
How to Become NIST Compliant - A CTO's Guide

What is NIST compliance and how do I become compliant? This article aims to answer those two questions.

If you are reading this article, chances are you are here because a customer or vendor recently notified you that you are required to become NIST 800-171 compliant. NIST is the National Institute of Standards and Technology, which created a set of standards and a security framework to help ensure that a base level of security practice is adhered to among government agencies and among organizations that interact with, or on behalf of, various government entities. NIST 800-171 was introduced several years ago and required all organizations that work directly or indirectly with the U.S. government and share Controlled Unclassified Information (CUI) to adhere to the NIST 800-171 standards by the deadline of December 31st, 2017. Revisions have been made to this standard over time, and it is best to visit www.nist.gov for the latest information regarding this and other standards. Lastly, it is important to understand that compliance is not a certification but rather an ongoing confirmation that you continue to operate, and continue to have controls in place, in accordance with the standards.

Becoming NIST 800-171 compliant can be a multi-phase and multi-year process for many government contractors and sub-contractors that handle Controlled Unclassified Information (CUI). To become compliant, a business may need to invest in new software products, re-configure existing systems, implement stronger physical security controls and develop new internal processes. There are 14 sections within NIST 800-171 r.1 on which businesses will be assessed and with which they will be expected to comply. Below is a brief description of each NIST 800-171 section.

NIST Sections/Key Objective Descriptions:

Section 1: Access Control - Limiting system access to only those who need it and ensuring the principle of least privilege is adhered to.

Section 2: Awareness and Training - Guaranteeing employees receive IT security awareness training and ensuring all employees understand applicable policies and procedures.

Section 3: Audit and Accountability - Ensuring that employee activity is tracked and logged within systems so that employees who act unlawfully can be held accountable for their actions.

Section 4: Configuration Management - Tracking changes made to IT security configuration settings.

Section 5: Identification and Authentication - Ensuring any users accessing systems can be identified and that all users must authenticate their identity in order to gain system access.

Section 6: Incident Response - Making certain the company has an incident response plan that includes detection of and recovery from a security breach.

Section 7: Maintenance - Ensuring IT security best practices are followed when conducting systems maintenance.

Section 8: Media Protection - Ensuring CUI that is stored on devices is properly marked, protected and disposed of.

Section 9: Personnel Security - Making certain individuals are screened prior to gaining authorization to access systems.

Section 10: Physical Protection - Ensuring physical IT infrastructure is properly safeguarded.

Section 11: Risk Assessment - Periodically assessing IT security risks and remediating any vulnerabilities discovered.

Section 12: Security Assessment - Periodically assessing the IT security controls to determine whether they are effective in their application.

Section 13: System and Communications Protection - Ensuring IT systems are monitored and that CUI data is protected whether it be at rest or in transmission.

Section 14: System and Information Integrity - Ensuring systems are properly protected against cyberattacks.

What is your next step?

The Walker Group provides NIST 800-171 assessments and assists our clients with becoming compliant. [Contact Us] if your business is looking for a consultant who can help you navigate your IT security compliance needs.

For more information regarding NIST 800-171, please click here.
