Do you currently hold contracts with the United States Department of Defense (DoD), or are you a subcontractor to a prime contractor with DoD contracts? If those contracts involve Controlled Unclassified Information (CUI), your organization must comply with NIST Special Publication 800-171, published by the National Institute of Standards and Technology.
NIST 800-171 https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final provides guidance to nonfederal entities (contractors, state governments, federal grant recipients, etc.) to ensure that all systems that process, store, or transmit Controlled Unclassified Information (CUI) are secured and hardened. Its requirements apply:
- When the CUI resides in nonfederal information systems and organizations.
- When the information systems where the CUI resides are not operated by organizations on behalf of the federal government.
- When the CUI does not have specific safeguarding requirements prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.
Effective December 31, 2017, DoD contractors handling sensitive federal information must comply with the NIST 800-171 requirements incorporated by the Defense Federal Acquisition Regulation Supplement. DFARS https://www.nist.gov/mep/dfars-cybersecurity-requirements is a supplement to the Federal Acquisition Regulation (FAR) that provides DoD-specific acquisition rules that DoD acquisition officials, and the contractors doing business with DoD, must follow when procuring goods and services.
The CUI requirements in 800-171 are derived from Federal Information Processing Standards (FIPS) Publication 200 https://www.nist.gov/information-technology-laboratory/fips-general-information and the moderate security control baseline in NIST 800-53, and are based on the CUI regulation (32 CFR Part 2002, Controlled Unclassified Information).
FIPS are publicly announced standards developed by the US federal government for use in computer systems by nonmilitary government agencies and government contractors. FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems) is an integral part of the Risk Management Framework that NIST developed to help federal agencies apply a level of information security proportional to the level of risk.
Although the compliance deadline has passed, it has been estimated that fewer than one percent of affected contractors met it. There is currently no certification for NIST 800-171; compliance works on an honor system in which you self-attest that your organization meets every requirement of the regulation. This regulation is not to be taken lightly, because there is a lot at stake: non-compliance, or a false self-attestation, can result in contract termination, fraud charges, and lawsuits claiming breach of contract.
NIST 800-171 is very descriptive about what must be accomplished to secure CUI: it defines 110 security requirements across 14 families, which spell out exactly what needs to be done. However, it offers no prescriptive detail on how to achieve compliance, no advice on where to start, and no prioritization of the requirements.
Let NNT show you how a single solution addresses one-third of all the security and compliance requirements across the 14 families.
NIST 800-171 Security Control Families

| ID | Family | ID | Family |
|----|--------|----|--------|
| AC | Access Control | MP | Media Protection |
| AU | Audit and Accountability | PP | Physical Protection |
| AT | Awareness and Training | PS | Personnel Security |
| CM | Configuration Management | RA | Risk Assessment |
| IA | Identification & Authentication | SA | Security Assessment |
| IR | Incident Response | SC | System & Communications Protection |
| MA | Maintenance | SI | System & Information Integrity |
Speak to a consultant today for help with your NIST 800-171 compliance program.