Oct
17
2023

Protecting Sensitive Data: Understanding and Achieving NIST 800-171 Compliance

Achieve NIST 800-171 Compliance

Are you planning to become a defense contractor who handles controlled unclassified information (CUI)? Then you must be NIST 800-171 compliant. NIST 800-171 is the short form of NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations", published by the National Institute of Standards and Technology.

It is a federal framework that sets the minimum security requirements a nonfederal organization must meet to safeguard CUI on its own systems. Revision 2, current at the time of writing, specifies 110 security requirements grouped into 14 families. Every contractor who wants to achieve NIST 800-171 compliance must implement all 110 requirements and be able to demonstrate that it does, typically through a System Security Plan (SSP) describing how each requirement is met and a Plan of Action and Milestones (POA&M) for any that are not yet in place.

These requirements apply to prime contractors working for the Department of Defense and flow down to their subcontractors that handle CUI.

They also apply to universities and research institutes whose federal grants or contracts involve CUI. The big question, then, is how do you achieve NIST 800-171 compliance?

How to Achieve NIST 800-171 Compliance?


In this article, we explain the framework and walk through the steps towards compliance.

Let's get started.

Familiarize Yourself With the Basics

The first and most crucial step towards compliance is understanding the basics of NIST 800-171. As mentioned above, the publication aims to safeguard controlled unclassified information that is processed, stored or transmitted by nonfederal systems and organizations.

That is information the United States government requires to be protected even though it is not classified. Compliance with the publication is stipulated in contracts and agreements; for Department of Defense contractors the relevant clause is DFARS 252.204-7012.

Identify Controlled Unclassified Information

Since NIST 800-171 is a framework for protecting CUI, you first need to determine what CUI your organization handles. CUI is unclassified information that a law, regulation or government-wide policy requires to be safeguarded or to have its dissemination controlled; the authoritative list of categories is the National Archives' CUI Registry. Examples of this data include:

  • Proprietary business data
  • Financial information
  • Personally identifiable information
  • Health records

You can identify this information by reviewing your contracts and agreements, most of which explicitly specify the kind of CUI you will handle. Working closely with your legal or compliance teams also helps, as does checking how incoming documents are marked, since documents containing CUI should carry CUI markings.

Conduct Risk Assessment

Next, carry out a thorough risk assessment (requirement 3.11.1). It identifies the vulnerabilities in your systems and the threats to the CUI you handle, and it tells you which security controls to prioritize so that effort goes where the risk to sensitive data is highest.

To conduct the assessment, first define the scope: identify the systems, assets and processes that handle CUI, and set the boundaries of the assessment. Then list every asset that processes, stores or transmits CUI, such as databases, servers and file repositories, along with the user endpoints that access them.

Identify the threats and vulnerabilities that could compromise the confidentiality, integrity and availability of the CUI. Examples of threats include external attackers, malware, insider threats and physical security weaknesses; for each, rate the likelihood and the impact of a loss of CUI so that the findings can be ranked.

Map Controls to NIST 800-171 Requirements

To achieve compliance, you need to ensure that the controls in your organization's processes and systems align with the requirements in the NIST publication.

Here, you document the procedures, policies and security measures your organization already operates. Then match each existing control to the corresponding NIST 800-171 requirement, identify the gaps and prioritize addressing them; the result of this gap analysis feeds directly into your SSP and POA&M.

Ensure your staff are trained on the mapped controls so that they understand their roles and responsibilities in implementing and maintaining them.

Implement Security Controls

You then need to implement the security requirements NIST 800-171 specifies for protecting CUI.

To be effective in this process, review the 14 requirement families in NIST 800-171 (such as Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, and System and Communications Protection). Determine how each applies to your environment, documenting a justification for any requirement you judge not applicable, and prioritize the work according to the level of risk your organization faces.

You can then create policies and procedures that cover every requirement. Have documents that clearly outline how each control is implemented, maintained and audited. Most importantly, tailor the policies and procedures to your organization's needs rather than copying generic templates.

Ensure that all the teams and individuals in your organization know their roles in protecting CUI. Assign responsibilities for implementation, monitoring and reporting. Depending on the controls you have selected, some roles require technical implementation work, for example setting up access controls and configuring firewalls.

Also, create robust access controls that prevent unauthorized individuals from reaching controlled unclassified information.

Here, you implement identification and authentication (the 3.5 family, including multifactor authentication for privileged accounts and for network access), authorization on a deny-by-default, least-privilege basis, and access monitoring through audit logs. You also need to encrypt CUI both at rest and in transit, and where cryptography is used to protect the confidentiality of CUI, NIST 800-171 requires it to be FIPS-validated (requirement 3.13.11).
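The following Go program is an added example, not code from the original article, showing what the technical side of these access-control and encryption requirements looks like in working code: a deny-by-default authorization check that writes an audit record for every decision (allowed or denied), and AES-256-GCM encryption of a CUI record before it is written to storage, with the record's identifier bound as additional authenticated data so a ciphertext cannot be swapped between records. The role names, action names, object identifiers and sample record are all constructed for illustration; the key in main is generated on the fly and would come from a key manager in practice, and the Go standard-library crypto shown here is not itself a FIPS-validated module, so a real deployment must use a validated cryptographic module to satisfy 3.13.11.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Action is an operation a user may attempt on a CUI object.
type Action string

const (
	Read  Action = "read"
	Write Action = "write"
)

// defaultPermissions is the deny-by-default authorization matrix.
// Role and action names are assumptions for this example, not NIST terms;
// an organization would derive them from its own CUI handling roles.
var defaultPermissions = map[string]map[Action]bool{
	"cui-analyst":   {Read: true},
	"cui-custodian": {Read: true, Write: true},
}

// Guard makes access decisions and records every one of them, allowed or
// denied, so the audit trail (3.3.1, 3.3.2) shows who touched which CUI object.
type Guard struct {
	perms map[string]map[Action]bool
	Audit []string
}

func NewGuard() *Guard { return &Guard{perms: defaultPermissions} }

// Authorize applies least privilege: the (role, action) pair must be
// explicitly granted; unknown roles and unknown actions fall through to deny.
func (g *Guard) Authorize(user, role string, action Action, object string) bool {
	allowed := g.perms[role][action] // lookup in a nil inner map yields false
	outcome := "DENY"
	if allowed {
		outcome = "ALLOW"
	}
	g.Audit = append(g.Audit, fmt.Sprintf("%s user=%s role=%s action=%s object=%s outcome=%s",
		time.Now().UTC().Format(time.RFC3339), user, role, action, object, outcome))
	return allowed
}

// SealAtRest encrypts a CUI record with AES-256-GCM before it is written to
// storage (3.13.16). The object identifier is bound as additional
// authenticated data so a ciphertext cannot be silently moved to another
// record. key must be 32 bytes. Output layout: nonce || ciphertext || tag.
func SealAtRest(key []byte, objectID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectID)), nil
}

// OpenAtRest decrypts and verifies a record produced by SealAtRest; any change
// to the ciphertext, the tag or the object ID fails authentication.
func OpenAtRest(key []byte, objectID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectID))
}

// newGCM builds the AEAD and rejects anything other than an AES-256 key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := make([]byte, 32) // demo key only; use a key manager in production
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte("Constructed sample: contract pricing data marked CUI")
	sealed, err := SealAtRest(key, "contract-42", record)
	if err != nil {
		panic(err)
	}
	g := NewGuard()
	if g.Authorize("bob", "cui-analyst", Read, "contract-42") { // ALLOW
		pt, _ := OpenAtRest(key, "contract-42", sealed)
		fmt.Printf("bob read: %s\n", pt)
	}
	g.Authorize("bob", "cui-analyst", Write, "contract-42") // DENY: analyst cannot write
	g.Authorize("eve", "visitor", Read, "contract-42")      // DENY: unknown role
	for _, line := range g.Audit {
		fmt.Println(line)
	}
}
```

Two design points are worth noting. Every Authorize call, including the denied ones, produces an audit line, because a log that records only successes cannot support the incident investigation that the Audit and Accountability family exists for. And binding the object identifier into the GCM authenticated data means an attacker with write access to the storage layer cannot re-label one encrypted record as another without detection.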