NIST 800-171 Compliance: What you need to know

What is NIST 800-171 Compliance?

The National Institute of Standards and Technology (NIST) is the U.S. federal agency tasked with the development and use of cybersecurity standards for sensitive federal government information stored or handled by the federal government, third parties, partners, and contractors. The agency published the NIST 800-171 document to give federal partners a standard for safeguarding Controlled Unclassified Information on non-federal information systems.

NIST SP 800-171, or just 800-171, details the requirements any federal department or agency selects from for any non-federal information system to follow to store, process, or transmit Controlled Unclassified Information (CUI) or provide security protection for such systems. New iterations and updates to NIST 800-171 are continually released to keep cybersecurity controls current with emerging threats and continue to safeguard CUI = within the federal contractor ecosystem. The exact requirements for NIST SP 800-171 revision 2 can be found at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf, and revision 3 is expected to be finalized at the end of 2022.

What is the purpose of NIST 800-171?

NIST 800-171 defines CUI as any private, sensitive data not classified per U.S. federal law. Generally, CUI does not contain things like nuclear launch codes or a list of CIA operatives in foreign countries. CUI includes information such as schematics for weapons systems, information about parts for products manufactured for the federal government, personal financial account details, or health records covered by the Health Insurance Portability and Accountability Act (HIPAA) privacy rule, to name a few. There are 125 CUI categories divided in 20 Index Groupings.

NIST 800-171 establishes specific areas of cybersecurity controls contractors and partners must implement based on the department of agency. If you, your company, or any company you do business with has a federal contract, you must be compliant with the controls specified by those departments or agencies. Some federal agencies may include additional specific control requirements in contracts, commonly referred to as CUI Specified. Even if they do not, doing business with a federal agency and potentially handling CUI means you must comply with controls in NIST 800-171 in some capacity.

Who needs NIST 800-171?

NIST 800-171 determines how federal government contractors and subcontractors handle personal data, intellectual property, equipment specifications, logistical plans, and other confidential federal government-related information.

Some Department of Defense (DoD contracts require compliance of all 110 controls of NIST SP 800-171 via DFARS clause 252.204-7012, and eventually a 3rd party verification those controls are being met on contract with CUI via DFARS 252.204-7021 This is known more commonly as the CMMC program.

Other agencies and organizations typically required to be compliant with controls from NIST 800-171:

• Contractors for the Department of Energy (DoE)
• Contractors for the Department of Homeland Security (DHS)
• Contractors for the General Services Administration (GSA)
• Contractors for the National Aeronautics and Space Administration (NASA)
• Universities and research institutions supported by federal grants
• Consulting companies with federal contracts
• Service providers for federal agencies
• Manufacturing companies supplying goods to federal agencies

The standards and controls can also be used voluntarily by commercial companies with no ties to the government, as they represent best practices for cybersecurity.

How to become NIST 800-171 compliant

To become compliant with controls from NIST 800-171, a business may need to invest in new software products, re-configure existing information systems, improve physical security controls, and develop new internal processes.

The path to becoming compliant varies for each organization but generally follows these steps:

1. Locate and Identify CUI
2. Categorize CUI
3. Conduct gap analysis against required controls
4. Create a roadmap including tools and policies needed to close gaps
5. Implement Required Controls 
6. Train Your Employees 
7. Monitor Your Data 
8. Assess Your Systems and Processes

Contractors who need access to CUI must implement and verify compliance and create security protocols that will be selected from 14 key areas:

1. Access Control: Who is authorized to access this data, and what permissions (read-only, read and write, etc.) do they have?
2. Awareness and Training: Are users properly trained in properly securing this data and the information systems on which it resides?
3. Audit and Accountability: Are accurate records of system and data access and activity kept and monitored? Can violators be identified?
4. Configuration Management: How are your systems standardized? How are changes monitored, approved, and documented?
5. Identification and Authentication: How are users identified before obtaining access to this information?
6. Incident Response: What protocols are in place for suspected or identified security events, threats, or breaches?
7. Maintenance: How is this information secured and protected against unauthorized access during maintenance activities?
8. Media Protection: How are electronic and hard copy records and backups stored securely?
9. Physical Protection: How is unauthorized physical access to systems, equipment, and storage prevented?
10. Personnel Security: How are individuals screened before granting them access to CUI?
11. Risk Assessment: How are business risks and system vulnerabilities associated with handling this information identified, tracked, and mitigated?
12. Security Assessment: How effective are current security standards and processes? What improvements are needed?
13. System and Communications Protection: How is this information protected and controlled at key internal and external transmission points?
14. System and Information Integrity: How is this information protected against software flaws, malware, unauthorized access, and other threats?

Benefits of Becoming NIST 800-171 Compliant

Without adherence to controls from NIST 800-171 the federal government’s operations could be severely interrupted and our National Security could be at stake should CUI fall into the wrong hands. One needs to look no further than the similarities between the Chinese J-20 fighter jet and the American F-35. If a federal employee’s CUI is compromised and subject to a ransomware attack, their department’s capabilities could be severely affected.

Compliance further ensures a strong cybersecurity posture, provides a common framework to operate under, and improves your overall risk management profile. You’ll also have a scalable security approach and data access policy best practices.

Consequences of NIST 800-171 Non-Compliance

Penalties for non-compliance depend upon the circumstances. In the event of a data breach where CUI is potentially affected, you will likely be audited by federal officials to determine what went wrong.

In addition to costs associated with breaches and audits, if found non-compliant with the required controls of NIST 800-171, the government may take one or more of the following steps:

1. Pursuing damages for breach of contract
2. Damages pursuit under the False Claims Act
3. Contract termination due to default of terms
4. Suspension or debarment from contractor status
5. Financial fines and penalties from the federal government

Why should you hire a NIST 800-171 compliance consultant? 

Consider the following questions for your organization:

• What potential cybersecurity vulnerabilities exist?
• How can these gaps be closed?
• What training do managers, employees, and clients still need?
• How can your organization continue to be compliant?

Without in-house cybersecurity expertise and staff, you may not have the resources you need to ensure the safety of your organization’s work with CUI. DTS is an experienced partner providing a tailored approach to NIST compliance. Our services range from a free consultation and estimate to get you started to implementation, training, and ongoing maintenance to drive a culture of security. Visit DTS: Contact Page to get started.