NIST 800-171 Compliance for Federal Contractors

NIST 800-171 Compliance: What does this mean for Federal Contractors?

Contractors that work with the Department of Defense (DoD) and have access to Controlled Unclassified Information (CUI) or will handle CUI on their information systems are required to become compliant with the NIST Special Publication 800-171 standard. For those who are not familiar with CUI, it is a federal data classification that requires safeguarding but is not considered classified. A complete list of CUI categories can be found at the National Archives website.

For organizations interested in learning more about NIST 800-171 compliance, or looking for help in addressing concerns, ITG can help.

ITG is a knowledgeable and experienced consultant in cybersecurity compliance and information assurance practices, including industry standards such as ISO/IEC 27001:2013 (Information Security Management Systems) from the International Organization for Standardization (ISO), the NIST 800-series cybersecurity requirements, and the Risk Management Framework.

Although NIST 800-171 compliance was required as of December 31, 2017, many contractors may not be fully compliant, or are only now, with the introduction of the Cybersecurity Maturity Model Certification (CMMC), understanding the scope and depth of the requirements.

Our team can assist with your assessment and remediation by mapping your existing policies and controls to evaluate compliance with NIST 800-171 requirements:

  • A compliance mapping to NIST 800-171 detailing weaknesses and conformance
  • A risk assessment of your processes, systems, and assets against NIST 800-171 specific controls
  • A Plan of Action and Milestones (POAM) detailing tasks and milestones for compliance
  • A System Security Plan (SSP) demonstrating how your organization meets the requirements
  • An audit to validate compliance and identify any deficiencies

Contact us for a free preliminary assessment to understand your gaps and deficiencies related to NIST 800-171 compliance.

NIST 800-171 Compliance Checklist

If your organization hasn’t reached NIST 800-171 compliance, or there are concerns about potential gaps, how do you start? Understanding what is required to meet DFARS 252.204-7012 or NIST 800-171 compliance can be challenging. Our team has developed a checklist for working towards NIST 800-171 compliance:

1. Check NIST 800-171 and DoD Contracts

Review any DoD contracts signed after December 31, 2017, to determine if DFARS 252.204-7012 was a requirement.

2. Access to Controlled Unclassified Information (CUI)

Identify if you have or will have access to Controlled Unclassified Information (CUI). As defined above, CUI is information that requires safeguarding but is not considered classified.

Categories of CUI are defined by the National Archives and Records Administration. However, the categories are broad and the boundary of what could be considered CUI is unclear, meaning that a significant amount of information may fall under the CUI definition. More information on CUI can be found at the following page: National Archives CUI.

3. Review the Requirements of NIST 800-171 Controls

Review the requirements of NIST 800-171. The publication provides requirement guidelines for 14 key information security areas, or “control families.” The 14 control families that make up NIST 800-171 are:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Each control family is then broken down into one or more basic security requirements and multiple derived security requirements. The NIST 800-171 basic security requirements are mapped from Federal Information Processing Standards (FIPS) Publication 200. The derived security requirements, which supplement the basic security requirements, are drawn from the security controls in NIST 800-53.

The combination of these controls and the mappings in NIST 800-171 is provided to show what nonfederal systems need in order to better manage the security of CUI, without imposing the more rigorous requirements that apply to federal systems. Ultimately, the intent of the control families in NIST 800-171 is to provide the level of security needed to protect CUI on nonfederal systems while removing controls that are necessary for federal systems but not needed outside of the government.

More information on NIST 800-171 can be found here: NIST Special Publication

4. Evaluate your IT systems

Evaluate your IT systems, networks, and applications as you assess how you would receive the information, how the information would be processed, how it would be accessed, managed, and stored, and how it would be transferred. This will help define the boundaries of what systems would be in scope.

5. Perform a NIST 800-171 Gap Analysis

Perform an assessment to evaluate existing NIST 800-171 compliance. An assessment (NIST 800-171 Gap Analysis) can be done internally or by using an external provider. The assessment should include:

  • a review of existing policies and business processes,
  • a technical evaluation of systems, applications, and networks to understand vulnerabilities and security controls, and
  • a review of data and assets.

The assessment should look at both risks and gaps in compliance. Why is it important to identify risks? Performing the assessment from a risk-based perspective helps you understand how you will manage security controls regardless of future system changes, so that your team knows how to maintain NIST 800-171 compliance over the long term.

6. Document Gaps and Create a Plan of Action and Milestones (NIST 800-171 Documentation)

After an assessment is performed, there should be documentation of gaps and how remediation will begin, which is captured in a Plan of Action and Milestones (POAM). The POAM details tasks and milestones for compliance (basically a listing of gaps and your plan for remediation with commitments on a timeline).

7. Develop a System Security Plan (NIST 800-171 Documentation)

Additional documentation includes your System Security Plan (SSP), which documents how your organization meets the cybersecurity requirements. The SSP is an evolving plan that acts as your roadmap for meeting the requirements as well as any deficiencies and plans to address them. It details system boundaries, system interconnections, and key devices.

The SSP should be easily understood, clearly stated, and specific so that each control is defined as implemented, has a plan for implementation, or is identified as not applicable. The SSP should be updated frequently as a living document depicting your organization’s level of NIST 800-171 compliance and cybersecurity plan.

8. Undertake Remediation

After you have defined your weaknesses (POAM) and how your organization handles security (SSP) to meet NIST 800-171 compliance, start working on remediation. Update both your POAM and SSP periodically at key status points throughout the effort.

9. Consider a NIST 800-171 Audit

While not required, we recommend a NIST 800-171 audit to validate compliance and identify any deficiencies during your remediation efforts or at least post-remediation. Ongoing audits or reviews will help keep your plan updated and help with ongoing NIST 800-171 compliance.

10. Keep up with NIST Compliance and Incident Reporting

Remember that ongoing compliance is needed, as there is a requirement to rapidly respond to an incident. If there is an incident, you need to evaluate the situation through a thorough review, collect data, and resolve the incident. Incidents must be reported to DoD without delay.

Need more information about NIST and how to achieve compliance?

Contact us for a free preliminary assessment to understand your gaps and deficiencies related to NIST 800-171 compliance.

What is NIST 800?

NIST 800 is a series of documents that relate to federal government computer security policies, procedures, and guidelines. This includes cyber security, system requirements, and information security policies. NIST 800 is often used to refer to NIST 800-53 or NIST Special Publication 800-171, the latter of which was written in response to Executive Order 13556.

What is NIST 800-171?

NIST 800-171 is the guideline for protecting Controlled Unclassified Information outside of a federal agency or system. NIST 800-171 compliance is mandatory for organizations that hold controlled unclassified information within an internal system or a system over which they maintain control or oversight. This includes email, file sharing, and similar systems, and covers the storage, access, transfer, or governance of information that, while not classified, must be controlled due to its sensitivity.

What is CUI?

CUI is Controlled Unclassified Information. Executive Order 13556 established the CUI program, a system that standardizes and simplifies the way unclassified information should be handled. Information that is not classified but is sensitive should be safeguarded through well-defined controls, consistent with applicable laws, regulations, and government-wide policies, that protect it from unintended release, dissemination, access, or use.

How do I become NIST 800-171 compliant?

NIST 800-171 compliance requires an understanding of what information is considered to be CUI, and identification of the systems and parties that have access to this data. An organization ultimately needs to understand the NIST 800-171 requirements. Our qualified NIST consultants can show you how to successfully prepare for and achieve compliance with the NIST Standards, and strategically support your information security goals and objectives.

As practitioners and NIST subject matter experts, our team brings a unique combination of technical understanding, implementation and application practice, and operational management that provides our partners with exceptional support for their mission and Federal customer mandates.

Our team of consultants and information security practitioners understand the operational and technological requirements of the latest DFARS 252.204-7012 mandate, which requires compliance with NIST Special Publication 800-171 (NIST Standards) for contractors that access and process controlled unclassified information (CUI) or covered defense information (CDI). As a Federal Contractor ourselves, our team understands the necessity of maintaining information in accordance with technical and compliance controls. Our clients look to our Information Security Consultant Services for valued support of their key initiatives in the areas of information security and cyber threats.

When is the DFARS 252.204-7012 required?

The NIST 800-171 requirements were required to be implemented by December 31, 2017. However, this is a DFARS requirement that is specific to contracts that involve CUI. If your organization has not had access to CUI, then this may be a new requirement. If you are past due in meeting this requirement or have a new contract with this clause, then you will need to start on your path towards NIST 800-171 compliance immediately.