NIST Compliance

The National Institute of Standards and Technology (NIST) develops and issues standards, guidelines, and other publications to assist in managing cost effective programs to protect information and information systems of federal agencies. The resources that NIST provides are recognized by and utilized by IT security, compliance, and risk management professionals in all industries as a "standard" for best practices.

NIST is one of the nation’s oldest physical science laboratories and it is part of the US Department of Commerce. Congress established NIST in 1901 in an effort to remove a major challenge to US industrial competitiveness at the time—a second-rate measurement infrastructure that lagged behind the capabilities of the United Kingdom, Germany, and other economic rivals. The Information Technology Laboratory (ITL) at NIST promotes the United States economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure.

In the last 30 years, NIST has been a major force behind IT security initiatives. If you do business directly with the government, your contract may include technology requirements for compliance with cybersecurity standards. If you do business indirectly with the government (in service to a prime contractor), you may also be required to meet certain cybersecurity standards.

With cybersecurity a focal point for all major industries, safeguarding federal supply chains is becoming more important than ever.

back to top ↑

NIST Special Publication 800-53 provides a catalog of security controls for all US federal information systems except those related to national security.

NIST SP 800-53 was first published in February 2005 and companies impacted were required to be compliant within one year of that publication date. NIST Special Publication 800-53 provides a catalog of security controls for all US federal information systems except those related to national security. NIST SP 800-53 has had five revisions since its initial publication date, the most recent one was released as the first public draft August 15, 2017; as of January 8, 2018, the final publication date of that revision has been delayed.

NIST 800-53 is part of the Special Publication 800-series that reports on the Information Technology Laboratory’s (ITL) research, guidelines, and outreach efforts in information system security, and on ITL’s activity with industry, government, and academic organizations. NIST 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. This includes selecting an initial set of baseline security controls based on a FIPS 199 worst-case impact analysis, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk. The security rules cover 17 areas including access control, incident response, business continuity, and disaster recoverability.

NIST 800-53 is considered the de facto standard for US government cybersecurity.

back to top ↑

NIST 800-171 is basically a subset of NIST 800-53. Companies who are already compliant with NIST 800-53 are automatically compliant with NIST 800-171.

NIST 800-171 provides a set of guidelines that outline the processes and procedures that companies need to implement to safeguard this information. NIST 800-171 provides guidance as to how CUI should be accessed, shared, and stored in a secure fashion.

The requirements recommended for use in this publication are derived from FIPS Publication 200 and the moderate security control baseline in NIST Special Publication 800-53. NIST SP 800-53 covers security controls for US federal information systems except those related to national security. The NIST security requirements and security controls have been determined over time to provide the necessary protection for federal information and systems which are covered under FISMA (Federal Information Security Modernization Act of 2014).

By complying with NIST 800-171, you will also meet the majority of the criteria for NIST 800-53. 

Federal Department of Defense (DoD) prime contractors have been working with NIST 800-53 controls since that publication first existed. The NIST 800-53 publication is a comprehensive guide to securing federal information systems. In general, DoD prime contractors (and not subcontractors working for primes) need to comply with NIST 800-53 if they operate federal information systems on behalf of the government (or if the requirements for NIST 800-53 compliance is included in their federal contracts).

As of December 31, 2017, companies that provide parts and equipment for suppliers serving federal and local governments must be compliant with the NIST 800-171 mandate. For many companies, this is the first time they have had to deal with compliance.

When NIST SP 800-171 first came out in June 2015, the original deadline for compliance was delayed, so many people thought the December 31, 2017 deadline might be delayed too. That has not happened.

Now that the December 31, 2017 deadline has come and gone, it is clear NIST SP 800-171 is here to stay so many companies are suddenly scrambling to become compliant or at least to have a plan in place to do so.

Unlike previous security mandates, this is the first one to impact subcontractors, in addition to prime contractors. Companies further down the federal supply chain now have new compliance requirements to which they need to adhere if they want to continue to do work for primes. These NIST standards must be met by anyone who processes, stores, or transmits potentially sensitive information (CUI) for the Department of Defense (DoD), General Services Administration (GSA), NASA, and other federal or state agencies. This includes contractual agency relationships.

CUI is defined as information created by the government, or an entity on behalf of the government, that is unclassified, but needs safeguarding. CUI is information that is sensitive and relevant to the interests of the US and potentially its national security, but not strictly regulated by the federal government. This is information that resides on your company’s internal systems. If you are a prime contractor (or a subcontractor), you may be logging into a portal and downloading information (such as a mechanical drawing) that is then stored on your internal systems. You may also see CUI referred to as "Covered Defense Information" — not to be confused with "Controlled Technical Information."

CUI is Unclassified Information that is stored on “Covered Contractor Information Systems,” which indicates an unclassified information system that is owned (or operated by or for) a contractor and that processes, stores, or transmits covered defense information. In performance of a subcontract, if you anticipate operating a “covered contractor information system,” as that term is defined in DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, paragraph (a), then ask yourself:

• Will you be in full compliance with the NIST SP 800-171 requirements by December 31, 2017?
• If not, do you intend to rely on the “alternative but equally effective security measures” provided for in DFARS 252.204‑7012(b)(2)(ii)(B)?

NIST 800-171 provides a set of guidelines that outline the processes and procedures that companies need to implement in order to achieve compliance in regard to controls around CUI. In working with several Department of Defense contractors, Corserva has also seen this information referred to as Covered Defense Information (CDI), formerly described as “unclassified Information which is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor.”

As defined in the National Archives:

Examples of CUI

Examples of CUI include email, electronic files, blueprints, drawings, proprietary company or contractor information (such as sales orders and contracts), and physical records (such as printouts). It is important to understand that CUI security requirements are not restricted to digital files; CUI can include paper copies, which are specifically referred to as "printed from an information system which processes or stores electronic files transmitted or stored on servers, desktops, laptops, mobile devices, etc."

Let’s say that in the course of fulfillment of a federal contract, you receive email with attached files from the agency with which you are doing business. That information (which is CUI) now resides on your company’s email system (potentially on that workstation’s hard drive) and must be protected. Likewise, if you develop proprietary information for the DoD or for a prime contractor, that information must be protected. If you receive printouts through the mail or by courier service, that information must be protected.

To comply with the NIST 800-171 mandate, companies must undertake a review, or assessment, of their critical systems as they relate to CUI. Typical systems to include are end user workstations and laptops, servers, storage devices, and network devices such as routers, firewalls, switches, wireless access points (WAP), and printers. Physical security may also need to be addressed.

It can become complex very quickly.

Entities that deal with government controlled unclassified information must comply. If you are in the federal supply chain, there is a high probability that you need to be compliant with the NIST 800-171 mandate. Typical entities with this kind of information include universities, research institutions, consulting companies, service providers, and manufacturers, especially manufacturing companies that are prime contractors, or that sub for prime contractors, for various government contracts. These entities will almost always have CUI on premise or in cloud based or provider based systems and applications.

NIST 800-171 is not confined to prime contractors. (Learn more in "3 Myths About NIST 800-171 and NIST Compliance.") The NIST compliance standards outlined must be met by anyone who processes, stores, or transmits this type of potentially sensitive information (CUI) for the DoD, GSA, or NASA and other federal or state agencies. This includes contractual agency relationships and flows down to subcontractors. There are negative ramifications for not being compliant that can include the loss of customers.

NIST not only applies to manufacturers directly selling to the government, but to any subcontractor selling to a government supplier. And even if today you do not currently provide parts for any supplier serving the government, do you really want to count yourself out of any future opportunities to sell to a supplier who does serve the government?

Typically, prime contractors are notified by the DoD directly that they need to be in compliance with NIST 800-171. Flow down clauses within the contract will stipulate that any subcontractors of the prime also need to comply. For many subcontractors, this is their first experience with NIST 800-171 and they are unsure how to proceed.

You should ask any of your own service providers or subcontractors if they have security controls put in place and how close they are to achieving NIST compliance. Through the flow down clause within a contract, you have a responsibility to determine what security deficiencies are in the supply chain through any partners you deal with (such as manufacturers and IT providers).

The good news for manufacturers who embark on the effort to meet the NIST 800-171 mandate is that it provides a competitive advantage over manufacturers that have not. Also, a side benefit of becoming compliant with NIST 800-171 is that once you do, you have also made significant progress on the path to comply with NIST 800-53, another competitive advantage. Once you meet the NIST 800-171 mandate, you can contact your customers to let them know, and ask them if they know if all their suppliers are compliant.

No, although a majority of companies that must comply with the NIST 800-171 mandate are manufacturers.

Meeting government regulations is a challenge in every industry, and manufacturing is no exception. But remember, anyone who deals with CUI must comply. This can include engineering organizations, procurement services companies, fleet management companies, and staffing firms, in addition to manufacturing companies. Any company doing business with a prime contractor, subcontractor, or another company further down the stream in the federal supply chain is impacted by this mandate.

Some organizations will receive direct notification about their need to comply. Some manufacturers that Corserva has worked with were first notified as far back as May 2016. If you are a manufacturer, you may have been notified by a prime contractor or subcontractor stating that you need to comply with NIST 800-171 as of December 31, 2017. Notification can come directly via mail or email. Alternately, you might be notified via messages you see when logging into a portal that you use for procurement or order management.

Several of Corserva’s clients do not recall seeing any notification but have taken a proactive step to achieve compliance, knowing it is likely they will be asked about this eventually.

Keep in mind that if you receive no notification, this does not mean you do not need to comply with NIST 800-171. It’s possible the notification was sent but the correct person to receive it never saw it. Corserva has worked with many companies who never received formal notification to comply.

back to top ↑

NIST Special Publication 800-171 is broken out into 14 different families of IT security requirements.

Within each of these 14 families are a set of basic security requirements and derived security requirements that must be assessed and verified. Across the 14 families, there are a total of 110 individual line items that must be verified. (For comparison, there can be up to 212 line items for NIST 800-53.)

The requirements for NIST 800-171 can be summarized into four main groups.

1. Controls – Data management controls and processes
2. Monitoring & management – Real time monitoring/management of defined IT systems
3. End user practices – Documented, well defined end user practices and procedures
4. Security measures – Implementation of defined security measures

If you have a firewall solution in place, you may already have a lot of these areas covered.

Controls Requirement

Chances are good that you already have some mechanisms in place for ‘control,’ but you may not know what they are, and you may not have implemented best practices in this area. If you have audit records such as system or network device logs specifically focused on access to CUI, you might already be halfway there to meeting the controls requirements. To meet the NIST 800-171 mandate, the controls requirement dictates that you:

• Assess and develop appropriate security controls
• Develop formal policies and procedures
• Create and maintain audit records regarding access to CUI
• Securely transmit data including encryption
• Encrypt data at rest

Monitoring & Management Requirement

To meet the NIST 800-171 mandate, the monitoring and management requirement dictates that you:

• Monitor and manage user access to information systems
• Authenticate users and utilize multi-factor authentication
• Establish an operational incident management process
• Patch critical systems and scan for vulnerabilities
• Deploy antivirus/malware solutions and monitor activity
• Monitor network traffic for malicious activity

A technical design that segregates systems used for CUI can be a cost effective method to achieve compliance. A defined IT system can limit the scope of work to be done.

End User Practices Requirement

To meet the NIST 800-171 mandate, the end user practices requirement dictates that you:

• Provide training and awareness to end users and system administrators on proper procedures for handling CUI
• Have management define and execute minimum password complexity compliance

There should be comprehensive documentation that describes how CUI is controlled by every department within the company. Computer usage policies and internet usage policies are also helpful.

Security Measures Requirement

To meet the NIST 800-171 mandate, the security measures requirement dictates that you:

• Assess and develop appropriate security controls
• Securely back up CUI
• Create and enforce policies to prevent unauthorized software
• Identify, track, and restrict access to network/application ports (firewall/systems)

A lot of cloud based backup solutions do not meet the NIST 800-171 requirements. There are native capabilities within many software systems that, when configured properly, can address these security requirements.

NIST 800-171 Overview

At this point, you might feel as if your head is spinning. But the key points to remember for how to meet the NIST 800-171 requirements are: controls, monitoring/management, end user practices, and security measures.

Becoming NIST compliant is not a one-time thing, it’s an ongoing process where you continuously:

1. Assess – Evaluate the current situation
2. Design – Create the necessary changes in the system
3. Deploy – Implement those changes
4. Manage – Continue to manage the system to maintain compliance

Think of it as working towards a goal. Becoming NIST compliant involves documenting a plan, and then working to that plan.

back to top ↑

UPDATE AS OF NOVEMBER 2019:

When the NIST 800-171 mandate first went into effect on December 31, 2017, there were two ways to achieve compliance with the NIST 800-171 mandate.

1. Hire a third-party organization to perform a NIST 800-171 assessment and make recommendations.
2. Perform your own self-assessment and self attestation.

You would then develop and maintain formal documents for submission to DoD prime contractors or subcontractors upon contract initiation or renewal. These documents included a System Security Plan (SSP) and Plan of Action with Milestones (POA&M).

However, once the CMMC framework goes into effect, there is no longer an option for self-attestation. The requirement for the SSP and POA&M will remain in effect.

The CMMC framework will require all companies seeking NIST 800-171 compliance to work with an accredited and independent third-party organization to schedule a CMMC assessment. Corserva intends to become an accredited certification organization.

back to top ↑

To determine your compliance status, commission an assessment by an outside third party, such as Corserva. (See "Leveraging NIST Assessments to Become NIST Compliant.") You may already be working with service providers that have expertise in this area. It is important that you find a vendor with the specific computer security skills required for NIST assessments; not every managed services provider is qualified for this type of NIST security work.

You should seek out a vendor with experience in this area of compliance and assessment as well as comprehensive experience in project management. A major benefit to using an outside third party is the level of expertise you will gain. By using an outside third party, you gain advanced expertise in specific areas instead of one person with a high level view, such as when using an inside resource.

Phases of the Assessment

The assessment should consist of three phases:

1. Business process review
2. Technical assessment of systems and networks
3. Data analysis

In our experience at Corserva, each phase takes 20-30 days with most engagements (depending on the size of the organization and the technology utilized). The end deliverable at the completion of these phases will be your compliance baseline. There are costs involved in becoming NIST compliant, but you may not need to spend as much as you think.

Many companies already have some of the technology in place required for NIST compliance, which can make the assessment less lengthy. In those cases, the assessment will focus on what process changes are needed to meet NIST compliance.

Questions You Will Be Asked

During the assessment process, the NIST partner will review your information systems environment as it relates to specific CUI use cases. You will be asked about different access scenarios. The partner will review your policies and procedures regarding IT systems – formal, informal, written, and not. If you have been working with an outside IT service provider, the NIST partner may also meet with them and will review their documentation.

The NIST vendor will go through the 110 requirements across the 14 families as defined in NIST Special Publication 800-171, Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. For each requirement, the vendor will assess your company as fully compliant, partially compliant, or not compliant and include supporting documentation as well as recommendations of what changes to make to become compliant.

After the Assessment

From this assessment, you will have a specific roadmap to follow on the path to achieve compliance. This may involve process changes as well as new hardware or software. (Learn more in "Leveraging Microsoft Office 365 to Comply with NIST 800-171.")

Any changes that are required based on the assessment can also be performed by the outside vendor that performed the assessment, your own internal staff, or an IT service provider you were already using to manage IT.

After the assessment, you should plan for ongoing validation on a regular basis to ensure you stay in compliance with NIST 800-171.

Costs to comply with NIST will vary based on the size of the organization, what technology you are already using, and how much CUI you have.

In general, assessments by an outside party for very small organizations can start in the $5,000 – $7,500 range. Costs will scale up based on number of employees, number of physical locations, and number of systems that must be assessed. When using an outside vendor, implementation of any changes needed to become compliant based on findings in the assessment will be priced separately.

The two main areas that will impact costs are processes and technology. A security savvy organization may have already adopted processes that keep data secure. Those processes will need to be assessed. Based on any holes found, changes will be warranted. In this example, processes may only need to be adjusted slightly. Other organizations may need to adopt completely new processes.

Companies using modern workstations and the latest software will generally have less work to do than others with a low level of technology. Some organizations may need to make technology improvements such as upgrading to a next generation firewall, or configuring an existing firewall differently.

back to top ↑

UPDATE AS OF NOVEMBER 2019:

No.

Once the CMMC framework goes into effect, there is no longer an option for self-attestation. The requirement for the SSP and POA&M will remain in effect.

Version 1.0 of the CMMC framework is expected to be available to the public in January 2020 with expectations for compliance in June 2020.

back to top ↑

From the outside assessment, you should produce a Plan of Action with Milestones (POA&M) and a System Security Plan (SSP) that describes how any unimplemented security requirements will be met and how any planned improvements will be implemented. These plans should include detailed milestones to measure your progress. 

From NIST Special Publication 800-171, Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations:

Nonfederal organizations should describe in a system security plan, how the specified security requirements are met or how organizations plan to meet the requirements. The plan describes the system boundary; the operational environment; how the security requirements are implemented; and the relationships with or connections to other systems. Nonfederal organizations should develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format.

Not only must you create these plans, you must implement these plans. Ideally, your plans will include implementation steps with scheduled dates of completion.

Although it is possible that a company can be in compliance with NIST 800-171 without ever going through an assessment and validation, we have never experienced this. For every company we have performed a NIST assessment or validation, we have found areas that need to be corrected to be in compliance.

We have never performed a NIST engagement where we determined that no changes were required to meet NIST 800-171 compliance. In every case, we have found processes and procedures that must be implemented or modified.

NIST is a non-regulatory agency of the US Department of Commerce. It's not as if auditors will storm your premises to see if you are in compliance. But your contracts will be at risk.

There are ramifications for not being compliant. If an auditor becomes aware that you have not achieved compliance, you can risk losing your existing contracts. If you are a prime contractor, your federal officer could ask you about your plan for compliance with the NIST 800-171 mandate (if they haven't already). If you are a subcontractor, you could be asked by your prime or sub at any time.

If you don’t become compliant with the NIST 800-171 mandate or have a plan in place to do so, you will be ineligible for any potential future contracts.

If a government contractor does not have proof of compliance, the company risks removal from the approved DoD vendor list. The DoD Chief Information Officer must now be notified within 30 days of contract award of any security requirements not implemented at the time including cybersecurity compliance.

back to top ↑

Some prime contractors have been very active in notifying their subcontractors of the need to comply with NIST 800-171. Many subcontractors Corserva has dealt with have not been directly notified at all, but they want to be proactive in achieving NIST compliance as they expect to get notified at some point. These manufacturers want to be able to answer affirmatively that they are compliant or have started down the path to achieve compliance when they are inevitably asked about it.

It’s not too late to become NIST compliant and you will benefit from doing so. If your prime or subcontractor has not asked you about NIST compliance yet, consider yourself lucky. When you are asked by your prime, sub, or DoD contracting officer, you want to be able to say that you have a plan for becoming compliant with the NIST 800-171 mandate and you have started down the path.

back to top ↑

After the assessment, you should plan for ongoing validation on a regular basis to ensure you stay in compliance with NIST 800-171.

With whichever method you choose to become compliant with the NIST 800-171 mandate, there are several questions you should start thinking about.

About Your Business

Industry and people

• Is there an InfoSec policy in place?
• What physical security do you have?
• Have you done any type of cybersecurity assessments in the past?
• How many employees do you have?
• How many workstations (if not all employees have computers)?
• Is everyone in one location or do you have multiple locations?

About Your Assets

Workstations and networks

• What type of physical equipment do you have within your network?
• How many end user workstations?
• How many servers?
• What operating systems are you running?
• Is there any type of encryption in place?
• What are you using for email?
• Which applications are you using, both on-premise and cloud-based?
• Do you have any firewalls?
• How is your network connected to the internet?
• Do you have a DMZ (demilitarized zone)?
• How many printers do you have and how are they accessed?
• What are you doing for backup?

About Your Data

The format of data and how it is accessed

• How does CUI enter your organization and in what format?
• How many of your users have access to CUI?
• In which systems and applications is the CUI stored?
• How is CUI accessed by staff?
• How is CUI shared amongst staff?
• Is CUI accessed by remote staff?
• Is CUI transmitted to other entities, and if so, how?