Protecting CUI With NIST SP 800-171: How to Stay Compliant
In 2017, the National Institute of Standards and Technology (NIST) released guidance for Special Publication (SP) 800-171, which helps organizations secure their information systems. This glossary page aims to help businesses understand what they need to do to comply with NIST SP 800-171. We will cover the basics of compliance and what businesses can do to get started.
What Is NIST SP 800-171?
The National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) is a set of security standards businesses must implement to protect sensitive information from unauthorized access. NIST SP 800-171 applies to all organizations that handle controlled unclassified information (CUI), which includes any data that could potentially harm national security if it is compromised or otherwise accessed by unauthorized users. While NIST SP 800-171 is not mandatory for all businesses, many industries are beginning to adopt these standards as best practices for data security.
NIST SP 800-171 Protection Requirements
NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” is a set of guidelines established by the National Institute of Standards and Technology (NIST) to ensure the security and confidentiality of controlled unclassified information (CUI) shared by federal agencies with nonfederal entities. This includes academic institutions, state and local governments, and private sector organizations that handle CUI on behalf of the federal government.
The document outlines 14 families of security requirements, including access control, awareness and training, incident response, and risk assessment, among others. These requirements protect CUI’s confidentiality, integrity, and availability while minimizing the risk of unauthorized access and disclosure.
Organizations handling CUI are expected to implement the security measures outlined in NIST SP 800-171 to demonstrate compliance with federal requirements. By adhering to these guidelines, nonfederal entities can ensure consistent protection for sensitive information, which is critical to maintaining trust between the federal government and its partners.
What Is Controlled Unclassified Information (CUI)?
Controlled unclassified information (CUI) is unclassified information that requires safeguarding or dissemination controls according to law, Presidential decree, or directive. CUI includes information that the government creates or possesses and shares with contractors, grantees, and others outside of the government. The purpose of CUI is to protect information from unauthorized disclosure while ensuring its availability to those who have a legitimate need for it.
What Are the Goals of NIST SP 800-171?
The goals of NIST SP 800-171 are to facilitate the implementation of information security programs within federal agencies by giving them standard language and requirements to use. To help organizations better manage risk, NIST SP 800-171 is designed to raise their awareness of security risks and focus their attention on priorities. These standards aim to help organizations protect their data, especially sensitive information. NIST SP 800-171 contains guidance on properly managing access control, administrative privileges, physical security, and more. By following the recommendations in this standard, organizations can greatly reduce their risk of data breaches or theft.
Who Does NIST SP 800-171 Apply To?
NIST SP 800-171 applies to all federal agencies, contractors, and other organizations that work with the federal government. If your organization handles CUI, you must comply with NIST SP 800-171.
Covered entities, namely organizations like contractors and subcontractors that do business with the federal government, must develop, document, and implement a security program to address the security requirements outlined in NIST SP 800-171. All covered entities should consider hiring a qualified third-party consultant to help develop and implement a security program to comply with this standard.
Who Is Responsible for Implementing NIST SP 800-171?
For the entities covered under NIST SP 800-171, each agency’s Chief Information Security Officer (CISO) is responsible for implementing NIST SP 800-171. The CISO is responsible for providing oversight to ensure that the requirements are effectively implemented and managed within the agency.
What Are Some Basic Compliance Requirements With NIST SP 800-171?
NIST SP 800-171 consists of 14 basic requirements that provide guidelines for protecting CUI stored and processed in nonfederal systems and organizations. These requirements have a well-defined structure consisting of basic and derived security requirements. The basic security requirements are adopted from FIPS Publication 200. The derived security requirements, in contrast, are adopted from NIST SP 800-53 and complement the basic security requirements. The control families include:
1. Access Control
This family of requirements is the largest under NIST SP 800-171. It contains 22 controls. Under Access Control, organizations need to monitor all access events in the IT environment and limit access to systems and data. Under Access Control, NIST SP 800-171 recommends:
- Implementing the least-privilege principle
- Controlling the flow of CUI within an organization and encrypting it on mobile devices
- Monitoring and controlling remote access
- Controlling and restricting the use of mobile devices
- Separating duties of individuals to help prevent irregular activities
- Authorizing and protecting wireless access by use of encryption and authentication
2. Awareness and Training
This family of controls requires businesses to ensure that managers, system administrators, and other users know the security risks associated with their activities. They must be familiar with the organization’s security policies and basic cybersecurity practices to recognize and respond to insider and outsider threats.
3. Audit and Accountability
This family consists of nine controls. It requires organizations to retain audit records to use in security investigations and to keep users accountable for their actions. Organizations must collect and analyze audit logs to detect any unauthorized activity and respond promptly. Several steps can help implement these controls:
- Review and update audited events
- Report on failures in the audit process
- Protect audit systems from unauthorized access
- Generate reports that support on-demand analysis and provide compliance evidence
4. Configuration Management
In this family of requirements, businesses have to establish and maintain baseline configurations, which involve controlling and monitoring user-installed software and any changes made to your organization’s systems. Organizations will need to focus on:
- Documenting all events where access was restricted due to changes to IT systems
- Employing the principle of least functionality by configuring systems to provide only essential capabilities
- Restricting, disabling, or preventing the use of programs, functions, protocols, and services that are not essential
- Blacklisting unauthorized software
5. Identification and Authentication
This family of requirements ensures that only authenticated users can access the organization’s network or systems. It has 11 requirements that cover password and authentication procedures and policies. It also covers the reliable identification of users. Requirements to ensure the distinction between privileged and non-privileged accounts are reflected in network access.
6. Incident Response
Here, organizations must have an incident response strategy that allows prompt response to any incident that could result in a data breach. An organization can implement capabilities to detect, analyze, and respond to security incidents and report on these incidents to appropriate officials—and regularly test its incident response plan.
Improper system maintenance may result in the disclosure of CUI, so it poses a threat to the confidentiality of the information. Businesses are required to perform regular maintenance by following rules such as:
- Keeping a close watch on individuals and teams that perform maintenance activities
- Ensuring that equipment removed for off-site maintenance does not contain sensitive data
- Ensuring that media containing diagnostic and test programs are free of malicious code
8. Media Protection
The Media Protection control family requires you to ensure the security of system media containing CUI, including both paper and digital media.
9. Physical Security
Physical Security includes the protection of hardware, software, networks, and data from damage or loss due to physical events. The NIST SP 800-171 requires organizations to perform several activities to mitigate the risk of physical damage, such as:
- Limiting physical access to systems and equipment to authorized users
- Maintaining audit logs of physical access
- Controlling physical access devices
10. Personal Protection
This is a small family of controls that requires businesses to monitor user activities and ensure that all systems containing CUI are protected during and after personnel actions, such as employee terminations and transfers.
11. Risk Assessment
There are two requirements that cover the performance and analysis of regular risk assessments. Organizations are required to regularly scan systems to check for vulnerabilities, keeping network devices and software updated and secure. Regularly highlighting and strengthening vulnerabilities improves the security of the entire system.
12. Security Assessment
An organization must monitor and assess its security controls to determine if it is effective enough to help keep data secure. Organizations need to have a plan describing system boundaries, relationships between different systems, and procedures for implementing security requirements and updating that plan periodically.
13. System and Communications Protection
This is a rather large family comprising 16 controls for monitoring, controlling, and protecting information transmitted or received by IT systems. It involves several activities such as:
- Preventing the unauthorized transfer of information
- Building sub-networks for publicly accessible system components that are separated from internal networks
- Implementing cryptographic mechanisms to prevent any unauthorized disclosure of CUI
- Denying network communications traffic by default
14. System and Information
This group of controls requires businesses to quickly identify and correct system flaws and protect critical assets from malicious code. This includes tasks such as:
- Monitoring and promptly acting on security alerts indicating unauthorized use of IT systems
- Performing periodic scans of IT systems and scanning files from external sources when they are downloaded or acted on
- Updating malicious code protection mechanisms as soon as the new versions are available
Where Can Businesses Go for Help in Understanding and Complying With This Standard?
There are a lot of standards out there for businesses to comply with, and the National Institute of Standards and Technology SP 800-171 is just one of them. It can be tough to keep up with all the different compliance requirements, but luckily, resources are available to help businesses understand and comply with this standard. The National Institute of Standards and Technology website provides information on the 800-171 standard and how businesses can meet its requirements. In addition, many private companies offer compliance consulting services to help businesses ensure that they are meeting all applicable standards.
What Are the Self-assessment Steps for Compliance Under NIST SP 800-171?
Get advice from your federal or state agency. If your organization provides services to other federal government agencies besides DoD, there is a good chance that the agencies will ask you to prove your compliance with NIST SP 800-171.
Define CUI applicable to your organization. Identify where it is stored, processed, or transmitted in the organization’s network.
Perform a gap analysis. Evaluate your security posture to determine where you are currently compliant and where additional work is needed.
Prioritize the requirements of NIST SP 800-171. Use this to plan the actions needed.
Implement changes according to the results of the gap analysis and prioritization.
Ensure subcontractors are compliant. You may have achieved compliance with NIST SP 800-171, but your subcontractors may not necessarily be compliant. You need to ensure that they are familiar with all requirements and have implemented the necessary controls.
Designate someone who will be responsible for compliance. This person will be responsible for preparing documentation and evidence of how your organization is protecting CUI. This person will also be responsible for engaging your IT team and management in the compliance process. You may also elect to hire a consultant who provides advisory and assessment services to help you meet your NIST SP 800-171 needs.
Kiteworks, FedRAMP, and NIST SP 800-171
Kiteworks is a secure file sharing platform that facilitates NIST SP 800-171 compliance. It is a FedRAMP Moderate authorized solution and ensures data is encrypted in transit and at rest. Kiteworks meets all the security requirements specified in NIST SP 800-171 and meets other regulations, including ITAR, GDPR, SOC 2 (SSAE-16), FISMA, and FIPS 140-2.
Kiteworks provides a layer of security and governance over the users and systems holding and transferring sensitive information like CUI. Organizations can schedule a custom demo of Kiteworks to learn more about how to use it to meet NIST SP 800-171 compliance, or contact email@example.com for further information.
Get email updates with our latest blogs news