What is NIST 800-171?
NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is a companion to NIST SP 800-53: its requirements are derived from the 800-53 moderate baseline and tailored for systems that are not operated by the federal government. It specifies how contractors and subcontractors of federal agencies must protect Controlled Unclassified Information (CUI) that they process, store, or transmit.
What’s the purpose of NIST 800-171?
NIST SP 800-171 does not itself define CUI. That is done by Executive Order 13556 and NARA's CUI program (32 CFR Part 2002), which cover information that a law, regulation, or government-wide policy requires to be safeguarded or dissemination-controlled but that is not classified. The purpose of NIST SP 800-171 is to standardize how that information is protected once it leaves federal systems: it establishes a minimum set of security requirements, grouped into families, that contractors and partners must implement. If your company, or a company you do business with, holds a federal contract under which CUI is created, handled, or stored, that contract will normally require NIST SP 800-171 compliance (for Department of Defense contracts, through DFARS clause 252.204-7012).
Who must comply with NIST SP 800-171 requirements?
NIST SP 800-171 compliance is required for non-federal organizations that process, store or transmit CUI.
Examples may include:
- Defense contractors
- Organizations whose contracts with federal agencies entail the creation, handling or storage of CUI
- Healthcare institutions collaborating with the U.S. government, particularly those serving veterans through the VA
- Universities and research establishments funded by federal agencies that use CUI
- Aerospace and aviation companies that contract with NASA or other government bodies
- Manufacturers of products for federal government use, such as military equipment
- IT service providers handling government IT systems or offering cloud services to federal agencies
- Financial institutions managing financial data for government agencies or delivering financial services to the government
- Law firms handling CUI while working on government cases or other federal legal matters
- Organizations that are part of a government contractor’s supply chain and have access to CUI
### How do organizations prove compliance?
NIST SP 800-171 itself does not prescribe how compliance is demonstrated; that is set by the contract clause that invokes it. For Department of Defense contracts, DFARS 252.204-7012 has relied on the contractor's self-attestation, supplemented since November 2020 by DFARS 252.204-7019 and 252.204-7020, which require a self-assessment score under the NIST SP 800-171 DoD Assessment Methodology to be posted to the Supplier Performance Risk System (SPRS) and allow DoD to conduct its own higher-confidence assessments. The Cybersecurity Maturity Model Certification (CMMC) program builds on this: contracts that involve CUI are assessed against the 800-171 requirements, with third-party assessment by certified assessors (C3PAOs) for many such contracts while the lowest level remains self-assessed. The NIST revisions themselves (Rev 2 in 2020, Rev 3 in 2024) changed the requirements, not who performs the assessment.
### Controls
NIST SP 800-171 Rev 2 groups its security requirements into the following 14 families, each containing basic and derived requirements:
- Access control: Limit system access to authorized users, processes, and devices, and to the transactions they are permitted to perform, including least privilege, session controls, and controls on remote and mobile access.
- Awareness and training: Make staff aware of the security risks of their activities and train them on handling CUI and on recognizing indicators of insider threat.
- Audit and accountability: Create and retain audit logs so that CUI access can be traced to individual users, protect those logs from tampering, and review them.
- Configuration management: Establish and maintain baseline configurations and inventories, control changes, and restrict unnecessary software, ports, and functions.
- Identification and authentication: Identify users, processes, and devices and authenticate them before granting access, including multifactor authentication for network and privileged access.
- Incident response: Establish a capability to prepare for, detect, analyze, contain, recover from, and report incidents affecting CUI, and test it.
- Maintenance: Perform and control system maintenance, including supervising maintenance personnel, checking maintenance tools and media for malicious code, and securing remote maintenance sessions.
- Media protection: Protect, mark, and control access to media containing CUI, including backups and removable drives, and sanitize or destroy it before disposal or reuse.
- Physical protection: Limit physical access to systems and facilities that hold CUI to authorized individuals, escort and log visitors, and protect alternate work sites.
- Personnel security: Screen individuals before granting access to systems containing CUI and protect CUI during and after personnel actions such as terminations and transfers.
- Risk assessment: Periodically assess the risk to CUI from operating your systems, scan for vulnerabilities, and remediate them.
- Security assessment: Periodically assess whether the controls are in place and effective, maintain a system security plan (SSP), and track shortfalls in a plan of action and milestones (POA&M).
- System and communications protection: Monitor and protect communications at system boundaries, use FIPS-validated cryptography to protect CUI, and separate user functionality from system management functionality.
- System and information integrity: Identify, report, and correct system flaws, protect against malicious code, and monitor systems and security alerts for attacks.
### The importance and benefits of complying with NIST 800-171
Complying with NIST 800-171 matters first because it is a contractual requirement: the clauses that carry the standard (for DoD contracts, DFARS 252.204-7012) make implementing it a condition of holding a contract that involves CUI. Penalties for non-compliance can be severe depending upon the circumstances. If you experience a data breach in which CUI is potentially affected, you will likely be investigated and audited by federal officials to determine what went wrong. Aside from the direct costs of the breach and the audit, if you are found to be non-compliant with NIST 800-171, the government may take one or more of the following steps:
- Pursuing damages for breach of contract
- Liability under the False Claims Act for misrepresenting your compliance status
- Contract termination due to default of terms
- Suspension or debarment from contractor status
- Financial fines and penalties from the federal government
### NIST 800-171 compliance checklist
- Identify scope: Review NIST 800-171 and determine the scope of your compliance effort: which systems, networks, people, and processes create, handle, or store CUI. Compliance may take a mix of measures such as additional training, stronger physical access controls, and a media protection process. Where possible, adjust system boundaries (for example, by segmenting CUI into a dedicated enclave) so that the whole organization is not pulled into scope.
- Gather documentation: You will not pass a NIST 800-171 assessment without documentation showing that every requirement is met. Typically, you will need to gather documentation in the following areas beforehand: system and network architecture, system boundaries, data flows, personnel, processes and procedures, and anticipated changes.
- Gap analysis and review: Compare your current state against each requirement to see where the gaps are. Start with the access control requirements and work through the remaining families. Document every design flaw or control gap so you can make the necessary changes. An experienced NIST partner can help make the gap analysis and system review as comprehensive as possible.
- Develop plans: Once the gap analysis is complete, begin planning on several fronts. First, formulate and document a System Security Plan (SSP) that describes the system boundary, its environment, and how each requirement is implemented. Second, create an incident response plan so that if CUI is compromised, your response aligns with the NIST requirements and with your contract's reporting obligations. Finally, maintain a Plan of Action and Milestones (POA&M) that records each unimplemented requirement, its planned remediation, and a target date, so that the project stays on track.
- Audit trail evidence: Now gather the documentation and evidence most pertinent to your assessment. Identify the requirements you will be addressing based on the 14 NIST 800-171 families listed above. As you make changes toward compliance, produce audit-trail evidence showing what you have done, so that accountability is clear.