The responsibility for securing highly sensitive US federal information — including national security information — does not fall on the federal government alone. Anyone who touches this data is responsible for its protection.
Contractors, subcontractors, and other third parties and vendors that work with federal agencies like the United States Department of Defense (DoD) commonly handle sensitive government data called controlled unclassified information (CUI). These contractors are responsible for adhering to the National Institute of Standards and Technology Special Publication 800-171, or NIST SP 800-171 framework.
What Is NIST SP 800-171?
The National Institute of Standards and Technology — which has issued numerous standards in addition to 800-171 in the century-plus that it has been around — is a non-regulatory agency under the US Department of Commerce. Its stated mission is to “promote US innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”
The 800-171 framework defines a set of best practices for non-government entities to secure CUI and maintain effective cybersecurity programs. Many compliance laws, regulations, and requirements — like the Cybersecurity Maturity Model Certification, or CMMC — align closely with the NIST SP 800 framework.
Who does NIST SP 800-171 apply to?
Most contractors and subcontractors working anywhere in the federal supply chain understand their need to be NIST-compliant or go home. The DoD works with these third-party companies in many essential capacities — and that work requires the sharing of sensitive data. Common types of government contractors include:
- Defense contractors
- Financial organizations
- Healthcare organizations
- Colleges and universities
- Science and research institutes
- Web, communication, and tech providers
This is by no means an exhaustive list. Implementing NIST SP 800-171 is necessary for any and all companies handling CUI. It’s the game you have to play if you want to contract with the feds.
What is CUI (Controlled Unclassified Information)?
CUI is defined as “information the government creates or possesses or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
More directly, CUI is government data that, while not classified, is still sensitive and therefore requires special security controls and safeguards.
There are a lot of types of CUI. The National Archives and Records Administration (NARA) has defined 20 categories and 124 subcategories of CUI that must be protected. These categories include data in critical infrastructure, defense, export control, finance, international affairs, law enforcement, patents, transportation, legal and nuclear policies and procedures — and many more.
Why does CUI need safeguarding?
While the ubiquitous spy-thriller catchphrase of “that’s classified” may carry more pop culture weight than its “unclassified” counterpart, a whole lot of unclassified data is still highly sensitive. Breaches of unclassified data can disrupt economic and national security programs and procedures, leading to potentially disastrous consequences to organizational operations, financial assets, and individuals.
Furthermore, the loss or improper protection of CUI can have a direct impact on national security — and cybersecurity threats facing the federal government and DoD are steadily on the rise, whether they’re due to leaks, espionage, or negligence.
Companies that do not comply with NIST 800-171 to effectively safeguard CUI face the consequences of rapidly canceled contracts, lawsuits, fines, and reputational damage.
What are the NIST 800-171 controls?
If you are a contractor working with the US Department of Defense (DoD), you may be required to comply with the NIST 800-171 controls. These controls are a set of guidelines that ensure the protection of controlled unclassified information (CUI) in non-federal information systems and organizations. The guidelines outline the minimum security requirements that must be met to safeguard the confidentiality, integrity, and availability of CUI.
The NIST 800-171 controls are divided into 14 families, which cover topics such as access control, awareness and training, incident response, and system and communications protection. Compliance with these controls requires an organization to conduct regular risk assessments, develop and implement security plans, and maintain documentation demonstrating compliance. By adhering to these controls, contractors can better protect sensitive information and maintain the trust of the DoD.
NIST SP 800-171 standards and requirements
1. Access Control
22 requirements to safeguard the flow of sensitive information within networks and systems — and protect access to those networks and systems.
2. Awareness and Training
3 requirements to ensure that system administrators, users, and employees know the cybersecurity risks that they face — and are trained in security procedures.
3. Audit and Accountability
9 requirements for auditing and analyzing system and event logs — including recording, storing, and reviewing records.
4. Configuration Management
9 requirements to configure hardware and software across systems and networks, prevent unauthorized software installation, and restrict nonessential programs.
5. Identification and Authentication
11 requirements to identify authorized users, monitor password procedures and policies, and enforce distinctions between privileged and non-privileged access.
6. Incident Response
3 requirements to ensure that capabilities are in place to detect, contain, and recover data for a variety of cybersecurity incidents — plus test these capabilities.
6 requirements to determine best practices around network maintenance procedures — and make sure they are performed regularly and by authorized parties.
8. Media Protection
9 requirements to establish best practices for management or deletion of sensitive data and media — both physical and digital.
9. Personnel Security
2 requirements to safeguard CUI associated with personnel and employees — first, to screen individuals before they access sensitive data, and second, to terminate or transfer authorization.
10. Physical Protection
6 requirements to control physical access to CUI, including visitor access to worksites, hardware, devices, and equipment.
11. Risk Assessment
2 requirements for organizations to regularly scan their systems for vulnerabilities, keep network devices and software updated and secure, and otherwise regularly perform risk assessments.
12. Security Assessment
4 requirements to ensure that plans to safeguard CUI remain effective by developing, monitoring, renewing, and reviewing system controls and security plans and procedures.
13. System and Communications Protection
16 requirements to monitor systems that transmit information, restrict the unauthorized transfer of information, and enact best practices around encryption policies.
14. System and Information Integrity
7 requirements to monitor the ongoing protection of systems within the organization, including processes for identifying unauthorized use and the performance of system security alerts.
NIST 800-171 compliance checklist
To comply with NIST 800-171, you must pass an audit by a certified entity or cybersecurity partner. Before the audit, you need to take some initial steps that are not overly complex or time-consuming. To help you prepare for a smooth NIST audit, follow this convenient checklist:
1. Identify the scope of your compliance efforts: The first step is to determine the scope of your compliance efforts. This involves looking at NIST 800-171 and identifying which controls and requirements apply to your organization. You may need to undergo additional training, implement stronger physical access controls, and establish a media protection process.
You should also adjust your system boundaries to ensure that only the necessary parts of your organization are included in the compliance scope. By identifying the scope of your compliance efforts, you can focus your resources more effectively and ensure that you are meeting all of the necessary requirements.
2. Gather necessary documentation: To pass a NIST 800-171 compliance audit, you need to have documentation that all controls and requirements are being met. You will need to gather documentation in several areas before the audit, including system and network architecture, system boundaries, data flow, personnel, process and procedures, and anticipated changes.
By gathering this documentation, you can demonstrate that you have a comprehensive understanding of your organization’s security posture and are taking appropriate measures to protect Controlled Unclassified Information (CUI).
3. Conduct a gap analysis and review: It’s important to understand where the gaps are between your current state and being fully NIST 800-171 compliant. Focus on the primary access control requirements and work your way down. Document any design flaws or control gaps so you can make the necessary changes.
An experienced NIST partner can help you create the most comprehensive gap analysis possible and system review. By conducting a gap analysis and review, you can identify areas where you need to improve your security posture and take appropriate measures to address any deficiencies.
4. Develop a security plan and remediation plan: Once you have completed your gap analysis, you can begin planning on a variety of fronts. First, you’ll want to formulate and document a NIST-compliant overall security plan. This plan should outline your organization’s security goals, objectives, and procedures.
You should also create a remediation plan in case CUI is compromised, which should be in alignment with NIST requirements to avoid penalties. Finally, you’ll want a Plan of Action and Milestones (POAandM) to ensure the entire project stays on track. By developing a security plan and remediation plan, you can ensure that your organization is well-prepared to respond to any security incidents and can minimize the impact of any breaches.
5. Collect audit trail evidence: As you make changes towards compliance, you’ll want to produce audit-trail evidence showing what you’ve done and to ensure accountability. This includes identifying the audit requirements you’ll be addressing based upon the 14 NIST 800-171 criteria as listed above.
Audit trail evidence can include system logs, security incident reports, and other documentation that demonstrates that you are meeting the necessary requirements. By collecting audit trail evidence, you can demonstrate to auditors that you are taking appropriate measures to protect CUI and ensure that you are in compliance with NIST 800-171.
NIST SP 800-171 compliance in 2023
Many DoD contractors need to become not only NIST compliant but also adhere to the CMMC. According to CMMC 2.0 updates and enhancements announced in November 2021, certification requirements vary depending on the sensitivity of the CUI a company handles.
To start, organizations need to evaluate their security programs in terms of access controls, risk management, an incident response plan, and more. 110 controls may sound like a lot, but BigID’s automated, ML-based security capabilities have organizations covered when it comes to NIST SP 800-171 — and CMMC 2.0 — compliance.
Look to BigID for: deep and wide data classification functionality that includes NLP, fuzzy classification, and graph technology; automated risk scoring that measures risk based on a variety of data types; file access intelligence that identifies overexposed data and over privileged users; a breach data app that simplifies incident response following a breach; and much more.
With the deepest data discovery foundation out there, BigID can help any company find and protect all their high-risk, regulated CUI; proactively reduce risk on their most sensitive data; remediate, retain, or discard sensitive government information; and ultimately bring their security programs up to NIST compliance standards.
Set up a quick demo to learn more about how to secure CUI with BigID — and land more of those big government contracts.