What is NIST SP 800-171?
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Commerce Department, responsible for conducting research and establishing standards across all federal agencies.
One of NIST’s roles is to create Special Publication 800-series which encompasses its research, guidelines, and outreach efforts in information systems security and privacy as well as its collaborative activities with industry, government, and academic organizations.
This particular special publication, NIST SP 800-171, also known as DFARS (Defense Federal Acquisition Regulation Supplement), provides agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when the information is resident in nonfederal systems and organizations.
CUI is information that is unclassified and not strictly regulated by the federal government but is sensitive and therefore must be protected.
These requirements extend to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components. The implementation of 800-171 is also required for defense contractors in order to demonstrate their provision of adequate security to protect the covered defense information included in their defense contracts. In addition, if a manufacturer is part of a DoD (Department of Defense), General Services Administration (GSA), NASA or other federal or state agencies’ supply chain, they must implement NIST SP 800-171.
The requirements were formed through a combination of FIPS 200 and the moderate security control baseline in NIST SP 800-53 and are based on the CUI regulation 32 CFR 2002. With time, the requirements and controls have been proven to provide the necessary protection for federal information and systems that are covered under FISMA. The latest revision is 01/28/21: SP 800-171 Rev. 2.
NIST SP 800-171 contains 110 security controls across the following 14 categories, and covers both administrative and technical categories:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
What are the requirements for NIST 800-171?
Manufacturers that want to retain their DoD, GSA, NASA and other federal and state agency contracts must ensure that they meet the requirements of NIST SP 800-171.
In order to be fully compliant, a company must:
- Assess and implement all 110 controls
- Create a system security plan (SSP) describing how the security requirements are met
- Include plans of action and milestones (POA&M) on how you will meet those controls that aren’t implemented *
*Compliance can also be reached through implementing alternative security measures equal to that of a requirement that you are unable to fully complete.
800-171 has a supplement called NIST SP 800-172, which includes enhanced security requirements for protecting CUI.
Why should you be NIST 800-171 compliant?
Data breaches are on the rise across all industries, with cybercriminals taking advantage of poor cybersecurity practices, improper configuration, lack of encryption and other vulnerabilities. The federal government, in particular, is increasingly targeted by cybercriminals.
NIST 800-171 provides a standardized set of guidelines for protecting CUI in any situation. Every government agency and non-government organization that handles CUI can now follow these clear guidelines. Having a consistent framework significantly lowers the risk of a breach and protects the confidentiality of this data.
Compliance with NIST SP 800-171 is currently mandatory for some Department of Defense contracts.
Federal agencies and contracting offices have the right to request submission of your SSP and the associated POA&Ms for any planned implementations or mitigations to determine if the plans demonstrate your organization’s implementation or planned implementation of the security requirements. Based on that, they can consider whether it is advisable to pursue an agreement or contract with your organization.
If you want to remain a DoD contractor, you need to follow NIST 800-171’s best practices. If you fail to follow these regulations, you’ll see an impact on your existing and potential new contracts as other compliant contractors take your place. The NIST 800-171 is also a prerequisite to comply with the DoD CMMC standard.
The risks of not adopting these practices include data breaches, exposing CUI and losing your DoD contracts. Non-compliance could result in immediate contract termination which is something no contractor wants to risk because losing a contract may mean the end of your business. Even worse, if a contractor falsely claims to be compliant with 800-171, they may be charged with criminal fraud as they are misrepresenting facts. It can also result in damaged relationships with the federal agencies.
How to achieve compliance?
It can take months to become fully compliant with 800-171 and the Centraleyes platform helps to ensure that it won’t be dragged out any longer than necessary.
Centraleyes delivers a streamlined, automated questionnaire, prioritized remediation guidance and real-time customized scoring to meet the NIST SP 800-171 requirements. The platform has mapped NIST SP 800-171 back to its control inventory, allowing data to be shared across multiple frameworks throughout the platform. With the Centraleyes platform organizations can gain full visibility to their cyber risk levels and compliance.
Centraleyes provides a direct mapping of the CUI security requirements to the NIST Cybersecurity Framework (CSF), NIST SP 800-53, and ISO 27001 security controls.
With Centraleyes, you can ease compliance management and advance cyber risk readiness in all public sector organizations, empower your organization with customized cyber risk and compliance scoring that is always up to date, pull information from various collection and analysis platforms to provide one single view of your compliance, and much much more
If you are manually trying to meet the DoD’s requirement to identify, implement, assess and manage cyber security capabilities and services, Centraleyes is a perfect fit for you.
Protecting Controlled Unclassified Information in Nonfederal Systems
