(Part Three in a Three-part Series)
NIST 800-171A provides a standardized way to perform a more structured and granular assessment against the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 framework.
The Genesis of NIST 800-171A
NIST SP 800-171 is a government standard that has been developed for the protection of Controlled Unclassified Information (CUI) on nonfederal systems. It includes a set of technical, procedural, and administrative security requirements – 110 in total, spread across 14 families (or domains).
The net effect of NIST 800-171A is that it provides additional support and guidance for the federal government contractor as it works toward compliance. It does not introduce an additional layer of compliance steps.
As compliance steps were pursued throughout the federal contractor environment, some ambiguities were perceived. The intentional latitude given to contractors – to address the NIST 800-171 requirements according to the threat landscape they face and the business environment they operate in – led to confusion and misinterpretation. Several contractors expressed an interest in a more templatized and structured approach that would help them take clear steps to show compliance. NIST, in coordination with the DoD, started working on NIST 800-171A (the ‘A’ stands for ‘assessment’). This publication provides clear ways in which the contractor can evaluate its CUI environment and a guided narrative that shows proof of compliance.
The final version of 800-171A was released in Spring 2018. Coalfire issued a blog that explores implementation options here.
NOTE: Just like NIST SP 800-171, NIST 800-171A is only a standard. There is no law stipulating or enforcing it. It is a series of guidance steps developed by NIST to further clarify the intent behind NIST 800-171 and assist the contractor as it matures toward compliance.
Updated November 26, 2018; originally published March 13, 2018.