What is NIST SP 800-171 and What Role Does it Play in Defense Contracting Compliance?
The document library of the NIST website can be daunting and seemingly endless in terms of the various frameworks, controls and requirements that it provides. The 800 series, in particular, while important and, in many cases, necessary, is also hard to penetrate if you don’t already have some knowledge of what it contains. This can challenge organizations working with the DoD supply chain, especially those handling classified or sensitive material.
This article will cover one of these publications: NIST 800-171. This document defines security for a specific form of government information that many contractors under the executive or defense departments: CUI. While important, this document also informs several important security frameworks, namely CMMC.
What is NIST 800-171?
The National Institute of Standards in Technology (NIST) serves a critical role in compliance. This organization regularly posts “special publications” documents that address essential issues of cybersecurity in areas like cloud computing, IT controls, and sensitive government data.
One of the more prominent lines of special publications is the NIST 800 series. This collection of documents defines guidelines, rules and protocols used by the federal government to inform, if not outright shape, compliance standards. For example, NIST 800-53 illustrates a long list of security controls used in federal compliance standards like FedRAMP and NIST 800-30 details policies and procedures used under the Risk Management Framework (RMF).
Another essential publication is NIST 800-171. This document provides government agencies and their contractors with guidelines for protecting what is known as Controlled Unclassified Information (CUI).
What is CUI? CUI is information created as part of government operations deemed sensitive and, as such, in need of special controls and protections against unauthorized access or theft. More specifically, CUI is important yet unclassified information circulating through many federal information systems, primarily those associated with the Defense Department and the Executive Branch.
Why would there be a particular set of instructions for this type of data? It isn’t classified, it isn’t a commercial or corporate secret–and yet, the government has determined that this information calls for unique security in relation to it.
The reality of CUI is that, as part of the operations of the DoD and Executive, it was determined that free access to critical information not related to classified information could still, if not protected and monitored, significantly hinder the operations of certain agencies as well as limit the defensive capabilities of the U.S. military. Executive Order 13556, “Controlled Unclassified Information,” states that the primary issue of managing sensitive information like CUI is that (at the time) most agencies used ad hoc security frameworks to secure their systems. Furthermore, because so much information was moving through so many different systems, it was impossible to predict what data could potentially fall into the wrong hands.
Following the executive order, the NIST was drafted and published in SP 800-171 in 2015. Currently, in its second revision, this document outlines the requirements for securing CUI in IT systems. It draws its requirements from two sources:
- FIPS 200: FIPS 200 defines fundamental security requirements and controls for federal agencies as articulated under the Information Technology Management Reform Act of 1996 (FISMA). Under NIST 800-171, FIPS 200 are considered basic or foundational requirements for handling CUI.
- NIST 800-53: 800-53 is an additional set of controls meant to provide a flexible framework for several applications across multiple applications in the federal government. Under 800-171, controls drawn from 800-53 are considered derived requirements that supplement their basic counterparts.
The controls fall under multiple families that cover areas like Access Control, Incident Response, Risk Assessment, Security Assessment and Media Protection. By and large, there are several overlapping functions that the controls address:
- Cybersecurity: At its heart, NIST 800-171 outlines specific security controls to protect CUI. This includes minimum encryption standards, access control and IAM standards, network security protocols and practices and security assessment.
- Risk Management: Most cybersecurity frameworks turn to risk-based approaches to help inform control adoption and continuous monitoring. Assessing, managing and documenting risk is a significant component of this approach.
- Physical and Administrative Security: NIST 800-171 addresses localized security, such as securing physical data locations and workstations, training your workforce for compliance requirements and maintaining policies for the management, documentation and remediation of these threats. This includes protections for storage media where CUI could be stored, including ways to secure and destroy this media.
- Integrity and Audits: Regular audits to determine compliance, system integrity and risk posture are critical for storing CUI. NIST 800-171 details procedures for successfully managing these efforts.
NIST 800-171 and CMMC
One of the more recent security compliance frameworks in federal work is the Cybersecurity Maturity Model Certification or CMMC. CMMC is a framework created to centralize and streamline security and compliance around CUI in the DoD supply chain. CMMC defines several maturity levels that relate to increasing levels of compliance. More specifically, CMMC defines compliance based on levels of cyber hygiene and capabilities, both of which contribute to your systems’ overall stability and reliability.
While any required CMMC maturity level will be determined, in part, by an RFP or agency requirements, there are steadfast requirements:
- Any contractor or agency to handle Federal Contract Information (FCI) must have at least a CMMC Level 1 certification.
- Any contractor or agency to handle CUI must have at least a CMMC Level 2 certification.
Beyond this, CMMC level 3 defines the requirements for handling data with an eye toward advanced, optimized security infrastructure that can counteract or resist Advanced Persistent Threats (APTs).
However, the entire CMMC framework is focused on one primary goal: preparing and certifying organizations for the management of CUI.
Prepare for CMMC and CUI Security with Lazarus Alliance
If you are an organization that is planning to work with agencies in the DoD supply chain or any area where CUI will be part of your projects, then understanding NIST 800-171 and CMMC is a must. However, it isn’t up to you to understand these requirements independently. Our experts can bring decades of experience in federal and commercial compliance consulting and auditing to streamline your preparation and certification so you can focus on expanding your business.
Ready to Understand CUI and CMMC Requirements?
Call Lazarus Alliance at 1-888-896-7580 or fill our this form.