The Effect of NIST 800-171A on Government Contractors

November 26, 2018, Mali Yared, Practice Director, Cyber Risk Advisory & Privacy, Coalfire

(Part Three in a Three-part Series)

NIST 800-171A gives contractors a standardized way to perform a more structured and granular assessment against the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 framework.

The Genesis of NIST 800-171A

NIST SP 800-171 is a government standard that has been developed for the protection of Controlled Unclassified Information (CUI) on nonfederal systems. It includes a set of technical, procedural, and administrative security requirements – 110 in total, spread across 14 families (or domains).

The net effect of NIST 800-171A is that it provides additional support and guidance for the federal government contractor as it works toward compliance. It does not introduce an additional layer of compliance steps.

As compliance steps were pursued throughout the federal contractor environment, some ambiguities became apparent. The latitude intentionally given to contractors – to address the NIST 800-171 requirements according to the threat landscape they face and the business environment they operate in – led to confusion and misinterpretation. Several contractors expressed interest in a more templatized and structured approach that would help them take clear steps to demonstrate compliance. NIST, in coordination with the DoD, began work on NIST 800-171A (the ‘A’ stands for ‘assessment’). This publication provides clear ways for the contractor to evaluate its CUI environment and a guided narrative that demonstrates compliance.

The final version of 800-171A was released in Spring 2018. Coalfire issued a blog that explores implementation options here.

NOTE: Just like NIST SP 800-171, NIST 800-171A is just a standard. There is no stipulation or enforcement law behind it. It is a series of guidance steps developed by NIST to help further clarify the intent behind NIST 800-171 and assist the contractor in its maturity toward compliance.

Updated November 26, 2018; originally published March 13, 2018.
