What Is NIST 800-171? What Do I Need To Do? How Is It Tied To CMMC?
Editor's note: This article was originally published in August 2019, but has been completely updated and revamped for accuracy and comprehensiveness.
Protecting data is vital for all organizations, including the federal government.
Companies that work with the government are required to meet standards and guidelines to ensure that data and records are protected. In some cases, that information may be categorized as secret, top-secret or classified. But there is sensitive information that doesn’t fall into those categories.
NIST 800-171 provides a framework for protecting controlled unclassified information (CUI).
I’ve worked in IT for 8 years. In this article, I'll explain NIST 800-171, whether it applies to your organization, what you need to do, and how it ties to the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) standards.
In my role at Kelser Corporation, a managed IT support provider, I've heard people say, “I know I have to be compliant, but I’m not sure what that means.”
In this article, we’ll walk through it together.
What Is NIST 800-171?
In 2003, FISMA (the Federal Information Security Management Act) was enacted. Shortly after, the National Institute of Standards and Technology (NIST) created Special Publication 800-171 to provide a framework for protecting CUI.
What Is CUI?
CUI is unclassified information that is created or possessed by the U.S. Government or an entity on behalf of the Government that, being relevant to the interests of the United States, requires safeguarding from unauthorized disclosure.
Examples include design diagrams or technical drawings for parts to be made specifically for products to be provided to the federal government or personally identifiable information (PII) used in the performance of federal government contracts.
For certain government agencies, most notably the DoD, GSA (General Services Administration), and NASA (National Aeronautics and Space Administration), a revised set of rules for NIST compliance took effect in 2017.
Prior to this, every agency had its own unique set of rules for data handling, safeguarding, and disposal. These inconsistent standards posed a challenge - and a potential security concern - when information needed to be shared, especially when multiple contractors became part of the process.
Do I Need To Comply?
The standards outlined in NIST 800-171 must be met by anyone who processes, stores or transmits CUI for the DoD, GSA or NASA, and other federal or state agencies, including subcontractors.
What Happens If I Don’t Comply?
Failure to comply could affect your ability to work with these agencies, including the termination of contracts and damaged business relationships.
What Do I Need To Do?
The process for becoming compliant with the NIST 800-171 standards may take a significant amount of time to implement (at least 6 months), but given the cost of non-compliance, it is well worth the effort.
Achieving NIST 800-171 compliance may require diving deep into your networks and procedures to ensure appropriate protections are in place. (This is in addition to the layers of general cybersecurity protection your organization has in place.)
Contractors who need access to CUI must create and implement security protocols, and verify compliance, in 14 key areas:
1. Access Control
Who is authorized to access this data, and what permissions (read-only, read and write, etc.) do they have?
2. Awareness and Training
Are users properly trained, for their roles, in how to secure this data and the systems it resides on?
3. Audit and Accountability
Are accurate records of system and data access and activity kept and monitored? Can violators be positively identified?
4. Configuration Management
How are your systems standardized? How are changes monitored, approved, and documented?
5. Identification and Authentication
How are users positively identified prior to obtaining access to this information?
6. Incident Response
What processes are followed when security events, threats, or breaches are suspected or identified?
7. Maintenance
How is this information secured and protected against unauthorized access during maintenance activities?
8. Media Protection
How are electronic and hard copy records and backups stored securely?
9. Physical Protection
How is unauthorized physical access to systems, equipment, and storage prevented?
10. Personnel Security
How are individuals screened prior to granting them access to CUI?
11. Risk Assessment
How are business risks and system vulnerabilities associated with handling this information identified, tracked, and mitigated?
12. Security Assessment
How effective are current security standards and processes? What improvements are needed?
13. System and Communications Protection
How is information protected and controlled at key internal and external transmission points?
14. System and Information Integrity
How is this information protected against such threats as software flaws, malware, and unauthorized access?
What Is CMMC And How Does It Connect To NIST 800-171?
NIST 800-171 provides a set of standards for protecting and distributing sensitive CUI material and tracks progress toward implementing cybersecurity measures and processes.
Cybersecurity Maturity Model Certification (CMMC) is the next step in compliance requirements for defense contractors and subcontractors.
It is designed to provide increased assurance that U.S. Defense Industrial Base (DIB) organizations are meeting these requirements for protection of CUI and federal contract information (FCI).
What Is FCI?
FCI is information provided by or generated for the U.S. Government under contract that has not been or is not intended for public release.
The Department of Defense (DoD) introduced CMMC in 2019, followed by CMMC 1.0 in early 2020. A new version known as CMMC 2.0 is expected to begin showing up in contracts as early as May 2023.
What Does CMMC Require?
CMMC requires self-assessments or third-party assessments of government contractors and subcontractors to determine their level of compliance with the requirements outlined in CMMC.
Your organization’s ability to meet foundational (Level 1), advanced (Level 2), or expert (Level 3) standards associated with CMMC 2.0 will determine your eligibility to compete for various government contracts.
Organizations will be required to self-assess and self-attest annually for Level 1 certification.
An external, third-party assessment every three years will determine if an organization can be certified for CMMC Level 2 or 3.
A failed CMMC assessment could potentially lead to lost contracts, loss of revenue, and even business closure.
What’s Next?
After reading this article, you have a full understanding of NIST 800-171. You know what it is, what you need to do, what happens if you don’t comply, the 14 key areas, and how it ties to CMMC.
As a next step, ask yourself the following questions:
- What potential vulnerabilities exist?
- How can these gaps be closed?
- What kind of training is still needed for managers, employees, and clients?
- How can your organization continue to be compliant?
Your organization may or may not need help implementing effective solutions.
If you have a large internal IT staff, you may have all of the resources you need to ensure the safety of your organization’s work with CUI and FCI.
If you don’t have a full in-house IT team, you may want to explore working with an external IT provider who has the skills and staff to guide and advise you.
Managed IT support solutions help organizations like yours adopt many of the requirements outlined in NIST 800-171 and prepare for CMMC certification.
We know managed IT isn’t right for every organization. We publish articles like this one so that business leaders like you have the information you need to keep your data and infrastructure safe, whether you choose to work with us or not.