IT security has become a necessity in all tech-related industries — not only in the private sector but for companies that work with the federal government, as well. That’s why it’s essential to be aware of the security frameworks (like NIST SP 800-171) government entities require their contractors and subcontractors to adhere to and the security controls that must be implemented to maintain compliance.
Becoming NIST compliant means meeting a long list of requirements that fall into 14 control families. These controls cover a wide range of business practices, ranging from employee awareness and training, to access controls, to system integrity. Following the NIST SP 800-171 controls ultimately means a solid security posture for the entire organization.
What is NIST SP 800-171?
NIST SP 800-171 is a more recent compliance framework, active as of 2017, following an Obama-era mandate that federal agencies must create more robust protection for sensitive information. Biden’s executive order continues to strengthen these requirements.
The NIST SP 800-171 document is a special publication — thus the SP in its name — that was created by The National Institute of Standards and Technology (NIST), a federal organization that manages how third parties deal with government data. It provides a framework to protect what’s termed as “controlled, unclassified information,” or CUI, for organizations that partner or contract with federal institutions. One of the basic purposes of NIST SP 800-171 is to create a widely-accepted standard around the definition and handling of CUI.
CUI can include a range of data: personal information, health records, emails, designs, intellectual property, specifications for equipment, proprietary information, and more. It doesn’t quite hit the sensitivity level of nuclear codes or presidential correspondence, but rather information that would be damaging to an individual or organization if it were part of a security breach and would be otherwise protected under similar security frameworks, like HIPAA.
Who needs to follow NIST SP 800-171?
Despite the fact that NIST SP 800-171 refers to the handling of federal information, it actually applies to non-federal entities. Specifically, it applies to organizations that process or store any unclassified, sensitive data on behalf of a government institution. The NIST SP 800-171 requirement would appear as a contractual obligation for any partnering organization. A few types of organizations that need to follow NIST SP 800-171 are contractors, service providers, or consulting companies for agencies like:
- The Department of Defense (DoD)
- The National Aeronautics and Space Administration (NASA)
- The General Services Administration (GSA)
Even universities or other organizations involved in research that receive federal funding need to be NIST SP 800-171 compliant. This is not an exhaustive list, but rather common examples of the businesses that currently need NIST SP 800-171 compliance. If you handle any confidential or sensitive information when working with the Department of Defense, it is likely the NIST SP 800-171 requirements apply to you. In some cases, even sub-contractors or vendors who are part of a supply chain, but don’t directly handle CUI, may also be required to show compliance.
How Do You Implement NIST SP 800-171 controls?
Because there is no official audit or certification organization for NIST SP 800-171, contracting businesses and service providers must conduct a self-assessment and a self-attestation in order to prove compliance. Using a compliance software platform like Strike Graph makes it much easier to track NIST SP 800-171 controls and evidence and ensure ongoing compliance.
There are 110 requirements, all of which fall into the following NIST SP 800-171 control areas:
- Access controls
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Media protection
- Physical protection
- Personnel security
- Risk assessment
- Security assessment
- System and communications protection
- System and information integrity
These controls cover a broad swath of security practices. Some are directly related to an IT environment, like the storing and processing of CUI, while others have to do with documenting policies, procedures, and maintenance. The goal is a comprehensive organizational strategy for protecting CUI.
Let’s look at each of the NIST SP 800-171 control areas in a little more detail.
This control grouping is all about who is able to access systems, data, and networks. There are 22 requirements related to this category, all aimed at protecting and providing guidance around the flow of CUI.
Awareness and training
Three of the requirements are related to making sure that employees handling CUI, including both system administrators and users, receive effective training on the potential risks and related procedures. These requirements ensure that employees feel confident in performing their security-related tasks.
Audit and accountability
The nine requirements that fall into this control group deal with the way that audit records are managed and stored. The goal is to review and analyze records to consistently build best practices and mitigate future risks.
The nine requirements in this control family ensure that all the organization’s hardware and software are properly configured with correct security features. It also aims to prevent malicious software installation.
Identification and authentication
These 11 requirements guarantee that only users who are authenticated are able to access the network. This involves password requirements, authentication procedures, and differentiation between privileged and non-privileged users.
These three requirements ensure that the organization has appropriate procedures in place to deal with cybersecurity incidents effectively. The plans must cover a range of possible incidents, and employees must receive effective training. Regular testing should also take place.
There are six requirements that relate to system and network maintenance. These include that systems should be continuously monitored and upgraded in order to protect CUI.
These nine requirements deal with the storage and handling of sensitive media in both physical and digital form. This includes backups, equipment, and external drives.
Six of the requirements are related to physical access to CUI. They ensure that only authorized personnel are allowed into physical spaces where CUI is stored. This also includes appropriate controls for visitor access.
Two requirements relate to employee security. One ensures that anyone who will have access to CUI is screened ahead of time, and the other puts measures in place to safeguard CUI when employees are either transferred or terminated.
Two requirements ensure that organizations run regular risk assessments and work continuously to shore up vulnerabilities that these assessments uncover.
The four requirements in this family relate to monitoring security procedures by monitoring and strengthening system controls. This helps to reveal any weaknesses and ensures continuous improvement.
System and communications protection
There are 16 requirements that enforce the security of all data transmission. These controls help to prevent unauthorized transfers and also relate to cryptography policies within the system.
System and information integrity
The final seven requirements relate to the safeguarding of all the organization’s information systems. This includes the use of system alerts and establishing processes for identifying any unauthorized access or use.
Best practices when implementing NIST SP 800-171 controls
As you begin implementing NIST SP 800-171 controls, it will help to keep these best practices in mind:
Identify CUI and Categorize Data
Running a comprehensive audit of all of the organization’s information to determine what CUI exists and who handles that information is a key first step. Once you have gathered all known CUI, organize this information into the NIST-approved categories (listed above). Each type of CUI has its own requirements for NIST SP 800-171 compliance.
Complete a security assessment
Run a complete security assessment to determine what compliance risks exist to help you acknowledge and establish protection against any vulnerabilities.
Develop and test baseline controls
All 14 families of NIST SP 800-171 controls must be secured. Organizations that are already compliant with other frameworks likely have some of these controls already established, but it’s important to reexamine these in the context of NIST SP 800-171. Then, develop and test any additional controls that are needed to cover all ground.
A crucial part of the compliance process is providing proof of the steps taken to comply with the requirements of NIST SP 800-171. Be sure to document all security plans and continuously update when plans change. In the unfortunate event that a breach takes place, having this documentation up to date can also prove that the organization was not at fault.
Create response plans
Regardless of how well-prepared an organization may be, breaches are always possible. Be sure there is a plan in place for response to a possible breach — employees should be well-informed about what steps to take to address it.
Ensure ongoing training
Employees are the people who are regularly handling CUI. Delivering consistent, effective training will help them recognize any security lapses and will ensure company-wide buy-in to strong security practices.
Benefits of NIST SP 800-171 compliance
At its core, NIST SP 800-171 allows the government and its agencies to do important work while ensuring that their information is protected – even by those who aren't directly connected to the federal government.
In addition to the practical benefits of NIST SP 800-171, there are also potential penalties — including fines —that the government can levy if a partnering organization is not compliant. They can also sue for damages for breach of contract, and of course, your company’s contract can be ended with the potential to lose your contractor status. And, because government information is at stake, there is even the possibility of criminal charges, depending on the severity of the situation.