NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
What Is Controlled Unclassified Information (CUI)?
To understand NIST 800-171 and how to become compliant, it helps to first know what Controlled Unclassified Information (CUI) is. The US government holds a great deal of sensitive information, and contractors and other vendors are routinely given access to some of it in order to fulfil their contractual obligations.
Some of that information is classified, and only cleared persons with a need to know may access it. A much larger body of government data is unclassified but still sensitive. Information in this second group that a law, regulation, or government-wide policy requires to be safeguarded, or to have its dissemination controlled, is CUI. The CUI program is defined by Executive Order 13556 and 32 CFR Part 2002; the National Archives (NARA) is the CUI Executive Agent and maintains the CUI Registry, which lists the approved CUI categories and their markings. CUI is therefore not "unregulated" sensitive data: it is unclassified data with specific, mandatory handling rules.
What is NIST 800-171?
NIST 800-171 is a publication by the National Institute of Standards and Technology. It specifies the security requirements for protecting the confidentiality of CUI when it is stored, processed, or transmitted in a nonfederal system, that is, in a contractor's or other vendor's environment rather than a federal one. NIST itself does not regulate contractors; the requirements become binding through contract clauses such as DFARS 252.204-7012 for DoD contracts.
NIST 800-171 was developed to raise cybersecurity standards among government vendors after a series of high-profile breaches, including the 2014 incidents at the National Oceanic and Atmospheric Administration (NOAA) and the United States Postal Service (USPS). Its requirements are derived from the security standards that apply to federal systems under the Federal Information Security Management Act (FISMA), enacted in 2002 and modernized in 2014: FIPS 200 and the moderate baseline of NIST SP 800-53, tailored to the confidentiality of CUI.
NIST's stated purpose is to ensure that CUI receives consistent protection wherever it resides, so that the federal government can carry out its missions without having its information compromised through a nonfederal system.
Revision 1 of NIST 800-171 was published in December 2016, and for DoD contractors the DFARS clause 252.204-7012 required full implementation by December 31, 2017. Other agencies that contract out work involving CUI, such as the General Services Administration (GSA) and the National Aeronautics and Space Administration (NASA), reference the same requirements in their own contract terms. Note that NIST does not certify anyone; compliance is documented and attested by the contractor.
Under these clauses a contractor must implement the full set of requirements, document how each one is met in a System Security Plan (SSP), and track any unmet requirements in a Plan of Action and Milestones (POA&M). Under DFARS, any requirement not implemented at the time of contract award must be reported to the DoD CIO within 30 days. The documented assessment covers areas such as network and system configuration, how staff are granted access to CUI, and how physical and electronic media are protected, among others.
NIST 800-171 gives vendors a single, uniform set of requirements. Before the CUI program, each agency applied its own rules for marking, handling, and disposing of sensitive unclassified information, which created inconsistencies, especially when several vendors needed the same data.
Key Areas of NIST 800-171 Compliance
A vendor handling CUI under Revision 1 or Revision 2 of the publication must meet 110 security requirements, grouped into 14 families, and needs policies, processes, and technical controls built around each family. Revision 3, published in May 2024, restructures these into 97 requirements across 17 families (adding Planning, System and Services Acquisition, and Supply Chain Risk Management), but the 14 families below remain the core and are what most current contracts reference.
Not all these requirements are IT-related, but implementation will entail a combination of:
The 14 families that NIST 800-171 (and, by reference, DFARS) requires you to address are:
- Access Control - Limit system access to authorized users, processes, and devices, and limit them to the transactions and functions they are permitted to execute.
- Awareness and Training - Make sure managers, administrators, and users understand the security risks of their activities and are trained on their CUI handling responsibilities.
- Audit and Accountability - Create and retain audit logs of both authorized and unauthorized activity, so that actions can be traced to individual users and investigated.
- Configuration Management - Establish and document baseline configurations of systems and networks, control changes to them, and restrict unnecessary software, ports, and services.
- Maintenance - Perform system maintenance on a defined schedule, control the tools and personnel used, and sanitize equipment before it leaves your premises.
- Identification and Authentication - Identify users, processes, and devices and verify their identities (including multifactor authentication for privileged and network access) before granting access to CUI.
- Incident Response - Establish an incident-handling capability that covers preparation, detection, analysis, containment, recovery, and user response, and track, document, and report incidents to the designated officials.
- Physical Protection - Limit physical access to systems, equipment, and their operating environments, and escort and monitor visitors.
- Media Protection - Protect paper and digital media containing CUI, including backups, limit access to authorized personnel, and sanitize or destroy media before disposal or reuse.
- Risk Assessment - Periodically assess the risk to your operations and assets from handling CUI, scan systems and applications for vulnerabilities, and remediate what you find.
- Personnel Security - Screen individuals before granting them access to CUI, and protect CUI when personnel are terminated or transferred.
- Security Assessment - Periodically assess whether your controls are effective, maintain plans of action to correct deficiencies, and monitor the controls on an ongoing basis.
- System and Information Integrity - Identify, report, and correct system flaws promptly, protect against malicious code, and monitor security alerts and advisories.
- System and Communications Protection - Monitor, control, and protect communications at external and key internal boundaries, and use cryptography to protect CUI in transit.
Should You Comply With NIST 800-171?
As a government vendor, compliance with NIST 800-171 is non-negotiable in most cases.
To begin with, sensible cybersecurity precautions protect your own proprietary information as well as the government's. And even if you believe there is no CUI in your systems, the requirements still matter: a contract can demand them, and failure to comply can cost you existing contracts and the ability to bid on new ones.
How Can VC3 Help?
There are many requirements to meet in order to become NIST 800-171 compliant, but the harder problem is maintaining compliance over time. That is where it helps to work with the right technology partner, one who can assist your IT department with a NIST 800-171 self-assessment and with ongoing monitoring.
Good news: VC3 clients are 70% of the way there on the technical controls since those are already part of our managed IT services process.
At VC3, our main objective is to ensure our clients are not only NIST-compliant but are adequately protected against all forms of breaches. We achieve this by offering managed IT services, security, and consulting.
Contact us today to find out more about how we can help you achieve NIST 800-171 compliance and maintain it.