NIST SP 800-171: What the Requirements Are and How to Be Compliant

The deadline for Department of Defense (DoD) contractors to implement the requirements of NIST Special Publication 800-171 was 31 December 2017, according to the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. Companies that failed to do so are in a tough situation: They risk removal from the approved DoD vendor list, which can lead to financial losses. Contractors of other federal and state agencies also have to be familiar with the standard, since agencies may ask them to prove compliance with NIST SP 800-171 at any moment.

Netwrix is ready to help those who are not familiar with NIST 800-171. Below, we summarize its key requirements and share basic recommendations for getting started with the new regulation.

What is NIST 800-171

Created in June 2015, NIST Special Publication 800-171 covers the protection of controlled unclassified information (CUI) in nonfederal information systems and organizations. It aims to help organizations that provide services to federal or state agencies ensure that systems that process or store CUI are secure and under strict control.

The requirements of NIST 800-171 are very similar to another standard, NIST 800-53; however, NIST 800-171 is designed specifically for non-federal organizations that process, store or transmit sensitive federal information, such as:

  • Government contractors
  • Universities and research institutions
  • Consulting companies
  • Service providers
  • Manufacturing companies that work on contract for government agencies

What is Controlled Unclassified Information?

Executive Order 13556 established a government-wide CUI program in order to “standardize the way the executive branch handles unclassified information that needs protection.” CUI is any information created by the government that is unclassified but still needs protection. This includes emails, electronic files, blueprints, drawings, proprietary company or contractor information (such as sales orders and contracts), and physical records. All the categories of sensitive information protected by NIST 800-171 are outlined in the CUI registry.

Control Families and Requirements

NIST SP 800-171 consists of 14 control families that provide guidelines for protecting CUI that is stored and processed in nonfederal systems and organizations. These requirements have a well-defined structure that consists of two sections: basic security requirements and derived security requirements. The high-level basic security requirements were adopted from FIPS Publication 200, while the derived security requirements were adopted from NIST SP 800-53 and complement basic security requirements. Here is a brief description of each control family:

  1. Access Control

This family is the largest in NIST SP 800-171, with 22 controls. You need to monitor all access events in the IT environment and limit access to systems and data. NIST 800-171 recommends focusing on the following actions:

  • Implement the least-privilege principle.
  • Control the flow of CUI within the organization and encrypt it on mobile devices.
  • Monitor and control remote access.
  • Control and restrict use of mobile devices.
  • Separate duties of individuals to prevent aberrant activities.
  • Authorize and protect wireless access using encryption and authentication.
  1. Awareness and Training

This set of controls requires you to ensure that managers, system administrators and other users are aware of the security risks associated with their activities. They have to be familiar with the organization’s security policies and basic cybersecurity practices so they can recognize and respond to insider and outsider threats. The best way to ensure proper awareness is to give employees security training on a regular basis.

  1. Audit and Accountability

This family consists of 9 controls and requires you to retain audit records for use in security investigations and to keep users accountable for their actions. Organizations need to collect and analyze audit logs to detect unauthorized activities and respond to them promptly. Several steps will help you implement these controls:

  • Review and update audited events.
  • Report on failures in audit process.
  • Generate reports to support on-demand analysis and provide evidence of compliance.
  • Protect audit systems from unauthorized access.
  1. Configuration Management

This family also consists of 9 controls. You have to establish and maintain baseline configurations, which involves controlling and monitoring user-installed software and all changes made to organizational systems. You will need to focus on the following activities:

  • Define and document any events where access was restricted due to changes to IT systems.
  • Employ the principle of least functionality by configuring systems to provide only essential capabilities.
  • Restrict, disable, or prevent the use of programs, functions, protocols and services that are not essential.
  • Blacklist unauthorized software.
  1. Identification and Authentication

This family includes 11 controls designed to prevent unauthorized access to critical systems and mitigate the risk of data loss. You need to be able to verify the identities of users, processes and devices in your network and follow some basic rules:

  • Use multifactor authentication for network and local access.
  • Disable user accounts if they are inactive for a long time.
  • Create a strong password policy, which involves enforcing a minimum level of password complexity and storing only encrypted passwords.
  1. Incident Response

Although the scope of this control family is rather narrow, incident response capabilities are critical if you want to comply with NIST SP 800-171. You will require a viable incident response strategy that enables you to promptly respond to any incident that could result in a data breach or system downtime. The best recommendation here is to implement capabilities to detect, analyze and respond to security incidents; report on these incidents to appropriate officials; and test your incident response plan regularly.

  1. Maintenance

Improper system maintenance can result in disclosure of CUI, so it poses a threat to the confidentiality of that information. Therefore, you are required to perform maintenance regularly and follow several rules:

  • Keep a close watch on individuals and teams that perform maintenance activities.
  • Ensure that equipment removed for off-site maintenance does not contain sensitive data.
  • Ensure that media containing diagnostic and test programs are free of malicious code.
  1. Media Protection

This control family requires you to ensure the security of system media that contain CUI, which includes both paper and digital media. You will need to adopt several measures:

  • Control and limit access to media.
  • Implement cryptographic mechanisms to protect CUI stored on digital media.
  • Before disposal, make sure that system media does not contain any CUI.
  • Forbid the use of portable storage devices when they have no identifiable owner.
  1. Physical Protection

Physical protection includes the protection of hardware, software, networks and data from damage or loss due to physical events. NIST SP 800-171 requires organizations to perform several activities to mitigate the risk of physical damage:

  • Limit physical access to systems and equipment to authorized users.
  • Maintain audit logs of physical access.
  • Control physical access devices.
  1. Personnel Security

This rather small family of controls requires you to monitor user activities and ensure that all systems that contain CUI are protected during and after actions of personnel, such as employee terminations and data transfers.

  1. Risk Assessment

Organizations that are subjects to NIST SP 800-171 have to evaluate potential risks to their IT environments on a regular basis. They also need to scan for vulnerabilities in critical systems and applications and remediate them in accordance with the results of the risk assessment.

  1. Security Assessment

Your organization must monitor and assess its security controls to determine if they are effective enough. You need to have a plan that describes system boundaries, relationships between systems and procedures for implementing security requirements, and update it periodically. Finally, you need to implement an action plan to reduce or eliminate vulnerabilities in critical systems.

  1. System and Communications Protection

This rather large family consists of 16 controls for monitoring, controlling and protecting information that is transmitted or received by IT systems. This involves several activities:

  • Prevent unauthorized transfer of information.
  • Build up sub-networks for publicly accessible system components that are separated from internal networks.
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI.
  • Deny network communications traffic by default.
  • Control and monitor the use of mobile code and VoIP technologies.
  1. System and Information Integrity

This group of controls requires you need to quickly identify and correct system flaws, as well as protect critical assets from malicious code. This includes the following tasks:

  • Monitor and immediately respond to security alerts to detect unauthorized use of IT systems and cyber attacks.
  • Perform periodic scans of IT systems, and scan files from external sources as they are downloaded, opened or executed.
  • Update malicious code protection mechanisms (such as antivirus and anti-malware) as soon as the new versions are available.

Seven Steps to Protect Controlled Unclassified Information

Whether you are new to NIST SP 800-171 or just need a way to double-check your work so far, there are seven steps that will help you ensure compliance with NIST 800-171:

Step#1. Seek advice from your federal or state agency. Even if you are not a DoD contractor, if you provide services to other government agencies, there is a good chance that those agencies will ask you to prove your compliance with NIST SP 800-171. You need to make sure that you fully understand what your federal or state agency expects from you and their deadlines.

Step#2. Define CUI as it applies to your organization.  Identify where CUI is stored, processed or transmitted in your network.

Step#3. Perform gap analysis. Evaluate your security posture to determine where you are currently compliant and where you need additional work.

Step#4. Prioritize the requirements of NIST SP 800-171. Use it to plan the actions you need to take.

Step#5. Implement changes according to the results of your gap analysis and prioritization.

Step#6. Ensure your subcontractors are compliant. Even if you have achieved compliance with NIST SP 800-171, that does not mean your subcontractors are also compliant. You need to make sure that they are familiar with all the requirements and have the necessary controls in place.

Step#7. Designate a professional responsible for compliance. NIST 800-171 provides general recommendations on how to protect CUI, so you need to designate a person who will be responsible for preparing documentation and evidence of how your organization is protecting CUI, as well as engaging your IT team and management in the compliance process. Another good practice is to hire a consultant who provides advisory and assessment services to help you meet your NIST SP 800-171 needs.

Want to know more about NIST Special Publication 800-171? Visit the official page in NIST’s Computer Security Resource Center (CSRC): https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final