NIST 800 Consulting – Special Publication 800-171

At ITG Consulting Services, our team of NIST consultants and information security practitioners understands the operational and technological requirements of the latest DFARS 252.204-7012 mandate, which requires compliance with NIST Special Publication 800-171 (NIST Standards) for contractors that access and process controlled unclassified information (CUI) or covered defense information (CDI). As a Federal Contractor and valued partner, our team understands the necessity of maintaining information in accordance with technical and compliance controls. Our clients look to our Information Security Consultant Services for valued support to their key initiatives in the areas of information security and cyber threat.

The Defense Federal Acquisition Regulations Supplement (DFARS) is the Department of Defense’s (DoD) supplement to the Federal Acquisition Regulations (FAR). The DFARS primarily focuses on DoD-wide policy, laws, deviations from FAR requirements, and DoD-specific delegations of FAR requirements. It is overseen by the Defense Acquisition Regulations System (DARS) Office, whose primary mission is to develop and manage the guidelines and rules for the acquisition of services for the DoD.

NIST Standards Requirements

The mandate for the NIST Special Publication 800-171 requirement is in DFARS 252.204-7012, which specifically addresses “safeguarding covered defense information and cyber incident reporting”. The mandate requires Government contractors and subcontractors to establish and maintain safeguards (network security) that protect information that resides in or is transmitted through contractor systems.

Driven by Executive Order 13556 (November 4, 2010), which established a CUI Program, the NIST Special Publication 800-171 (Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations) provides the principal guidelines for a government-wide requirement for CUI.

NIST Security Areas

The publication provides requirement guidelines for 14 key information security areas within the NIST Standards:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Any contractor doing business with the Federal government that handles this type of information is required to demonstrate the security controls and be compliant with the requirements of this publication. A complete list of CUI categories can be found at the National Archives website.

ITG is knowledgeable and experienced in Information Security and Information Assurance practices and Information Security Consultant Services, including industry quality standards such as the International Organization for Standardization’s (ISO) – ISO/IEC 27001:2013 – Information Security Management Systems. Our team is familiar with the requirements of the NIST 800-171 publication, as well as the requirements and application of information systems and security control practices.

As practitioners and NIST consultant experts, our team brings a unique combination of technical understanding, implementation and application practice, and operational management that provides our partners with exceptional support to their mission and Federal customer mandates.

NIST Consulting Services

Understanding what is required to meet DFARS 252.204-7012 or NIST 800-171 Standards compliance can be challenging. Our team will assist with mapping your policies and controls to the NIST 800-171 requirements to provide:

  • A compliance matrix mapping ISO 27001 and NIST 800-171
  • A risk assessment against NIST 800-171
  • A POAM detailing tasks and milestones for compliance
  • A System Security Plan demonstrating how your organization meets the requirements
  • An audit to validate compliance and identify any deficiencies




What is NIST 800?

NIST 800 is a series of documents that relate to the federal government's computer security policies, procedures and guidelines. This includes cyber security, system requirements, and information security policies. "NIST 800" is often used to refer to NIST 800-53 or Special Publication NIST 800-171, which is in response to Executive Order 13556.

When must the requirements in DFARS clause 252.204-7012 be implemented?

They were required to be implemented by December 31, 2017. However, this is a DFARS requirement that is specific to a contract that contains CUI. If your organization has not had access to CUI, then this may be a new requirement. If you are past due in meeting this requirement or have a new contract with this clause, then you will need to implement NIST 800-171. We recommend understanding how your organization meets this clause prior to it becoming a requirement.

What is NIST 800-171?

NIST 800-171 is the guideline for protecting Controlled Unclassified Information outside of a federal agency or system. NIST 800-171 must be implemented by organizations that hold controlled unclassified information within an internal system or a system over which they maintain control or oversight. This includes email, file sharing, etc., and covers the storage, access, transfer, or governance of information that, while not classified, must be controlled due to its sensitivity.

How do I become NIST compliant?

In order to become NIST compliant, you need to understand what information is considered to be CUI and identify the systems as well as the parties that have access to this data. An organization ultimately needs to understand the NIST 800-171 requirements. Our qualified NIST Consultants can show you how to successfully prepare for and achieve compliance with the NIST Standards, and strategically support your information security goals and objectives.

Contact us to understand your gaps and deficiencies related to NIST 800-171

What is CUI?

CUI is Controlled Unclassified Information. Executive Order 13556 established the CUI program, which is a system that standardizes and simplifies the way unclassified information should be handled. Information that is not classified but is sensitive should be safeguarded through well-defined controls that are consistent with applicable laws, regulations, and government-wide policies to protect the release or dissemination of information from unintended access or use.