In December 2016, NIST released Special Publication 800-171, Revision 1: Protecting Controlled Unclassified Information in Nonfederal Systems. Since that publication, I have worked with dozens of government contractors to help them understand this publication and determine if and how it applies to their businesses.
This is the first of a three-part series that explains the standard and provides guidance to firms that must comply with it.
In the past, various government agencies and their contractors have referred to special categories of data requiring increased protection as proprietary, confidential, sensitive and so on. Now, under NIST 800-171, it all falls under one terminology: Controlled Unclassified Information, or CUI. NIST 800-171 addresses the protection of CUI as it travels through non-government environments.
NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, specifies the security requirements that must be satisfied to ensure the confidentiality of CUI.
Does NIST 800-171 Apply to Me?
Below are some points of consideration to help you decide whether NIST 800-171 applies to you or not:
- Are you a prime or sub-contractor of a government agency?
- Are you unsure if you have CUI information flowing through your environment?
- You have a good idea of what the CUI data in your environment is; but do your contracts state that you have CUI data?
- Do your contracts state that you need to be compliant with the NIST 800-171? Or were you given the mandate for compliance via email or communication other than the contract you are under with the government or the prime?
The individual, or combined, responses to the above questions determine whether you should take steps to be NIST SP 800-171 compliant. If you are unsure, a qualified expert from our team can help you arrive at the right decision.
Commonalities with Other Security Frameworks
Now that we have established what NIST 800-171 is, let’s explore what the key areas of interest may be for security professionals and IT directors.
- NIST 800-171, just like other risk assessment frameworks such as ISO, HITRUST, and FEDRAMP, has domains such as Access Control, Configuration Management, Training, Systems Integrity, and so on. Unlike the others, NIST 800-171 has a reduced number of domains – there are 14 of them and the requirements under these domains are 110 in total – a lot less when compared to other frameworks.
- The tenor of these requirements is high level and allows the contractor to translate and apply them as it fits their business requirements and contractual obligations.
- The regulation has mandatory documentation requirements that ask for an increased level of effort, for example, the development of a System Security Plan (SSP) and the Plan of Action and Milestone (POA&M).
- There are technical requirements typically related to the demarcation and protection of the CUI boundary, capabilities around such domains as Identification and Authentication and Audit Logging and Monitoring domains.
If you are looking for help in understanding 800-171 and how it might affect you, Coalfire has a wide range of services that might help:
- NIST SP 800-171 Environmental Readiness Check: This is a ‘set the stage’ or ‘early stage’ service we provide to clients that may not be ready for a Gap Analysis.
- NIST SP 800-171 Gap Analysis: Coalfire’s Gap Analysis service consists of a series of activities geared toward gathering and assimilating information on the client’s business and operational environment, its threat and vulnerability landscape, and where the client is in its security program maturity in comparison to its peers.
- NIST SP 800-171 Gap Remediation: During this stage, we offer to help the organization in the remediation of the gaps identified during the Gap Analysis phase. Our Gap Remediation offering is mature and extensive in coverage. It is broken down into two types of services – documentation and technical implementation services.
- During Documentation preparation, we can assist in the preparation of the System Security Plan, the Plan of Action and Milestones, the Incident Response Plan, or other associated processes and procedures.
- During Technical Implementation, activities are typically delivered in collaboration with our Cyber Engineering team and can be tailored to the customer’s budget. Our template allows the customer to prioritize according to level of effort to implement the solution and the impact if gap remediation does not take place.
- NIST SP 800-171 Gap Assessment: The nature of the work we do in Gap Assessment is similar to what we do during Gap Analysis. The difference is in the level of scrutiny with which each requirement is reviewed. We also verify whether the response given is factual and take steps to validate that it meets industry standards. Gap Assessments include significant levels of verification and validation.