What is NIST 800-171 and How Do I Become Compliant?
Q: What is NIST 800-171?
Answer: NIST 800-171 is a publication titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, put forth by the National Institute of Standards and Technology (NIST). NIST 800-171 is incorporated into DFARS, which ultimately requires DoD contractors to adhere to the NIST 800-171 framework itself.
DFARS stands for the Defense Federal Acquisition Regulation Supplement, which is essentially an agency supplement to the Federal Acquisition Regulation (FAR) that is administered by the Department of Defense (DoD). Thus, the DFARS contains requirements of law, DoD directives, delegations of FAR authorities, and other essential policies and procedures that have a significant effect on the public.
Even if you are still asking yourself what NIST 800-171 is, you can already see that this publication is far-reaching and includes strict provisions for the literally thousands of contractors providing material services and solutions to the DoD – and to other federal agencies. There’s much to know about NIST 800-171, so here’s what’s important in terms of regulatory compliance for DoD contractors seeking to comply with this specific publication.
Understand the Origins of NIST 800-171
Now more than any time in history, the United States government is relying on tens of thousands of external entities (i.e., federal contractors) for providing essential services in helping carry out a wide range of business functions. Federal contractors are now storing, processing, and/or transmitting large amounts of data – much of it highly sensitive – in helping support mission critical services for federal agencies. Just stop and think of the endless list of services that federal contractors provide to agencies – cloud services, doing investigative background checks, processing financial and healthcare data, and much more.
It’s therefore absolutely critical that sensitive federal information residing in nonfederal information systems be secured at all times with industry leading security and privacy controls. Therefore, the protection of what’s known as Controlled Unclassified Information (CUI) has evolved, a process that began when the President of the United States signed an executive order (13556) calling for standardizations on handling unclassified information, ultimately designating the National Archives and Records Administration (NARA) as the executive agent for implementing the program.
NARA thus maintains a CUI registry, which is essentially an online repository of information and related policies and procedures related to the broader topic of Controlled Unclassified Information. Therefore, the ultimate purpose of NIST SP 800-171 is to provide federal agencies with recommended security requirements for ensuring the confidentiality of CUI when resident in nonfederal systems (i.e., federal contractors).
Begin with a Readiness & Gap Assessment
Diving head-first into NIST 800-171 with little or no understanding of what’s expected, or of what systems, people, and physical locations are in scope, is not recommended. Try starting with a NIST 800-171 readiness & gap assessment performed by highly experienced, capable federal compliance auditors, such as FLANK.
At FLANK, we offer a series of NIST 800-171 scoping & readiness assessment templates: easy-to-use and easy-to-implement MS Excel spreadsheets that contain all the essential information for each of the control families you’ll need to comply with. By the time you’ve successfully completed the readiness element of your NIST 800-171 engagement, you’ll have a concrete understanding of project scope, a “to do” list of remediation items, achievable milestones for the coming months, and more. That’s a win-win!
Be Aware of Necessary Security Tools and Solutions
As with most of today’s growing regulatory compliance mandates, it seems as if a laundry list of security tools and solutions are required to be in place. That’s especially true when it comes to NIST 800-171, so consider the following tools and solutions as necessary:
Configuration Management Devices: Configuration management is a broad term that covers the different types of configuration elements across various information systems. More specifically, from a scope perspective, configuration management should include the following:
- Network devices
- Servers, and the underlying operating systems and applications residing on them
- End-user work stations
- Software development
For the above four (4) areas, different processes and procedures – and tools – will be required for meeting the mandates of configuration management in today’s world of information security.
Audit Logging/Audit Trails Tools: Establishing baseline event logging, then capturing all essential information and parsing out the data as necessary is an essential element of meeting logging requirements for NIST 800-171. There are a number of industry leading tools and solutions available, with many of them actually being quite cost-effective.
Two-Factor Authentication (2FA): Privileged users accessing the in-scope CUI/CDI environment – whether they are on the network or are remote – and non-privileged users that are remote, must use two-factor authentication (2FA) at all times. There are numerous tools available for 2FA, so long as they meet two (2) of the following three (3) conditions: (1) something you know, (2) something you have, (3) something you are.
File Integrity Monitoring (FIM): The ability to monitor, detect, analyze, and record any type of modification to any type of file structure within information systems is an essential element of today’s compliance mandates, including NIST 800-171. The market is literally flooded with FIM tools, so you’ll have a healthy range of options to choose from.
Vulnerability Scanning: Vulnerability scanning – both internal and external scanning – is an essential element of today’s InfoSec best practices. After all, scanning one’s internal and external network for threats and vulnerabilities just makes sense.
Network Based Intrusion Detection System (IDS): Having a tool that “sniffs” your network at the perimeter to detect anomalies and other suspicious traffic is yet another of today’s InfoSec best practices, and it’s also essential for NIST 800-171 compliance.
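The 2FA rule above is easy to get wrong in practice: a password plus a PIN is still only “something you know”. The following is an added illustration (not FLANK’s code or any product’s API) that encodes the page’s two rules as a policy check: which users must present 2FA, and whether the authenticators presented actually span two distinct factor categories. The authenticator names and their category mapping are assumptions for the example.

```python
"""Policy check for the 2FA rule: who needs it, and what counts as two factors."""

# Assumed mapping of authenticator types to the page's "know / have / are" categories.
FACTOR_OF = {
    "password": "know",
    "pin": "know",
    "security_question": "know",
    "totp_app": "have",
    "hardware_token": "have",
    "smart_card": "have",
    "fingerprint": "are",
    "face": "are",
}


def distinct_factors(authenticators):
    """Return the set of factor categories proven by the presented authenticators.

    Unknown authenticator types are ignored rather than counted, so an
    unrecognised name can never inflate the factor count."""
    return {FACTOR_OF[a] for a in authenticators if a in FACTOR_OF}


def is_two_factor(authenticators):
    """True only when at least two *different* categories are present.

    password + pin are both 'know' and therefore do not qualify as 2FA."""
    return len(distinct_factors(authenticators)) >= 2


def mfa_required(privileged, remote):
    """Page rule: privileged users always; non-privileged users only when remote."""
    return privileged or remote


def access_decision(privileged, remote, authenticators):
    """Return (allowed, reason) for an access attempt to the CUI environment."""
    factors = distinct_factors(authenticators)
    if not mfa_required(privileged, remote):
        return True, "single factor acceptable for local non-privileged access"
    if is_two_factor(authenticators):
        return True, "two distinct factors presented: " + ", ".join(sorted(factors))
    return False, "2FA required but only %d distinct factor(s) presented" % len(factors)


if __name__ == "__main__":
    # Constructed sample: a remote admin using two knowledge factors is denied.
    print(access_decision(True, True, ["password", "pin"]))
```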
Know that Policies and Procedures are Critical
Documentation is absolutely essential when it comes to NIST 800-171 compliance. Specifically, we’re talking about information security policies and procedures, conducting an annual risk assessment, performing security awareness training, and much more. You could potentially spend hundreds of hours and thousands of dollars authoring NIST 800-171 policies – but why, when all that’s needed are the comprehensive federal defense industry toolkits and templates available for immediate download today at flank.org.
FLANK’s materials are world-class, easy-to-use and implement, and ready for customization. You don’t need to hire expensive consultants or full-time compliance officers for policy creation, just use our documents.
You’ll Need to Author a System Security Plan (SSP)
What’s a System Security Plan (SSP) for purposes of NIST SP 800-171 reporting? It is a document that provides an overview of the security requirements of the system and describes the controls in place, or planned, for meeting those requirements. Thus, the SSP should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. Input for developing an SSP should come from all participants deemed in-scope, such as information system owners, users, management, third-party providers, and more. FLANK’s DFARS NIST 800-171 Compliance All-in-One Toolkit includes comprehensive, well-written, and easy-to-use SSP templates developed specifically for DoD contractors. Get it now at flank.org and start saving both time and money on SSP development.
Have Gaps? Then It’s Time for a POAM
The Plan of Action and Milestones – simply known as a POAM – is a corrective plan of action put into place for tracking, planning, implementing, and resolving the information security weaknesses that are documented in a Security Assessment Report (SAR), or in any other type of related assessment findings produced by qualified personnel. Note that the DoD itself – along with upstream reporting contractors – may very well request your SSP and your POAM as further evidence of NIST 800-171 compliance. A new age of cybersecurity threats is upon us. Are you ready to secure your critical information systems and related assets? Then it’s time to become DFARS NIST 800-171 compliant. FLANK can help.
Be Prepared for Annual NIST 800-171 Compliance
The Department of Defense – and, more broadly, the federal government – has been making a big push in recent years to strengthen the security and privacy controls of federal information systems. This also includes information resident in nonfederal information systems – those under the control of federal contractors. This means that contractors will not only be required to become DFARS NIST 800-171 compliant initially, but will also have to stay compliant every year thereafter. Welcome to the new world of federal regulatory compliance. Note that primes and the DoD itself could very well request a contractor’s SSP and/or POAM as proof of compliance with DFARS NIST 800-171.
The quick and easy solution for maintaining DFARS NIST 800-171 compliance without breaking the bank? Hire FLANK as your outsourced regulatory compliance provider. That’s right, we can perform all the essential duties an internal compliance officer would, yet at a fraction of their full-time salary. To learn more, download FLANK’s Regulatory Compliance Outsourcing Services Checklist and get started today. Simply choose which services you need, email us, and we’ll get right back in touch with a quote. It’s that easy. Companies all throughout North America are saving thousands of dollars, so why shouldn’t you!