National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171)

What is NIST 800-171?

NIST 800-171 refers to National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. It is essentially a set of standards that define how to safeguard and distribute material deemed sensitive but not classified.

NIST 800-171 was developed after FISMA (Federal Information Security Management Act) was passed in 2003, resulting in several security standards and guidelines. It was created in part to improve cybersecurity, especially after numerous well-documented breaches in the last few years, including USPS (U.S. Postal Service) and NOAA (National Oceanic and Atmospheric Administration). The primary reason, according to the National Institute of Standards and Technology, is “a national imperative” to make sure unclassified information that isn’t part of federal information systems and organizations is properly and consistently protected. Doing so helps the federal government “successfully carry out its designated missions and business operations.”

For certain government agencies, most notably the DoD (Department of Defense), GSA (General Services Administration) and NASA (National Aeronautics and Space Administration), a revised set of rules for NIST compliance took effect on December 31, 2017, requiring anyone who works with CUI from those agencies to implement specific security measures for how they handle data and to report non-compliance to the agency’s CIO. Under federal regulations, such as DFARS clause 252.204-7012, every affected company and agency is now required to assess and document its compliance in handling this information in more than a dozen areas, from the way its networks are configured, to the way any and all media is protected, to the way employees are granted access under the NIST 800-171 standard.

Prior to these requirements, every agency had a unique set of rules for handling, safeguarding and disposing of this material. These inconsistent standards posed a challenge – and a potential security concern – when information needed to be shared, especially when multiple contractors became part of the process.

Compliance with NIST 800-171

These new standards must be met by anyone who processes, stores or transmits this type of potentially sensitive information (CUI) for the DoD, GSA or NASA and other federal or state agencies. This includes contractual agency relationships. Achieving NIST 800-171 compliance may require diving deep into your networks and procedures to make sure appropriate security procedures are properly addressed. Failure to comply could affect any dealings with these agencies, including severance of contracts. If you missed the deadline, you could be at risk of losing contracts or damaging relationships.

The process for becoming compliant with the standards set out in NIST 800-171 may take a significant amount of time to implement (6-8 months), but there are some cybersecurity practices you can put in place right away to protect your business and your data.

Self-Assessment Handbook

The Self-Assessment Handbook is currently under revision.

NIST Handbook 162 “NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements” provides a step-by-step guide to assessing a manufacturer’s information systems against the security requirements in NIST SP 800-171 rev 1. This handbook can be used by manufacturers to help comply with DFARS 252.204-7012 and DFARS 252.204-7019 requirements.

In addition, the Handbook may also be useful for other manufacturers interested in applying the NIST SP 800-171 security requirements, including those seeking to comply with CMMC Level 3 requirements. Additionally, manufacturers operating in commercial supply chains may consider implementing the NIST security requirements as an integral aspect of managing their organizational risks.

The 14 Points of NIST 800-171

Contractors who need access to CUI must implement and verify compliance and create security protocols for 14 key areas. This list is provided by our security partner, Foresite:

  1. Access Control: Who is authorized to view this data?
  2. Awareness and Training: Are people properly instructed in how to treat this info?
  3. Audit and Accountability: Are records kept of authorized and unauthorized access? Can violators be identified?
  4. Configuration Management: How are your networks and safety protocols built and documented?
  5. Identification and Authentication: What users are approved to access CUI and how are they verified prior to granting them access?
  6. Incident Response: What’s the process if a breach or security threat occurs, including proper notification?
  7. Maintenance: What timeline exists for routine maintenance, and who is responsible?
  8. Media Protection: How are electronic and hard copy records and backups safely stored? Who has access?
  9. Physical Protection: Who has access to systems, equipment and storage environments?
  10. Personnel Security: How are employees screened prior to granting them access to CUI?
  11. Risk Assessment: Are defenses tested in simulations? Are operations or individuals verified regularly?
  12. Security Assessment: Are processes and procedures still effective? Are improvements needed?
  13. System and Communications Protection: Is information regularly monitored and controlled at key internal and external transmission points?
  14. System and Information Integrity: How quickly are possible threats detected, identified and corrected?

Why did NIST develop SP 800-171?

NARA and NIST objected to DFARS’ use of a selected subset of 800-53 controls

  • Asserted the full moderate impact baseline required for protection of CUI

There was broader stakeholder concern regarding implementation challenges for non-Federal systems

  • SP 800-53 controls originally developed for Federal systems
    • Some controls/elements of controls should not apply outside the US Government (Federal-centric)
    • Some controls are overly granular when applied to an ‘as-built’ contractor system
    • Many baseline controls unnecessary (e.g., Availability controls) for protection of CUI

The solution was to develop a separate NIST SP for protection of CUI in nonfederal organizations.

  • Based on FIPS 200 with control language from 800-53 to meet moderate impact level

  • Performance-based to be applicable to existing nonfederal systems

  • Eliminate Federal-centric requirements

  • Focus on providing confidentiality protection for CUI

How can my organization “comply” with NIST SP 800-171?

NIST is a non-regulatory agency under the U.S. Department of Commerce; NIST does not have a role in determining compliance with the security requirements in NIST SP 800-171. If you have questions regarding requirements to protect controlled unclassified information or other regulatory requirements, please contact your prime contractor and/or federal point of contact for the contract.

Where can I get assistance on conducting a NIST SP 800-171 Assessment?

The DOD Supplier Performance Risk System (SPRS) provides access to the NIST SP 800-171 Assessment scoring information. Questions about conducting your NIST SP 800-171 Assessment should be directed to your DCMA representative.

For more information, please see: https://www.sprs.csd.disa.mil/default.htm

How do I determine my “NIST SP 800-171 Score?”

The “NIST Score” is actually a reference to the Department of Defense (DOD) Assessment of NIST SP 800-171. NIST does not have a role in setting or determining a vendor’s score or completing the assessment. DOD uses NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations, as part of its acquisition process to set cybersecurity requirements for DOD suppliers that store, transmit, or process CUI. Refer to the FAQ (above) about assistance on conducting a NIST SP 800-171 assessment.

What is the relationship between CMMC and NIST Special Publications (SP) 800-171 and SP 800-171B?

CMMC requirements are determined by the DOD CMMC Program Office. Specifics on the requirements, assessments and maintenance for those should be directed to DOD. For information about the CMMC program, please see: https://www.acq.osd.mil/cmmc/index.html

The National Institute of Standards and Technology is the United States agency tasked to advance measurement science, standards and technology in ways that enhance economic security and improve quality of life. The Federal Information Security Modernization Act (FISMA) established NIST as the responsible agency for development of information security standards and guidelines for federal information systems. NIST published Special Publication 800-171 titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” or NIST 800-171 for short.

NIST based 800-171 on 800-53, but removed controls, or parts of controls, that were uniquely catered to federal organizations. The framework consists of 14 Control Families, whereas CMMC contains 17 Domains.

NIST 800-171 is a guideline for non-federal organizations that must securely process CUI content, within internal and external information systems, in support of federal activities.  For Government Contractors supporting the Department of Defense (DoD), CMMC Level 2 and DFARS 7012 require NIST 800-171 compliance across information systems and policies.

NIST 800-171 is a comprehensive set of requirements containing 28 basic security requirements and 81 derived security requirements. That’s a total of 110 requirements across the entire scope of NIST SP 800-171! CMMC contains 17 Domains and 171 Practices.

NIST Control Family and associated CMMC Domains.

CMMC: Access Control (AC)

NIST: 3.1 Access Control 

The Access Control family is one of the largest control families in NIST 800-171. In general, this control family specifies controls around limiting system access to authorized users and making sure that those authorized users are only able to perform specified actions based on company policies. All requirements in the Access Control family trace to NIST 800-53, and most require both a procedural and a technical control to implement.

NIST Basic Requirements: 2

NIST Derived Requirements: 20

Procedural Controls: Yes

Technical Controls: Yes

CMMC: Awareness and Training (AT)

NIST: 3.2 Awareness and Training

Ensuring managers, administrators and end users receive the proper security and awareness training on both usage of the information system and insider threats is essential to satisfying the NIST 800-171 Awareness and Training requirements. All three of the requirements map specifically to the Awareness and Training (AT) family in NIST 800-53 and are handled with procedural controls. They do not require a technical control; however, a control enhancement might be the implementation of a learning management system to maintain electronic training records.

NIST Basic Requirements: 2

NIST Derived Requirements: 1

Procedural Controls: Yes

Technical Controls: No

CMMC: Audit and Accountability (AU)

NIST: 3.3 Audit and Accountability

Audit and Accountability requirements focus specifically on ensuring that an organization’s audit generation and reporting capabilities sufficiently support the security monitoring and management needed for a secure environment. These requirements map directly to NIST 800-53. Most of these controls require both a procedural and a technical implementation.

NIST Basic Requirements: 2

NIST Derived Requirements: 7

Procedural Controls: Yes

Technical Controls: No

CMMC: Configuration Management (CM)

NIST: 3.4 Configuration Management

Configuration Management requirements focus on ensuring organizations have formalized change control and technical controls that ensure processes are appropriately followed across the entire IT enterprise. Remember, the entire enterprise includes servers, services and client systems. This extensive set of requirements may require the creation of governance processes or significant modifications to existing ones. All requirements map directly to the Configuration Management (CM) family in NIST 800-53 and include procedural and technical controls.

NIST Basic Requirements: 2

NIST Derived Requirements: 7

Procedural Controls: Yes

Technical Controls: Yes

CMMC: Identification and Authentication (IA)

NIST: 3.5 Identification and Authentication

Pay special attention to the Identification and Authentication requirements, which ensure that systems properly identify users and processes acting within an IT environment. Multi-factor Authentication in NIST 800-171 is one of the primary requirements in this control family, and it is a big deal! These requirements map directly to the Identification and Authentication (IA) family in 800-53 and, like some of the previous categories, this family requires both procedural and technical controls across almost all requirements.

NIST Basic Requirements: 2

NIST Derived Requirements: 9

Procedural Controls: Yes

Technical Controls: Yes

CMMC: Incident Response (IR)

NIST: 3.6 Incident Response

Don’t be fooled. The Incident Response family only has three requirements; however, implementing them is a significant effort. NIST 800-171 Incident Response (IR) requirements map to NIST 800-53 Incident Response (IR) requirements and ensure processes exist to respond to operational incidents and report to the government. Testing is the key to success for the third-party requirement once processes and controls are implemented. We can’t stress this enough: test, test, test!

NIST Basic Requirements: 2

NIST Derived Requirements: 1

Procedural Controls: Yes

Technical Controls: Yes

CMMC: Maintenance (MA)

NIST: 3.7 Maintenance

Implementations with Cloud Service Providers have fewer maintenance requirements for NIST 800-171 compliance. Cloud Service Providers (CSPs) provide the hardware maintenance and disposal. However, there is a requirement that speaks directly to Multi-factor Authentication for remote maintenance sessions that can be tricky. This family maps directly to the Maintenance (MA) Family in NIST 800-53.

NIST Basic Requirements: 2

NIST Derived Requirements: 4

Procedural Controls: Yes

Technical Controls: Yes

CMMC: Media Protection (MP)

NIST: 3.8 Media Protection

Worried about moving to a CSP? The Media Protection (MP) requirements may provide the cost justification needed to make the switch from on-premises to a CSP. Media protection controls are derived from the NIST 800-53 MP and Contingency Planning (CP) Families. The requirements focus on the protection of CUI content in both paper and digital media. Both policy and technical controls are required. Organizations using a CSP may have many of these controls included as a component of standard datacenter services.

NIST Basic Requirements: 3

NIST Derived Requirements: 6

Procedural Controls: Yes

Technical Controls: Yes

CMMC: Personnel Security (PS)

NIST: 3.9 Personnel Security

Personnel Security (PS) requirements are primarily handled via procedural controls outside of the purview of an IT system. However, there are components that require user access to be properly revoked upon termination or transfer. This is the smallest family within NIST 800-171 and relates directly to the Personnel Security (PS) Family in NIST 800-53.

NIST Basic Requirements: 2

NIST Derived Requirements: 0

Procedural Controls: Yes

Technical Controls: Yes

CMMC: Physical Protection (PE)

NIST: 3.10 Physical Protection

This family of requirements includes procedural controls outside of IT system management. Physical protection is a big deal for on-premises enterprises, and it may be especially challenging and expensive for small businesses. Alternatively, an approved CSP can provide a cloud environment that meets NIST 800-171 physical protection requirements. These requirements map directly to the Physical Protection domain within CMMC. Elements of these requirements can be met in Office 365 GCC High.

NIST Basic Requirements: 2

NIST Derived Requirements: 4

Procedural Controls: Yes

Technical Controls: No

CMMC: Risk Management (RM)

NIST: 3.11 Risk Assessment

Risk Management requirements are primarily a procedural and paper-based exercise. The derived requirements are technical in nature and align directly with the RA family in NIST 800-53. There are three requirements, which relate to identifying and remediating vulnerabilities in the information system. The size and complexity of the information system will determine the size of this effort. Beware: this could be a significant effort.

NIST Basic Requirements: 1

NIST Derived Requirements: 2

Procedural Controls: Yes

Technical Controls: Yes

CMMC: Security Assessment (CA)

NIST: 3.12 Security Assessment

CMMC Security Assessment requirements include periodic and continual assessments. The purpose of these assessments is to identify and close any gaps that may present themselves during system operation. There are only three requirements, but they work as a loop that ensures continual improvement and control. This control family relates specifically to the Security Assessment and Authorization Management family in NIST 800-53.

NIST Basic Requirements: 3

NIST Derived Requirements: 0

Procedural Controls: Yes

Technical Controls: No

CMMC: System and Communications Protection (SC)

NIST: 3.13 System and Communications Protection

Pay close attention to the System and Communications Protection requirements, because they are among the largest and most complex to implement. This family of controls ensures that organizational information systems include sufficient monitoring, control and protection of all communications, internally and externally. Implementation requires significant procedural and technical controls. Requirements map across multiple NIST 800-53 families, including portions of both the System and Services Acquisition Management (SA) and Security Control (SC) Families.

NIST Basic Requirements: 2

NIST Derived Requirements: 14

Procedural Controls: Yes

Technical Controls: Yes

CMMC: System and Information Integrity (SI)

NIST: 3.14 System and Information Integrity

System and Information Integrity requirements are primarily focused on ensuring that malware and other malicious code do not access the information system. Additionally, these requirements cover identifying potential attacks and indicators of potential attacks. Procedural controls for this family are straightforward for most organizations. However, technical implementation of the controls for on-premises environments can be challenging given the speed and frequency with which attacks and attackers change tactics. This requirement set maps to the Systems and Communications Protection (SI) Family in NIST 800-53.

NIST Basic Requirements: 3

NIST Derived Requirements: 4

Procedural Controls: Yes

Technical Controls: Yes