NIST 800-171 Compliance
NIST 800-171 Compliance: What does this mean for Federal Contractors?
Contractors that work with the DoD and that have access to, and will handle, controlled unclassified information on their information systems are required to become NIST 800-171 compliant. Although NIST 800-171 compliance was required as of December 31, 2017, many contractors may not be fully compliant or are only now understanding the depth of the requirements.
The government requires NIST 800-171 compliance to protect Federal information not maintained on a government information system. Federal information systems follow NIST 800-53. NIST SP 800-53 provides the security controls and associated assessment procedures, as defined in NIST SP 800-53 Revision 4, Recommended Security Controls for Federal Information Systems and Organizations. Prior to NIST 800-171, there was limited guidance on how non-Federal information systems should be controlled to handle information that was not classified but should be protected.
NIST 800-171 DFARS
The Defense Federal Acquisition Regulations Supplement (DFARS) is the Department of Defense’s (DoD) supplement to the Federal Acquisition Regulations (FAR). The NIST 800-171 DFARS primarily focuses on DoD-wide policy, laws, deviations from FAR requirements, and DoD-specific delegations of FAR requirements. It is overseen by the Defense Acquisition Regulations System (DARS) Office, whose primary mission is to develop and manage the guidelines and rules for acquisition in regard to services for the DoD.
NIST 800-171 Compliance Requirements
The mandate for the NIST Special Publication 800-171 requirement is in DFARS 252.204-7012, which specifically addresses “safeguarding covered defense information and cyber incident reporting”. The scope of this mandate addresses the NIST requirement for Government contractors and subcontractors to establish and maintain safeguards (network security) that protect information that resides on or is transmitted through contractor systems.
NIST 800-171 CUI
Driven by Executive Order 13556 (November 4, 2010), which established a CUI Program, NIST Special Publication 800-171 (Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations) provides the principal guidelines for a government-wide requirement for CUI. Any contractor doing business with the Federal government that handles this type of information is required to demonstrate the security controls and be compliant with the requirements of this publication. A complete list of CUI categories can be found at the National Archives website.
NIST 800-171 Compliance Checklist
If your organization hasn’t reached NIST 800-171 compliance or there are concerns about potential gaps, how do you start? Understanding what is required to meet DFARS 252.204-7012 or NIST 800-171 compliance can be challenging. Our team has developed a checklist towards NIST 800-171 compliance:
1. NIST 800-171 and DoD Contracts
Review any DoD contracts signed after December 31, 2017 to determine if DFARS 252.204-7012 was a requirement.
2. Access to Controlled Unclassified Information (CUI)
Identify if you have or will have access to controlled unclassified information (CUI). CUI is defined as information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified.
Categories of CUI are defined by the National Archives and Records Administration. However, the categories are broad and the span of what could be considered CUI is unclear, meaning that there is a significant amount of information that may be defined as CUI. More information on CUI can be found at https://www.archives.gov/cui/about.
3. Review the Requirements of NIST 800-171 Controls
Review the requirements of NIST 800-171. The publication provides key requirement guidelines for 14 key information security areas. The security requirements in NIST 800-171 consist of
- a basic security requirements section and
- a derived security requirements section.
NIST 800-171 basic security requirements are obtained from FIPS Publication 200. The derived security requirements, which supplement the basic security requirements, are from the security controls in NIST 800-53. The combination of these controls and the mappings in NIST 800-171 are provided to show what is required for nonfederal systems to better manage the security of CUI without imposing the overly rigorous requirements that apply to federal systems. Ultimately, the intent of the control families in NIST 800-171 is to provide the level of security needed to control information for nonfederal systems while removing controls that are necessary for Federal systems but not needed outside of the government. The security families in NIST 800-171 are:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
More information on NIST 800-171 can be found at NIST here: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
4. Evaluate your IT systems
Evaluate your IT systems, network, and applications as you assess how you would receive the information, how the information would be processed, how it would be managed and stored, and how it would be transferred. This will help define the boundaries of what systems would be in scope.
5. NIST 800-171 Gap Analysis
Perform an assessment to evaluate existing NIST 800-171 compliance. An assessment (NIST 800-171 Gap Analysis) can be done internally or by using an external provider. The assessment should include a review of existing policies and business processes, a technical evaluation of systems, applications, and networks to understand vulnerabilities and security controls, and a review of data and assets.
The assessment should look at both risks as well as gaps in compliance. Why is it important to identify risks? Performing an assessment from a risk-based perspective will help you understand how you will manage security controls regardless of system changes to ensure your team understands how to achieve NIST 800-171 compliance long term.
6. NIST 800-171 Documentation – Plan of Action and Milestones
After an assessment is performed, there should be documentation of gaps and how remediation will begin, which is captured in a Plan of Action and Milestones (POAM). The POAM details tasks and milestones for compliance. The POAM is basically a listing of gaps and your plan for remediation with commitments on timeline.
7. NIST 800-171 Documentation – System Security Plan
Additional documentation includes your System Security Plan (SSP), which demonstrates how your organization meets the requirements. The SSP is an evolving plan that provides valuable guidance on how your organization handles cybersecurity. The SSP acts as your roadmap for meeting the requirements as well as any deficiencies and plans to address them. It details system boundaries, system interconnections, and key devices. The SSP should be easily understood, clearly stated, and specific so that each control is documented as implemented, as having a plan for implementation, or as not applicable, with the reason why. The SSP should be updated frequently as a living document depicting your organization’s level of NIST 800-171 compliance and cybersecurity plan.
After you have defined your weaknesses (POAM) and how your organization handles security (SSP) to meet NIST 800-171 compliance, start working on remediation.
9. NIST 800-171 Audit
While not required, we recommend a NIST 800-171 audit to validate compliance and identify any deficiencies during or at least post remediation. Ongoing audits or reviews will help keep your plan updated and help with ongoing NIST 800-171 compliance.
10. NIST Compliance and Incident Reporting
Remember that ongoing compliance is needed, as there is a requirement to rapidly respond to an incident (DFARS 252.204-7012(c), Cyber incident reporting requirement). If there is an incident, you need to evaluate the situation through a thorough review, collect data, and resolve the incident. Incidents must be rapidly reported to DoD at http://dibnet.dod.mil.
NIST SP 800-171 Compliance Consultant
If you need help getting started, it will save time and budget to use a consultant to assist with the initial assessment. ITG is a knowledgeable and experienced consultant in Cybersecurity Compliance and Information Assurance practices, including industry standards such as the International Organization for Standardization’s (ISO) – ISO/IEC 27001:2013 – Information Security Management Systems and NIST cybersecurity requirements, the 800 series, and the Risk Management Framework.
Our team can assist with your assessment and remediation by mapping your existing policies and controls to the NIST 800-171 requirements:
- A compliance mapping to NIST 800-171 detailing weaknesses and conformance (step 5)
- A risk assessment of your processes, systems, and assets against NIST 800-171 specific controls (step 5)
- A POAM detailing tasks and milestones for compliance (step 6)
- A System Security Plan demonstrating how your organization meets the requirements (step 7)
- An audit to validate compliance and identify any deficiencies (step 9)
Need more information about NIST and how to achieve compliance?
Contact us for a free preliminary assessment to understand your gaps and deficiencies related to NIST 800-171 compliance.
What is NIST 800?
NIST 800 is a series of documents that relate to federal government computer security policies, procedures and guidelines. This includes cyber security, system requirements, and information security policies. NIST 800 is often used to reference NIST 800-53 or Special Publication NIST 800-171, which is in response to Executive Order 13556.
When is the DFARS 252.204-7012 required?
It was required to be implemented by December 31, 2017. However, this is a DFARS requirement that is specific to a contract that contains CUI. If your organization has not had access to CUI, then this may be a new requirement. If you are past due in meeting this requirement or have a new contract with this clause, then you will need to start on your path towards NIST 800-171 compliance immediately.
What is NIST 800-171?
NIST 800-171 is the guideline for protecting Controlled Unclassified Information outside of a federal agency or system. NIST 800-171 compliance is mandatory for organizations that hold controlled unclassified information within an internal system or a system in which they maintain control or oversight. This includes email, file sharing, etc. and includes the storage, access, transfer, or governance of information that while not classified, must be controlled due to its sensitivity.
How do I become NIST 800-171 compliant?
NIST 800-171 compliance requires understanding what information is considered to be CUI and identifying the systems as well as the parties that have access to this data. An organization ultimately needs to understand the NIST 800-171 requirements. Our qualified NIST Consultants can show you how to successfully prepare for, and achieve compliance to the NIST Standards, and strategically support your information security goals and objectives.
As practitioners and NIST subject matter experts, our team brings a unique capability of technical understanding, implementation and application practice, and operational management that provides our partners with exceptional support to their mission and Federal customer mandates.
Our team of consultants and information security practitioners comprehend the operational and technological requirements of the latest DFARS 252.204-7012 mandate requiring compliance to NIST Special Publication 800-171 (NIST Standards) for contractors that access and process controlled unclassified information (CUI) or covered defense information (CDI). As a Federal Contractor and valued partner, our team understands the necessity in maintaining information to technical and compliance controls. Our clients look to our Information Security Consultant Services for valued support to their key initiatives in the areas of information security and cyber threat.
What is CUI?
CUI is Controlled Unclassified Information. Executive Order 13556 established the CUI program, which is a system that standardizes and simplifies the way unclassified information should be handled. Information that is not classified but sensitive should be safeguarded through well-defined controls that are consistent with applicable laws, regulations, and government-wide policies to protect the release or dissemination of information from unintended access or use.