Information Security

NIST 800-171 - A Quick Brief

Lately I have received a number of questions and concerns around NIST 800-171 so I wanted to write a quick brief on what you need to know.

  • What is NIST 800-171?
    • This is a special publication released by the National Institute of Standards and Technology (NIST) aimed at “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”.
  • Why does this framework exist?
    • We all know the federal government has experienced a significant number of data breaches over the past 3 years. This framework is designed to provide guidance to anyone that holds Controlled Unclassified Information (CUI) so that the data is better protected and security incidents are reduced or eliminated. NIST specifically claims:
      • “(NIST 800-171) publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in non-federal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government wide policy for the CUI category or subcategory listed in the CUI Registry.”
  • Why do you need to follow NIST 800-171?
    • Ask yourself: “Do you do work with the government today? If so, what is the value of that work?”
    • If you are a federal contractor and have access to CUI, you MUST follow this framework. In fact, agencies have been prescribing it in contracts and RFPs for the past several months. You should review how many of your outstanding contracts and/or bids require you to meet the requirements of NIST 800-171.
  • How do you determine what is CUI?
  • What do you need to do to comply with NIST 800-171?
    • First, you will need to read the standard in its entirety and make sure you understand your responsibilities to protect the confidentiality of the data, or consult with someone who can help you become NIST 800-171 compliant.
    • Compliance with NIST 800-171 is not for the faint-hearted. This framework maps back to several other frameworks, and you will need to implement controls based on your individual risks.
    • There are 14 specific security objectives you will need to comply with, each with its own set of controls:
      1. Access Controls
      2. Awareness and Training
      3. Audit and Accountability
      4. Configuration Management
      5. Identification and Authentication
      6. Incident Response
      7. Maintenance
      8. Media Protection
      9. Physical Protection
      10. Personnel Security
      11. Risk Assessment
      12. Security Assessment
      13. System and Communications Protection
      14. System and Information Integrity
    • Each security objective has different requirements, and each requirement can be satisfied through a variety of solutions.
  • Why are you just hearing of this now?
    • In 2015 the safeguarding requirements were expanded to include covered defense information (CDI). Federal contractors at the time objected to the compliance timeline, and on December 30, 2015 DoD issued an interim rule granting contractors additional time to implement NIST 800-171.
  • When do you need to comply?
    • You now have until December 31, 2017 to comply with NIST 800-171. It is highly recommended that you engage an adviser who has worked with the standard before and can guide you properly, saving you time and money in trying to comply.

Comments

RE: NIST 800-171 - A Quick Brief

Enzo481 at 4/5/2017 6:37 PM