderate baseline, and it applies to non-federal organizations, such as contractors, that store, process, or transmit CUI.

Whether you are preparing for an audit or still trying to figure out the difference between NIST 800-171 and 800-53, our team of NIST 800-171 compliance consultants is here to help. Contact us today for a free consultation and find out how our compliance solution can help fulfill 84 of the 110 NIST 800-171 security requirements.

How we can help/next steps:

The DoD’s increasing focus on compliance is forcing businesses to take a more proactive stance. So many contracts are requiring compliance, and yours might be one of them. Contact us for an assessment today – we’ll show you how FirstCall Consulting can help keep things in order with our expertise in NIST 800-171 standards.