NIST 800-171 Compliance
Does your organization have contracts with the United States Department of Defense (DoD) or are you a subcontractor to a prime contractor with DoD contracts?
If so, are you prepared for the NIST 800-171 requirements?
NIST 800-171 is the NIST guideline for protecting Controlled Unclassified Information (CUI) when it resides outside a federal agency or federal system. Compliance is mandatory for organizations that process, store, or transmit CUI on an internal system, or on a system over which they maintain control or oversight. That covers email, file sharing, and similar services, and it covers the storage, access, transfer, and governance of information that, while not classified, must be controlled because of its sensitivity.
Contractors that work with the DoD and have access to and will handle CUI on their information systems are required to become NIST 800-171 compliant.
NIST 800-171 Compliance Requirements
The basic security requirements in NIST 800-171 are drawn from FIPS Publication 200. The derived security requirements, which supplement the basic requirements, are drawn from the security controls in NIST 800-53. Together they total 110 requirements across 14 families (in Revisions 1 and 2 of the publication), and NIST 800-171 also maps each requirement back to the corresponding 800-53 control. The intent is to show what nonfederal systems need in order to manage the security of CUI without imposing the more rigorous requirements that apply to federal systems.
Ultimately, the intent of the control families in NIST 800-171 is to provide the level of security needed to control information for nonfederal systems while removing controls that are necessary for Federal systems but not needed outside of the government.
The 14 security requirement families in NIST 800-171:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Becoming NIST 800-171 Compliant
NIST 800-171 compliance starts with understanding what information is considered CUI, identifying the systems that store or process it, and identifying which parties have access to it. An organization then needs to understand the NIST 800-171 requirements themselves: 110 requirements across 14 families.
Our qualified NIST Consultants can show you how to successfully prepare for, and achieve compliance with the NIST Standards, and strategically support your information security goals and objectives.
As practitioners and NIST subject matter experts, our team combines technical understanding, hands-on implementation experience, and operational management, giving our partners strong support for their mission and for their federal customers' mandates.
Our team can assist with your assessment and remediation by mapping your existing policies and controls to evaluate compliance with NIST 800-171 requirements. Our services typically include:
- A NIST 800-171 compliance gap analysis detailing weaknesses and remediation requirements
- A Plan of Actions and Milestones (POA&M) detailing tasks and milestones for compliance
- A System Security Plan (SSP) demonstrating how your organization meets the requirements
- An audit to validate compliance and identify any deficiencies
The Cyber Risk Management Plan - An Ongoing Process
Cybersecurity risk management is an ongoing process, something the NIST Cybersecurity Framework acknowledges by calling itself “a living document” that is intended to be revised and updated as needed. Once an enterprise has conducted its initial risk assessment and moved from its current to its desired risk posture, it should conduct regular, periodic assessments to identify new vulnerabilities and threats and decide how to address them, so that its risk posture stays at the desired level.
Interactive Security can work with you to properly implement a Cyber Risk Management Plan. Typical documentation:
- Cyber Risk Management Plan Table of Contents
- Corporate All-Hazards Risk Management Plan (RMP)
- Event/Incident Communications Plan (EICP)
- Event/Incident Response Plan (EIRP)
- Information Systems Contingency and CONOPS Plan (ISCP)
- Information Systems Policies and Procedures (ISPP)
- Security Audit Plan (SAP)
- System Security Plan (SSP)
- Security Assessment Report (SAR), only required in some instances
- Plan of Action & Milestones (POAM)
- DIBNet Incident Reporting Form
- US-CERT Incident Response Form
- CJCSM 6510.01B Incident Response Form
- Private Sector Incident Response Form