Download this guide to learn everything you need to know about 
Federal Department of Defense (DoD) prime contractors have been working with NIST 800-53 controls since that publication first existed. The NIST 800-53 publication is a comprehensive guide to securing federal information systems. In general, DoD prime contractors (and not subcontractors working for primes) need to comply with NIST 800-53 if they operate federal information systems on behalf of the government (or if the requirements for NIST 800-53 compliance is included in their federal contracts).
As of December 31, 2017, companies that provide parts and equipment for suppliers serving federal and local governments must be compliant with the NIST 800-171 mandate. For many companies, this is the first time they have had to deal with compliance.
When NIST SP 800-171 first came out in June 2015, the original deadline for compliance was delayed, so many people thought the December 31, 2017 deadline might be delayed too. That has not happened.
Now that the December 31, 2017 deadline has come and gone, it is clear NIST SP 800-171 is here to stay so many companies are suddenly scrambling to become compliant or at least to have a plan in place to do so.
Unlike previous security mandates, this is the first one to impact subcontractors, in addition to prime contractors. Companies further down the federal supply chain now have new compliance requirements to which they need to adhere if they want to continue to do work for primes. These NIST standards must be met by anyone who processes, stores, or transmits potentially sensitive information (CUI) for the Department of Defense (DoD), General Services Administration (GSA), NASA, and other federal or state agencies. This includes contractual agency relationships.
Entities that deal with government controlled unclassified information must comply. If you are in the federal supply chain, there is a high probability that you need to be compliant with the NIST 800-171 mandate. Typical entities with this kind of information include universities, research institutions, consulting companies, service providers, and manufacturers, especially manufacturing companies that are prime contractors, or that sub for prime contractors, for various government contracts. These entities will almost always have CUI on premise or in cloud based or provider based systems and applications.
NIST 800-171 is not confined to prime contractors. (Learn more in "3 Myths About NIST 800-171 and NIST Compliance.") The NIST compliance standards outlined must be met by anyone who processes, stores, or transmits this type of potentially sensitive information (CUI) for the DoD, GSA, or NASA and other federal or state agencies. This includes contractual agency relationships and flows down to subcontractors. There are negative ramifications for not being compliant that can include the loss of customers.
NIST not only applies to manufacturers directly selling to the government, but to any subcontractor selling to a government supplier. And even if today you do not currently provide parts for any supplier serving the government, do you really want to count yourself out of any future opportunities to sell to a supplier who does serve the government?
Typically, prime contractors are notified by the DoD directly that they need to be in compliance with NIST 800-171. Flow down clauses within the contract will stipulate that any subcontractors of the prime also need to comply. For many subcontractors, this is their first experience with NIST 800-171 and they are unsure how to proceed.
You should ask any of your own service providers or subcontractors if they have security controls put in place and how close they are to achieving NIST compliance. Through the flow down clause within a contract, you have a responsibility to determine what security deficiencies are in the supply chain through any partners you deal with (such as manufacturers and IT providers).
The good news for manufacturers who embark on the effort to meet the NIST 800-171 mandate is that it provides a competitive advantage over manufacturers that have not. Also, a side benefit of becoming compliant with NIST 800-171 is that once you do, you have also made significant progress on the path to comply with NIST 800-53, another competitive advantage. Once you meet the NIST 800-171 mandate, you can contact your customers to let them know, and ask them if they know if all their suppliers are compliant.
Within each of these 14 families are a set of basic security requirements and derived security requirements that must be assessed and verified. Across the 14 families, there are a total of 110 individual line items that must be verified. (For comparison, there can be up to 212 line items for NIST 800-53.)
The requirements for NIST 800-171 can be summarized into four main groups.
- Controls – Data management controls and processes
- Monitoring & management – Real time monitoring/management of defined IT systems
- End user practices – Documented, well defined end user practices and procedures
- Security measures – Implementation of defined security measures
If you have a firewall solution in place, you may already have a lot of these areas covered.
Controls Requirement
Chances are good that you already have some mechanisms in place for ‘control,’ but you may not know what they are, and you may not have implemented best practices in this area. If you have audit records such as system or network device logs specifically focused on access to CUI, you might already be halfway there to meeting the controls requirements. To meet the NIST 800-171 mandate, the controls requirement dictates that you:
- Assess and develop appropriate security controls
- Develop formal policies and procedures
- Create and maintain audit records regarding access to CUI
- Securely transmit data including encryption
- Encrypt data at rest
Monitoring & Management Requirement
To meet the NIST 800-171 mandate, the monitoring and management requirement dictates that you:
- Monitor and manage user access to information systems
- Authenticate users and utilize multi-factor authentication
- Establish an operational incident management process
- Patch critical systems and scan for vulnerabilities
- Deploy antivirus/malware solutions and monitor activity
- Monitor network traffic for malicious activity
A technical design that segregates systems used for CUI can be a cost effective method to achieve compliance. A defined IT system can limit the scope of work to be done.
End User Practices Requirement
To meet the NIST 800-171 mandate, the end user practices requirement dictates that you:
- Provide training and awareness to end users and system administrators on proper procedures for handling CUI
- Have management define and execute minimum password complexity compliance
There should be comprehensive documentation that describes how CUI is controlled by every department within the company. Computer usage policies and internet usage policies are also helpful.
Security Measures Requirement
To meet the NIST 800-171 mandate, the security measures requirement dictates that you:
- Assess and develop appropriate security controls
- Securely back up CUI
- Create and enforce policies to prevent unauthorized software
- Identify, track, and restrict access to network/application ports (firewall/systems)
A lot of cloud based backup solutions do not meet the NIST 800-171 requirements. There are native capabilities within many software systems that, when configured properly, can address these security requirements.
NIST 800-171 Overview
At this point, you might feel as if your head is spinning. But the key points to remember for how to meet the NIST 800-171 requirements are: controls, monitoring/management, end user practices, and security measures.
Becoming NIST compliant is not a one-time thing, it’s an ongoing process where you continuously:
- Assess – Evaluate the current situation
- Design – Create the necessary changes in the system
- Deploy – Implement those changes
- Manage – Continue to manage the system to maintain compliance
Think of it as working towards a goal. Becoming NIST compliant involves documenting a plan, and then working to that plan.
To determine your compliance status, commission an assessment by an outside third party, such as Corserva. (See "Leveraging NIST Assessments to Become NIST Compliant.") You may already be working with service providers that have expertise in this area. It is important that you find a vendor with the specific computer security skills required for NIST assessments; not every managed services provider is qualified for this type of NIST security work.
You should seek out a vendor with experience in this area of compliance and assessment as well as comprehensive experience in project management. A major benefit to using an outside third party is the level of expertise you will gain. By using an outside third party, you gain advanced expertise in specific areas instead of one person with a high level view, such as when using an inside resource.
Phases of the Assessment
The assessment should consist of three phases:
- Business process review
- Technical assessment of systems and networks
- Data analysis
In our experience at Corserva, each phase takes 20-30 days with most engagements (depending on the size of the organization and the technology utilized). The end deliverable at the completion of these phases will be your compliance baseline. There are costs involved in becoming NIST compliant, but you may not need to spend as much as you think.
Many companies already have some of the technology in place required for NIST compliance, which can make the assessment less lengthy. In those cases, the assessment will focus on what process changes are needed to meet NIST compliance.
Questions You Will Be Asked
During the assessment process, the NIST partner will review your information systems environment as it relates to specific CUI use cases. You will be asked about different access scenarios. The partner will review your policies and procedures regarding IT systems – formal, informal, written, and not. If you have been working with an outside IT service provider, the NIST partner may also meet with them and will review their documentation.
The NIST vendor will go through the 110 requirements across the 14 families as defined in NIST Special Publication 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. For each requirement, the vendor will assess your company as fully compliant, partially compliant, or not compliant and include supporting documentation as well as recommendations of what changes to make to become compliant.
After the Assessment
From this assessment, you will have a specific roadmap to follow on the path to achieve compliance. This may involve process changes as well as new hardware or software. (Learn more in "Leveraging Microsoft Office 365 to Comply with NIST 800-171.")
Any changes that are required based on the assessment can also be performed by the outside vendor that performed the assessment, your own internal staff, or an IT service provider you were already using to manage IT.
After the assessment, you should plan for ongoing validation on a regular basis to ensure you stay in compliance with NIST 800-171.
Costs to comply with NIST will vary based on the size of the organization, what technology you are already using, and how much CUI you have.
In general, assessments by an outside party for very small organizations can start in the $5,000 – $7,500 range. Costs will scale up based on number of employees, number of physical locations, and number of systems that must be assessed. When using an outside vendor, implementation of any changes needed to become compliant based on findings in the assessment will be priced separately.
The two main areas that will impact costs are processes and technology. A security savvy organization may have already adopted processes that keep data secure. Those processes will need to be assessed. Based on any holes found, changes will be warranted. In this example, processes may only need to be adjusted slightly. Other organizations may need to adopt completely new processes.
Companies using modern workstations and the latest software will generally have less work to do than others with a low level of technology. Some organizations may need to make technology improvements such as upgrading to a next generation firewall, or configuring an existing firewall differently.
From the outside assessment, you should produce a Plan of Action with Milestones (POA&M) and a System Security Plan (SSP) that describes how any unimplemented security requirements will be met and how any planned improvements will be implemented. These plans should include detailed milestones to measure your progress.
From NIST Special Publication 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations:
Nonfederal organizations describe, in a system security plan, how the security requirements are met or how organizations plan to meet the requirements and address known and anticipated threats. The system security plan describes: the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems. Nonfederal organizations develop plans of action that describe how unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and the plan of action as separate or combined documents and in any chosen format.
Not only must you create these plans, you must implement these plans. Ideally, your plans will include implementation steps with scheduled dates of completion.
NIST is a non-regulatory agency of the US Department of Commerce. It's not as if auditors will storm your premises to see if you are in compliance. But your contracts will be at risk.
There are ramifications for not being compliant. If an auditor becomes aware that you have not achieved compliance, you can risk losing your existing contracts. If you are a prime contractor, your federal officer could ask you about your plan for compliance with the NIST 800-171 mandate (if they haven't already). If you are a subcontractor, you could be asked by your prime or sub at any time.
If you don’t become compliant with the NIST 800-171 mandate or have a plan in place to do so, you will be ineligible for any potential future contracts.
If a government contractor does not have proof of compliance, the company risks removal from the approved DoD vendor list. The DoD Chief Information Officer must now be notified within 30 days of contract award of any security requirements not implemented at the time including cybersecurity compliance.
To become compliant with the NIST 800-171 mandate, there are several questions you should start thinking about.
About Your Business
Industry and people
- Is there an InfoSec policy in place?
- What physical security do you have?
- Have you done any type of cybersecurity assessments in the past?
- How many employees do you have?
- How many workstations (if not all employees have computers)?
- Is everyone in one location or do you have multiple locations?
About Your Assets
Workstations and networks
- What type of physical equipment do you have within your network?
- How many end user workstations?
- How many servers?
- What operating systems are you running?
- Is there any type of encryption in place?
- What are you using for email?
- Which applications are you using, both on-premise and cloud-based?
- Do you have any firewalls?
- How is your network connected to the internet?
- Do you have a DMZ (demilitarized zone)?
- How many printers do you have and how are they accessed?
- What are you doing for backup?
About Your Data
The format of data and how it is accessed
- How does CUI enter your organization and in what format?
- How many of your users have access to CUI?
- In which systems and applications is the CUI stored?
- How is CUI accessed by staff?
- How is CUI shared amongst staff?
- Is CUI accessed by remote staff?
- Is CUI transmitted to other entities, and if so, how?
