If you are reading this article, chances are you are here because a customer or vendor recently notified you that you are required to become NIST 800-171 compliant. NIST is the National Institute of Standards and Technology, which created a set of standards and a security framework to ensure that a baseline of security practices is followed by government agencies and by organizations that interact with, or act on behalf of, government entities. NIST 800-171 was introduced several years ago and required all organizations that work directly or indirectly with the U.S. government and handle Controlled Unclassified Information (CUI) to adhere to the NIST 800-171 standards by the deadline of December 31st, 2017. Revisions have been made to this standard over time, so it is best to visit www.nist.gov for the latest information on this and other standards. Lastly, it is important to understand that compliance is not a one-time certification but rather an ongoing confirmation that you operate with, and maintain, the controls needed to remain in compliance with the standards.
Becoming NIST 800-171 compliant can be a multi-phase, multi-year process for many government contractors and sub-contractors that handle Controlled Unclassified Information (CUI). To become compliant, a business may need to invest in new software products, re-configure existing systems, implement stronger physical security controls and develop new internal processes. There are 14 sections within NIST 800-171 r.1 on which businesses will be assessed and with which they will be expected to comply. Below is a brief description of each NIST 800-171 section.
Section 1: Access Control - Limiting system access to only those who need it and ensuring that the principle of least privilege is adhered to.
Section 2: Awareness and Training - Ensuring employees receive IT security awareness training and that all employees understand the applicable policies and procedures.
Section 3: Audit and Accountability - Ensuring that user activity is tracked and logged within systems so that employees who act unlawfully can be held accountable for their actions.
Section 4: Configuration Management - Tracking changes made to IT security configuration settings.
Section 5: Identification and Authentication - Ensuring that every user accessing a system can be identified and that all users must authenticate their identity in order to gain system access.
Section 6: Incident Response - Making certain the company has an incident response plan that covers detection of, and recovery from, a security breach.
Section 7: Maintenance - Ensuring IT security best practices are followed when conducting system maintenance.
Section 8: Media Protection - Ensuring CUI stored on devices and media is properly marked, protected and disposed of.
Section 9: Personnel Security - Making certain individuals are screened before being authorized to access systems.
Section 10: Physical Protection - Ensuring physical IT infrastructure is properly safeguarded.
Section 11: Risk Assessment - Periodically assessing IT security risks and remediating any vulnerabilities discovered.
Section 12: Security Assessment - Periodically assessing the IT security controls to determine whether they are effective as applied.
Section 13: System and Communications Protection - Ensuring IT systems are monitored and that CUI is protected both at rest and in transit.
Section 14: System and Information Integrity - Ensuring systems are properly protected against cyberattacks.
The Walker Group provides NIST 800-171 assessments and assists our clients with becoming compliant. [Contact Us] if your business is looking for a consultant who can help you navigate your IT security compliance needs.
For more information regarding NIST 800-171, please click here.