Everything You Need to Know About NIST 800-171
Improving record keeping and data handling is critical to keeping the trust of partners, vendors, contractors, and customers. The importance is magnified when the federal government is involved, with the goal of creating a national culture of cybersecurity that protects the information of our businesses, citizens, and government.
The National Institute of Standards and Technology (NIST) created Special Publication 800-171 to help protect Controlled Unclassified Information.
But what does that actually look like? How will you know you’re meeting the standards laid out in NIST 800-171? What is CUI?
What is Controlled Unclassified Information (CUI)?
Before we go into NIST 800-171, we should discuss exactly what constitutes Controlled Unclassified Information, or CUI. Simply put, CUI is information that is sensitive and relevant to the interests of the United States, but not strictly regulated by the Federal government.
According to the National Archives and Records Administration, the Executive Agent charged with creating and implementing standards for unclassified data and overseeing agency compliance, CUI is considered any potentially sensitive, unclassified data that requires controls in place which define its proper safeguarding or dissemination. It must be “consistent with applicable law, regulations and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act.”
Each agency must create a public registry of CUI categories and subcategories for handling all sensitive, unclassified information and defining why it is considered CUI. For instance, the “Financial” category includes the subcategories of bank secrecy, budgets, contractor registration, electronic funds transfers and mergers. All items in this category are related to the duties of financial institutions and U.S. fiscal functions. Patent-related CUI can cover applications, inventions and security orders, and defining the process of why patents are granted and some information is protected.
What is NIST 800-171?
NIST 800-171 refers to National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. It is essentially a set of standards that define how to safeguard and distribute material deemed sensitive but not classified.
NIST 800-171 was developed after FISMA (Federal Information Security Management Act) was passed in 2003, resulting in several security standards and guidelines. It was created in part to improve cybersecurity, especially after numerous well-documented breaches in the last few years, including USPS (U.S. Postal Service) and NOAA (National Oceanic and Atmospheric Administration). The primary reason, according to the National Institute of Standards and Technology, is “a national imperative” to make sure unclassified information that isn’t part of federal information systems and organizations is properly protected and consistent. Doing so helps the federal government “successfully carry out its designated missions and business operations.”
For certain government agencies, most notably the DoD (Department of Defense), GSA (General Services Administration) and NASA (National Aeronautics and Space Administration), a revised set of rules for NIST compliances took effect on December 31, 2017, requiring anyone who works with CUI from those agencies to implement specific security measures for how they handle data and report non-compliance to the agencies CIO. Under federal regulations, such as DFARS clause 252.204-7012, every affected company and agency is now required to assess and document their compliance in handling this info in more than a dozen areas, from the way their networks are configured, to the way any and all media is protected, to the way employees receive access to the NIST 800-171 standard.
Prior to these requirements, every agency had a unique set of rules for data handling, safeguarding and disposing of this material. These inconsistent standards posed a challenge - and a potential security concern - when information needed to be shared, especially when multiple contractors become part of the process.
Compliance with NIST 800-171
These new standards must be met by anyone who processes, stores or transmits this type of potentially sensitive information (CUI) for the DoD, GSA or NASA and other federal or state agencies. This includes contractual agency relationships. Achieving NIST 800-171 compliance may require diving deep into your networks and procedures to make sure appropriate security procedures are properly addressed. Failure to comply could affect any dealings with these agencies, including severances of contracts. If you missed the deadline, you could be at risk of losing contracts or damaging relationships.
The process for becoming compliant with the standards set out in NIST 800-171 may take a significant amount of time to implement (6-8 months), but there are some cybersecurity practices you can put in place right away to protect your business and your data.
The 14 Points of NIST 800-171
Contractors who need access to CUI must implement and verify compliance and create security protocols for 14 key areas. This list is provided from our security partner, Foresite:
- Access Control: Who is authorized to view this data?
- Awareness and Training: Are people properly instructed in how to treat this info?
- Audit and Accountability: Are records kept of authorized and unauthorized access? Can violators be identified?
- Configuration Management: How are your networks and safety protocols built and documented?
- Identification and Authentication: What users are approved to access CUI and how are they verified prior to granting them access?
- Incident Response: What’s the process if a breach or security threat occurs, including proper notification.
- Maintenance: What timeline exists for routine maintenance, and who is responsible?
- Media Protection: How are electronic and hard copy records and backups safely stored? Who has access?
- Physical Protection: Who has access to systems, equipment and storage environments?
- Personnel Security: How are employees screened prior to granting them access to CUI?
- Risk Assessment: Are defenses tested in simulations? Are operations or individuals verified regularly?
- Security Assessment: Are processes and procedures still effective? Are improvements needed?
- System and Communications Protection: Is information regularly monitored and controlled at key internal and external transmission points?
- System and Information Integrity: How quickly are possible threats detected, identified and corrected?
We’ve studied the ins and outs of this federal mandate, and we’re eager to help companies who are behind the curve achieve compliance, answering questions such as:
- What potential vulnerabilities exist?
- How can these gaps be closed?
- What kind of training is still needed for managers, employees and clients?
- How to continue to be compliant?
Don't wait to get started. It can take months to become fully compliant - not to mention providing your partners and contractors the peace of mind knowing that their information is safe with you. Start with a solid baseline of knowing where you stand and what your company's cybersecurity practices currently are. For some best practices you can start to implement today, download the guide: 10 Simple Things You Can Do to Improve Your Company's Cybersecurity Posture.