NIST Special Publication 800-171 groups its IT security requirements into 14 security families. (CMMC 1.0 called these groupings domains and defined 17 of them; CMMC 2.0 uses the same 14 families as NIST 800-171.)
1. Access Control
Who is authorized to view this data? How do you control access to the CUI that resides in your organization (within your systems and within your operations)?
2. Awareness & Training
Are people properly instructed in how to handle this information? Are your employees aware of the security risks that come with CUI, and trained to recognize and report them?
3. Audit & Accountability
Are records kept of authorized and unauthorized access? Can violators be identified?
4. Configuration Management
How are your networks and systems configured, baselined, and documented, and how are changes to those baselines controlled?
5. Identification & Authentication
What users are approved to access CUI and how are they verified prior to granting them access?
6. Incident Response
What is the process if a data breach or security incident occurs, including proper notification? If an incident puts CUI at risk, the DFARS 252.204-7012 clause requires the contractor to report the cyber incident to DoD within 72 hours of discovery; a subcontractor must also notify the prime contractor (or the next higher tier) that it has reported the incident.
7. Maintenance
What timeline exists for routine maintenance, and who is responsible?
8. Media Protection
How are electronic and hard copy records and backups safely stored? Who has access?
9. Personnel Security
How are employees screened prior to granting them access to CUI?
10. Physical Protection
Who has access to systems, equipment, and storage environments? For example, if you have one office with a front door and back door, what kind of security do you have? This could include locks, access control systems, and video monitoring systems. What is the physical environment like within your facility where the data is housed?
11. Risk Assessment
Do you periodically assess the risk to your operations, assets, and people from processing and storing CUI? Are systems scanned for vulnerabilities on a regular basis, and are the findings remediated?
12. Security Assessment
Are the security controls still effective? Are improvements needed, and are they tracked in a plan of action? Penetration testing and vulnerability assessments performed on an ongoing, regular basis are common ways to measure your security, although NIST 800-171 itself requires periodic assessment of the controls rather than penetration testing specifically.
13. Systems & Communications Protection
Is information regularly monitored and controlled at key internal and external transmission points?
14. System & Information Integrity
How quickly are possible threats detected, identified, and corrected?
Summary of NIST Requirements
For NIST 800-171, each of the 14 families contains a set of basic security requirements and derived security requirements that must be assessed and verified. Across the 14 families there are 110 individual requirements in total. (For comparison, NIST SP 800-53 defines several hundred controls and control enhancements, which is why 800-171 is the narrower, tailored set for non-federal systems that handle CUI.)
The requirements for NIST 800-171 can be summarized into four main groups.
- Controls – Data management controls and processes
- Monitoring & management – Real time monitoring/management of defined IT systems
- End user practices – Documented, well defined end user practices and procedures
- Security measures – Implementation of defined security measures
Existing infrastructure such as firewalls, directory services, and centralized logging may already cover some of these areas, but a firewall alone addresses only a few of the 110 requirements.
Controls Requirement
Chances are good that you already have some mechanisms in place for control, but you may not have documented them, and you may not have implemented best practices in this area. If you already keep audit records, such as system or file-server logs that specifically capture access to CUI, you have a meaningful head start on the controls requirements, because those records are what an assessor will ask to see. To meet the NIST 800-171 mandate, the controls requirement dictates that you:
- Assess and develop appropriate security controls
- Develop formal policies and procedures
- Create and maintain audit records regarding access to CUI
- Securely transmit data including encryption
- Encrypt data at rest
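The audit records mentioned above only satisfy the requirement if someone actually reviews them and can identify violators (the Audit & Accountability question). The script below is an added example, not code from the original article: it takes a constructed, simplified access log for a hypothetical CUI share under `/srv/cui/`, compares each access against an assumed list of authorized users, and reports successful access by anyone not on that list as well as users who repeatedly have access denied. Real deployments would feed auditd, Windows Security Event Log, or file-server audit data into the same check; the log format, path, and user names here are assumptions.

```python
"""Review audit records of access to a CUI share against the authorized-user list.

Added example for illustration; not from the original article. The log format,
the CUI location (/srv/cui/) and the user names are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

CUI_PREFIX = "/srv/cui/"        # hypothetical location of CUI on a file server
AUTHORIZED = {"alice", "bob"}   # assumed list of users approved to access CUI

# Constructed sample log: "<timestamp> user=<u> action=<a> path=<p> result=<r>"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=alice action=read path=/srv/cui/contract.pdf result=allowed
2024-05-01T09:02:11Z user=carol action=read path=/srv/cui/contract.pdf result=allowed
2024-05-01T09:05:30Z user=dave action=read path=/srv/cui/drawing.dwg result=denied
2024-05-01T09:05:35Z user=dave action=read path=/srv/cui/drawing.dwg result=denied
2024-05-01T09:05:40Z user=dave action=read path=/srv/cui/drawing.dwg result=denied
2024-05-01T09:10:00Z user=bob action=write path=/srv/cui/bom.xlsx result=allowed
2024-05-01T09:12:00Z user=bob action=read path=/srv/public/readme.txt result=allowed
"""


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "unauthorized-success" or "repeated-denied"
    detail: str


def parse_line(line):
    """Split one log line into a dict of its fields (paths are assumed to have no spaces)."""
    timestamp, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = timestamp
    return fields


def review(lines, denied_threshold=3):
    """Return (findings, per-user count of CUI accesses) for the given log lines.

    Only records whose path is under CUI_PREFIX are in scope; everything else is
    ignored so the review stays focused on the CUI enclave.
    """
    findings = []
    accesses = Counter()
    denied = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        if not rec["path"].startswith(CUI_PREFIX):
            continue                      # not CUI, out of scope for this review
        accesses[rec["user"]] += 1
        if rec["result"] == "denied":
            denied[rec["user"]] += 1      # the access control worked; count the attempt
        elif rec["user"] not in AUTHORIZED:
            # Access was granted to someone not on the approved list: either the
            # authorization list is stale or the enforcement point is misconfigured.
            findings.append(Finding(rec["user"], "unauthorized-success", rec["path"]))
    for user, count in denied.items():
        if count >= denied_threshold:
            findings.append(Finding(user, "repeated-denied", f"{count} denied attempts"))
    return findings, accesses


if __name__ == "__main__":
    results, counts = review(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.kind:22s} user={f.user:8s} {f.detail}")
    print("CUI accesses per user:", dict(counts))
```

Run against the sample, it flags `carol` (a successful read by a user who is not authorized) and `dave` (three denied attempts on the same file) while ignoring `bob`'s read of a non-CUI path. The same two questions, "who succeeded without authorization?" and "who keeps trying?", are what an assessor expects your audit review procedure to answer.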
Monitoring & Management Requirement
To meet the NIST 800-171 mandate, the monitoring and management requirement dictates that you:
- Monitor and manage user access to information systems
- Authenticate users and utilize multi-factor authentication
- Establish an operational incident management process
- Patch critical systems and scan for vulnerabilities
- Deploy antivirus/malware solutions and monitor activity
- Monitor network traffic for malicious activity
A technical design that segregates the systems used for CUI into their own enclave can be a cost-effective route to compliance: a clearly defined CUI system boundary limits the scope of the systems that must be assessed and managed.
End User Practices Requirement
To meet the NIST 800-171 mandate, the end user practices requirement dictates that you:
- Provide training and awareness to end users and system administrators on proper procedures for handling CUI
- Have management define and execute minimum password complexity compliance
There should be comprehensive documentation that describes how CUI is controlled by every department within the company. Computer usage policies and internet usage policies are also helpful.
Security Measures Requirement
To meet the NIST 800-171 mandate, the security measures requirement dictates that you:
- Assess and develop appropriate security controls
- Securely back up CUI
- Create and enforce policies to prevent unauthorized software
- Identify, track, and restrict access to network/application ports (firewall/systems)
Many cloud-based backup solutions do not meet the NIST 800-171 requirements on their own; under DFARS 252.204-7012, an external cloud service that stores or processes CUI must meet security requirements equivalent to the FedRAMP Moderate baseline, so check the provider's status before sending CUI backups there. Many software systems have native capabilities that, when configured properly, can address these security requirements without additional products.
NIST 800-171 Overview
The key points to remember for how to meet the NIST 800-171 requirements are: controls, monitoring/management, end user practices, and security measures. Becoming NIST compliant is not a one-time activity, it’s an ongoing process where you continuously:
- Assess – Evaluate the current situation
- Design – Create the necessary changes in the system
- Deploy – Implement those changes
- Manage – Continue to manage the system to maintain compliance
Think of it as working towards a goal. Becoming NIST compliant involves documenting a plan, and then working to that plan.