NIST 800-171, interchangeably referred to as NIST SP 800-171, went into full effect December 31, 2017: even if you don’t fall under the jurisdiction of NIST SP 800-171, the core competencies are still good data security guidelines.
What is NIST 800-171?
NIST itself is a non-regulatory Federal agency responsible for establishing guidelines that apply to Federal agencies on many topics – including cybersecurity. NIST 800-171, a companion document to NIST 800-53, dictates how contractors and sub-contractors of Federal agencies should manage Controlled Unclassified Information (CUI) – it’s designed specifically for non-federal information systems and organizations.
NIST SP 800-171 began its life as Executive Order 13556 signed by President Obama in 2010, directing all Federal agencies to safeguard their CUI and establishing a unified policy for all agencies to follow for data sharing and transparency.
After a few data breaches in Federal agencies – USPS, NOAA, and OPM – NIST and the Federal government started to focus more on cybersecurity: in 2014 Congress passed FISMA, NIST followed up with NIST 800-53, and later, NIST 800-171.
What’s the Purpose of NIST 800-171?
NIST 800-171 standardizes how federal agencies define CUI: data that is private and sensitive but not classified per federal law. We aren’t talking about the list of BlackOps operating in enemy territories – different laws govern national security stuff – but data that is covered by SOX or HIPAA, for example. Each agency is responsible for providing the details of what kind of data is CUI to the National Archives and Records Administration, the agency charged with enforcement of EO 13556.
NIST SP 800-171 controls apply to federal government contractors and sub-contractors. If you or another company you work with has a contract with a federal agency, you must be compliant with this policy. Federal agencies may include specific requirements in their contracts; however, even if you don’t have those clauses in your contract, that won’t stop NIST 800-171 from applying to your agreements.
Here are a few of the organizations that need to comply with NIST 800-171:
- Contractors for Department of Defense (DoD)
- Contractors for General Services Administration (GSA)
- Contractors for National Aeronautics and Space Administration (NASA)
- Universities and research institutions supported by federal grants
- Consulting companies with federal contracts
- Service providers for federal agencies
- Manufacturing companies supplying goods to federal agencies
Like NIST 800-53, NIST 800-171 provides a list of control families that spell out the compliance requirements:
- Access Control (Who has access and are they supposed to?)
- Awareness and Training (Did you train your staff about CUI?)
- Audit and Accountability (Do you know who is accessing CUI?)
- Configuration Management (Are you following the RMF guidelines to maintain secure configurations and manage change?)
- Identification and Authentication (Are you managing and auditing access to CUI?)
- Incident Response (What happens when there is a data breach?)
- Maintenance (See Configuration Management above)
- Media Protection (How are backups, external drives, and retired equipment handled?)
- Physical Protection (Who can access the place where your CUI lives?)
- Personnel Security (Is your staff trained to identify insider threats?)
- Risk Assessment (Have you done a risk assessment? Do you have scheduled pentesting exercises?)
- Security Assessment (How do you verify the security procedures are in place?)
- System and Communications Protection (Are your communications channels secure?)
- System and Information Integrity (Is the process to address new vulnerabilities or system down situations defined?)
Benefits of NIST 800-171
Some of the benefits of implementing the NIST 800-171 controls include:
- Risk management
- Best practices for data access policies
- A common framework and methodology for managing risk
- Scalable security approach to protecting sensitive data
Varonis helps maintain compliance with NIST 800-171: the Data Classification Engine is the first step to identify and classify your CUI across your core data stores (including email). DatAdvantage helps map folders and permissions, with full reporting and auditing on who can (and who should) access that data, while DataPrivilege enables data owners to manage and audit access to their data. Automation Engine streamlines the process to remove Global Access Groups, and Data Transport Engine can quarantine, migrate, or delete unsecured CUI.
NIST 800-171 Compliance Best Practices
Not only is it important to be compliant, but you need to be able to demonstrate compliance to avoid having contracts revoked or fines levied. Follow these steps to get started:
- Define what CUI you have to manage. You might have guidance from the agency you work with, but you might also have to figure out what applies to you on your own. Even if you have no guidance, you should identify and classify all possible PII so you can secure and protect sensitive data from data breaches.
Examples of CUI: Social security numbers, bank routing numbers or account numbers, credit card numbers, permanent resident status
- Map your folders and permissions and implement a least privilege model for your data. NIST requires that you manage who can access CUI: implement a least privilege model to get there, and make sure you can report on who can – and who does – access CUI data.
- Audit and alert on changes made to your CUI. NIST requires that you monitor CUI and respond to security incidents. Make sure you can audit all activity on your CUI data, and alert on abnormal activity.
- Get in touch with our Federal Team to see how Varonis maps to NIST in your environment – and how Varonis helps you get to (and maintain) NIST compliance.
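As an added illustration of the first three steps above (example code written for this page, not Varonis code and not part of the original post), the following Python scans a constructed set of share files for the CUI examples named earlier, validates regex hits with their checksums to cut false positives, and flags files where a global access group can read CUI. The paths, file contents, group names, and numbers are all constructed; the routing and card numbers only satisfy their checksums and belong to no real account.

```python
import re

# Constructed sample share: UNC path -> (file text, principals with read access).
SAMPLE_FILES = {
    r"\\fs01\contracts\vendor_list.txt": ("Vendor ACME, PO 4471", {"CORP\\Contracts-RW"}),
    r"\\fs01\hr\onboarding.csv": ("name,ssn\nJ. Doe,123-45-6789\n", {"CORP\\HR-RO", "Everyone"}),
    r"\\fs01\finance\ach.txt": ("Routing 123456780 acct 99887766\nCard 4111 1111 1111 1111",
                               {"CORP\\Finance"}),
    r"\\fs01\public\readme.txt": ("Order ref 4111-1111-1111-1112", {"Everyone"}),
}
# Groups whose presence on an ACL means "everyone in the domain can read this".
GLOBAL_ACCESS_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def aba_ok(digits: str) -> bool:
    """ABA routing number checksum: weights 3,7,1 repeating, weighted sum divisible by 10."""
    return len(digits) == 9 and sum(w * int(c) for w, c in zip([3, 7, 1] * 3, digits)) % 10 == 0

def ssn_ok(ssn: str) -> bool:
    """Structural SSN rules: area not 000/666/9xx, group not 00, serial not 0000."""
    area, group, serial = ssn.split("-")
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

# CUI detectors: label -> (pattern, validator). The validator rejects regex hits that
# merely look like CUI (e.g. an order reference shaped like a 16-digit card number).
DETECTORS = {
    "SSN": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    "Payment card": (re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
                     lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    "ABA routing number": (re.compile(r"\b\d{9}\b"), aba_ok),
}

def classify(text: str) -> list:
    """Return the sorted CUI labels whose pattern AND validator both match the text."""
    return sorted(label for label, (pat, ok) in DETECTORS.items()
                  if any(ok(m) for m in pat.findall(text)))

def scan(files: dict, global_groups=GLOBAL_ACCESS_GROUPS) -> dict:
    """Map each file holding CUI to its labels and whether a global access group can read it."""
    report = {}
    for path, (text, principals) in files.items():
        labels = classify(text)
        if labels:
            report[path] = {"cui": labels, "global_access": bool(principals & global_groups)}
    return report
```

Files that come back with `global_access` set are the ones to fix first: they hold CUI and are readable through a Global Access Group, which is exactly what the least privilege step is meant to remove.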
Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.