The National Institute of Standards and Technology (NIST) is the U.S. federal agency that’s tasked with protecting sensitive government information that’s stored or handled by third parties, partners, and contractors. Towards this end, the agency published the NIST 800-171 document to give federal partners a standard by which to safeguard confidential information and conduct cybersecurity.
More specifically, NIST 800-171 hones in on how defense contractors and subcontractors handle what’s termed as “controlled, unclassified information,” or CUI. This includes things like personal data, intellectual property, equipment specifications, logistical plans, and any other number of strictly confidential federal defense-related information. In short, NIST 800-171 tells contractors how to handle sensitive information that isn’t officially Classified.
If you’re just getting started with NIST compliance or are preparing for a NIST assessment, then you’re in the right place. We’ll outline what NIST 800-171 actually entails, the benefits of compliance, and best practices for maintaining NIST compliance over the long haul.
- Quick review: What is NIST 800-171?
- The importance and benefits of complying with NIST 800-171
- NIST 800-171 compliance checklist
- NIST 800-171 requirements
- NIST 800-171 best practices
Get the Free Essential Guide to US Data Protection Compliance and Regulations
Quick review: What is NIST 800-171?
The NIST body itself is a non-regulatory U.S. federal agency responsible for establishing guidelines on a variety of topics, including cybersecurity. The NIST 800-171 document is a companion to NIST 800-53 and dictates how contractors and sub-contractors of Federal agencies should manage Controlled Unclassified Information (CUI). It’s also designed specifically for non-federal information systems and organizations.
The origins of NIST 800-171 come from Executive Order 13556 signed by President Obama in 2010, mandating that all U.S. federal agencies safeguard CUI more stringently. The goal was to establish a unified policy for all agencies to follow for data sharing and transparency. After a few notable breaches of governmental agencies, the additional focus was placed on cybersecurity at the federal level.
This led to the passage of the Federal Information Security Modernization Act (FISMA) in 2014, followed by NIST 800-53 and finally NIST 800-171 in 2017. Since then, new iterations and updates to NIST 800-171 continue to be released for the purposes of keeping CUI safeguarded within the federal contractor ecosystem.
What’s the purpose of NIST 800-171?
One primary goal of NIST 800-171 was to standardize how federal agencies define CUI. This was accomplished by categorizing CUI as any data that is private and sensitive but not classified per U.S. federal law. Generally, CUI doesn’t contain things like nuclear launch codes or a list of CIA operatives in foreign countries. It’s more along with lines of personal financial account details or health records that would be covered by the Health Insurance Portability and Accountability Act (HIPAA) privacy rule.
The NIST SP 800-171 framework establishes specific areas of cybersecurity controls that contractors and partners need to implement to a minimum standard. If you, your company, or any other company you do business with has a federal contract then you’re required to be NIST SP 800-171 compliant. It’s true that some federal agencies may include specific control requirements in their contracts. But even if they don’t, just the fact that you’re doing business with a federal agency and potentially handling CUI means that you must comply with NIST 800-171.
To give a more concrete idea of whether or not NIST 800-171 applies to you, here are a few agencies and organizations that typically need to be NIST compliant:
- Contractors for the Department of Defense (DoD)
- Contractors for the General Services Administration (GSA)
- Contractors for the National Aeronautics and Space Administration (NASA)
- Universities and research institutions supported by federal grants
- Consulting companies with federal contracts
- Service providers for federal agencies
- Manufacturing companies supplying goods to federal agencies
The NIST 800-171 documentation also supplies a list of the following controls, along with the corresponding compliance requirements:
- Access controls: Who has access to data and whether or not they’re authorized.
- Awareness and training: Your staff should be adequately trained on CUI handling.
- Audit and accountability: Know who’s accessing CUI and who’s responsible for what.
- Configuration management: Follow guidelines to maintain secure configurations.
- Identification and authentication: Manage and audit all instances of CUI access.
- Incident response: Data breach preparedness and response plan protecting CUI.
- Maintenance: Ensure ongoing security and change management to safeguard CUI.
- Media protection: Secure handling of backups, external drives, and backup equipment.
- Physical protection: Authorized personnel only in physical spaces where CUI lives.
- Personnel security: Train your staff to identify and prevent insider threats.
- Risk assessment: Conduct pen testing and formulate a CUI risk profile.
- Security assessment: Verify that your security procedures are in place and working.
- System and communications protection: Secure your comms channels and systems.
- System and information integrity: Address new vulnerabilities and system downtime.
While it might be overwhelming at first, an experienced NIST compliance partner can help you break things down into chunks and make sure you address each access control area. But when it comes to the core purpose of NIST 800-171, the main thing to remember is the protection of CUI anywhere in the orbit of federal contractors, sub-contractors, and business partners.
The importance and benefits of complying with NIST 800-171
First off, it’s important to comply with NIST 800-171 because it’s a legal requirement to do business with the federal government. This is the case because, should CUI fall into the wrong hands, the ability of the federal government to carry out its ongoing operations could be severely interrupted. For instance, if a federal worker’s CUI is hacked and is then subject to a ransomware attack, it could severely affect the department’s capabilities that they work for.
But NIST 800-171 isn’t solely about the stick -- although there are non-compliance penalties that we’ll discuss. Compliance is actually a huge benefit to organizations because it ensures a strong cybersecurity posture and provides a common framework under which to operate. You’ll improve your overall risk management profile, for instance, reducing the overall risk of data breaches and insider threats. You’ll have a scalable security approach along with data access policy best practices.
Penalties for non-compliance can be quite harsh depending upon the circumstances. If you experience a data breach or hack where CUI is potentially affected, then you’ll likely be investigated and audited by federal officials to determine what went wrong. Aside from the obvious cost associated with both breaches and audits, if you’re found to be non-compliant with NIST 800-171, the government may take one or more of the following steps:
- Pursuing damages for breach of contract
- Damages pursuit under the False Claims Act
- Contract termination due to default of terms
- Suspension or debarment from contractor status
- Financial fines and penalties from the federal government
Varonis helps organizations maintain compliance with NIST 800-171. The Data Classification Engine is the first step to identifying and classifying your CUI across your core data stores. DatAdvantage helps map folders and permissions, with full reporting and auditing on who can and should have access to data. DataPrivilege enables data owners to manage and audit access to their data. Automation Engine streamlines the process to remove Global Access Groups, and Data Transport Engine can quarantine, migrate, or delete unsecured CUI.
NIST 800-171 compliance checklist
In order to gain compliance with NIST 800-171, you’ll need to pass an audit conducted by a certified entity or cybersecurity partner. You’ll need to take several initial steps prior to your audit, and the process doesn’t need to be overly complex or time-consuming. Here is a convenient checklist that will help you get ready for and ensure a smooth NIST audit:
- Identify scope: Take a look at NIST 800-171 and determine the scope of your compliance efforts. Compliance may take a mix of things like additional training, stronger physical access controls, and a media protection process. Also, make any necessary changes to system boundaries to avoid your entire organization being roped into the compliance scope.
- Gather documentation: You won’t be able to pass a NIST 800-171 compliance audit unless you have documentation that all controls and requirements are met. Typically, you’ll need to gather documentation in the following areas prior to an audit: system and network architecture, system boundaries, data flow, personnel, process and procedures, and anticipated changes.
- Gap analysis and review: You’ll also need to see where the gaps are between your current state and being fully NIST 800-171 compliant. Focus on the primary access control requirements and work your way down. Document any design flaws or control gaps so you can make the necessary changes. An experienced NIST partner can help you create the most comprehensive gap analysis possible and system review.
- Develop plans: Once your gap analysis is complete, you can then begin planning on a variety of fronts. First, you’ll want to formulate and document a NIST-compliant overall security plan. Also, create a remediation plan in case CUI is compromised, your response is in alignment with NIST, thereby avoiding penalties. Finally, you’ll want a Plan of Action and Milestones (POAandM) to ensure the entire project stays on track.
- Audit trail evidence: Now you can begin gathering the right documentation and evidence that will be most pertinent to your NIST audit. Identify the audit requirements you’ll be addressing based upon the 14 NIST 800-171 criteria as listed above. And as you make changes towards compliance, you’ll want to produce audit-trail evidence showing what you’ve done and to ensure accountability.
While completing your NIST compliance checklist, you should also continue to understand and implement the specific NIST-800-171 requirements in the most accurate and efficient way possible.
NIST 800-171 requirements
Although we briefly listed all 14 requirements at the outset, you should know and examine each one individually for proper compliance.
1. Access controls
Make sure to limit access to CUI so only authorized individuals and devices can view that data. This covers core IT security aspects such as routers, firewalls, computers, servers, and any devices on your network.
2. Awareness and training
Staff should be educated on cybersecurity risks and best practices. NIST-compliant training also ensures that every individual can fulfill security responsibilities in alignment with their role. They should understand insider threats and how to identify them.
3. Auditing and accountability
All systems in use need to have an audit trail. Implementing an audit trail makes it possible to hold individual actors accountable for data access, viewing, storage, and handling. You’ll therefore know exactly who has accessed CUI, when, and by what means.
4. Configuration management
Any software and hardware should have configurations that focus on creating the most robust cybersecurity measures possible in alignment with NIST requirements. Make sure to maintain this baseline security configuration even as new updates and firmware are released.
5. Identification and authentication
You need to identify every user, device, and process that attempts access to your systems at any given time. Make sure that you have the right technologies and safeguards in place to accurately authenticate identities via methods like biometrics or multi-factor authentication (MFA).
6. Incident response
Make an incident response plan that adequately prepares your teams for incidents. Your organization should detect any intrusions, analyze what’s going on, contain the problem, and bring your systems back up. Also, have documentation and reporting processes that enable collaboration with relevant authorities.
The entirety of your information systems and data storage ecosystem should receive ongoing and proper maintenance. This keeps your cybersecurity posture and NIST compliance up to date and properly protected.
8. Media protection
Organizations handle CUI in a variety of ways, including storage on various media devices like external drives, CDs, and thumb drives. Any media systems or devices containing CUI need NIST-compliant protection, including access controls and processes by which media is sanitized or destroyed.
9. Personnel security
Anyone who accesses CUI must complete a thorough, NIST-compliant screening process. In addition, have procedures in place that protect every individual’s CUI and private data if and when they are discharged or decide to leave on their own volition.
10. Physical protection
Cybersecurity itself isn’t sufficient to comply with NIST 800-171. The physical location of systems or devices needs to be safeguarded in a way that prevents unauthorized on-site access. Rooms with devices or paper files should have access control measures like PIN codes and fingerprint scanners that allow only authorized individuals.
11. Risk assessment
Implement a risk assessment procedure and use it regularly to gauge the specific risk factors that your organization faces from a cybersecurity standpoint. Your CUI may be more susceptible to phishing attacks than ransomware, for instance, so a risk assessment will help point out these vulnerabilities and allow you to better mitigate them for NIST compliance.
12. Security assessment
Evaluate whether or not your current cybersecurity measures are doing their job adequately. A security assessment for NIST will help you understand how robust your current measures are, and if you need to update them based on the current threat environment.
13. System and communications protection
Both external and internal boundaries of your information systems should be properly controlled, monitored, and protected. Things like email and SMS communications on the boundaries are at higher risk, so make sure anytime CUI is transmitted from one person to another, it’s adequately protected or encrypted.
14. System and information integrity
The final NIST requirement centers around protecting your systems from malicious code and malware. You need to find, report, and fix all flaws in your information systems at all times. Monitor security alerts and take swift actions to ensure system and information integrity of CUI.
NIST 800-71 best practices
Not only is it important to be compliant, but you need to be able to demonstrate compliance to avoid having contracts revoked or fines levied. Here are a few best practices to help you get going with NIST compliance and maintain it in the long run.
- Define what CUI you have to manage. You may have guidance from the agency you work with, but you also might also have to determine what CUI means to you. Even if you have no guidance, you should identify and classify all possible PII so you can secure and protect sensitive data from data breaches. Typical CUI includes Social security numbers, bank routing numbers or account numbers, credit card numbers, permanent resident status
- Map your folders and permissions. You should strongly consider implementing a least privilege model for your data. NIST requires that you manage who can access CUI. Implementing a least privilege model ensures only the right people gain access to CUI. You’ll also need to make sure you can adequately report on who has access to CUI, along with specific access instances.
- Audits and alerts of changes in CUI. NIST requires that you monitor CUI and respond to all security incidents. Make sure you can audit all activity around your CUI data, and have technology that alerts you to abnormal activity. And if you do spot access or changes to CUI that seem out of the ordinary, have a process in place to follow the audit trail a verify its validity or take remediation action.
Preparing for NIST compliance and auditing doesn’t need to be an overwhelming endeavor. Experienced cybersecurity and compliance partner like Varonis can guide you through the entire process, from CUI data classification to implementing data protection technology that keeps your CUI safe and your company insulted from potential fines, penalties, and loss of contracts.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.
David is a professional writer and thought leadership consultant for enterprise technology brands, startups and venture capital firms.