NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, focuses on information shared by federal agencies with non-federal entities. Issued by the National Institute of Standards and Technology (NIST), the publication came into force on 1 January 2018 and acts as a guide for federal agencies to guarantee that Controlled Unclassified Information (CUI) is protected when processed, stored, and used in non-federal information systems.
CUI can generally be described as information that is not in the classified category and appeared as a term when federal agencies needed to address the large amounts of unclassified information processed by vendors and service providers.
NIST 800-171 is made up of 109 controls tailored from NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. These aim to protect CUI in nonfederal information systems from unauthorized disclosure.
The controls are separated into 14 families of security requirements: access control, audit and accountability, awareness and training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.
NIST 800-171 applies when there is no specific law that addresses how CUI received from the federal government should be protected. This means that other federal laws or regulations such as the Federal Information Security Management Act of 2014 (FISMA) are not superseded by NIST 800-171, but the publication is meant to be complementary to them, ensuring that any CUI that does not fall within their scope is still protected.
How can companies working with federal agencies become NIST 800-171 compliant? Here is our checklist.
Identify CUI
To comply with NIST 800-171, companies must first and foremost know whether they are receiving and using CUI and where it is being stored. This implies a full audit of company systems and data flows, starting with employee computers and ending with any third-party contractors the organization works with.
Data identification can be facilitated through tools such as Data Loss Prevention (DLP) solutions, which allow organizations to scan their entire company networks based on specific file types, predefined content, file names, regular expressions, or compliance profiles for standards such as NIST 800-171.
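The three rule kinds named above (file type, file name, and content regular expressions) are easy to illustrate with a small scanner. The script below is an added example, not code from the original page or from any DLP product: it walks a directory, skips file types outside the scanning scope, and flags files whose name or content matches a rule. Every rule and every sample file is constructed for the illustration; the CUI banner pattern is an assumed approximation of a marking, and the contract-number format is invented.

```python
"""Minimal CUI discovery scanner (added example, not a DLP product).

Flags files under a directory tree using the three rule kinds the checklist
mentions: file type, file name, and content regular expressions. All rules
and sample files are constructed for illustration.
"""
import re
import tempfile
from pathlib import Path

# File-type rule: only these extensions are in scope for content scanning
# (assumed set for the example).
SCANNED_EXTENSIONS = {".txt", ".csv", ".docx", ".pdf"}

# File-name rules (assumed patterns for the example).
FILENAME_PATTERNS = {
    "cui_in_name": re.compile(r"(?i)\bcui\b"),
    "export_control_in_name": re.compile(r"(?i)export[-_ ]control"),
}

# Content rules (assumed patterns for the example).
CONTENT_PATTERNS = {
    # Approximation of a CUI banner line such as "CUI" or "CUI//CATEGORY".
    "cui_marking": re.compile(
        r"\bCUI(?://[A-Z-]+)?\b|\bCONTROLLED UNCLASSIFIED INFORMATION\b"),
    # Constructed contract identifier format, e.g. "CTR-2023-0042".
    "contract_id": re.compile(r"\bCTR-\d{4}-\d{4}\b"),
}

MAX_BYTES = 1_000_000  # read at most this much per file to bound scan cost


def classify_file(path: Path) -> list[str]:
    """Return the rule names that fire for one file (empty list = no hit)."""
    reasons = []
    if path.suffix.lower() not in SCANNED_EXTENSIONS:
        return reasons  # out of scope by file type: skip entirely
    for name, pat in FILENAME_PATTERNS.items():
        if pat.search(path.name):
            reasons.append(f"filename:{name}")
    try:
        # Decode leniently so binary-ish files do not abort the scan.
        text = path.read_bytes()[:MAX_BYTES].decode("utf-8", errors="ignore")
    except OSError:
        return reasons  # unreadable file: report name hits only
    for name, pat in CONTENT_PATTERNS.items():
        if pat.search(text):
            reasons.append(f"content:{name}")
    return reasons


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk root and return {relative POSIX path: [reasons]} for flagged files."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = classify_file(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree(root: Path) -> None:
    """Write a small constructed set of files to scan (none is real CUI)."""
    (root / "hr").mkdir()
    (root / "eng").mkdir()
    (root / "hr" / "holiday_schedule.txt").write_text(
        "Office closed on public holidays.\n")
    (root / "eng" / "spec-CUI-v2.txt").write_text("Design notes.\n")
    (root / "eng" / "status.csv").write_text("week,contract\n12,CTR-2023-0042\n")
    (root / "eng" / "memo.txt").write_text("CUI//SP-CTI\nDeliverable review.\n")
    # .log is outside SCANNED_EXTENSIONS, so this hit is deliberately missed.
    (root / "eng" / "build.log").write_text("CTR-2023-0042 built OK\n")


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

Note the deliberate gap: build.log contains the contract identifier but is never opened because the file-type rule excludes it. A file-type filter keeps scans affordable, but it is also the kind of blind spot a later control test should look for.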
Classify Data
Once CUI is identified, it needs to be separated into the categories it belongs to. There are twenty approved CUI categories under NIST 800-171, among them data relating to critical infrastructure, defense, patents, privacy, and more. Each category comes with its own set of standards it needs to comply with, so it is crucial that CUI is classified correctly.
Perform a security assessment
Every company, depending on its size, sector, or the way it processes information, can have different security needs. The first step to developing an effective cybersecurity and data protection strategy, therefore, is to assess existing security measures. In this way, companies can test the strength of existing policies, discover vulnerabilities, and make informed, cost-efficient decisions when developing new strategies.
Develop and test baseline controls
Baseline controls are the foundation on which companies build their security and compliance efforts. Some companies that already have cybersecurity policies in place may have already adopted some of them, but it is important to note that baseline controls need to cover all 14 control families listed in NIST 800-171 to be compliant. Generally, baseline controls focus on security against external threats, endpoint protection, security for productivity tools such as Microsoft 365, email and password security, and backup and recovery.
Once the baseline controls have been outlined in a data protection strategy, they need to be tested to verify that they are effective and applied correctly by employees, and to identify any potential blind spots that may leave room for a data breach.
Regular risk assessments
To guarantee ongoing NIST 800-171 compliance, companies need to perform regular risk assessments to check that the security measures in place can adequately protect CUI against new and emerging threats. When vulnerabilities surface, organizations must take steps to mitigate them. With an ever-evolving threat landscape, constant vigilance and improvement are key to maintaining control of CUI.
Document security plans
When it comes to compliance, organizations must be able to provide proof of their efforts to comply with NIST 800-171 requirements. Companies should therefore document their security plans and keep them up to date with any changes that are implemented later. Documentation is also essential should a data breach occur: companies must show regulatory bodies evidence that the incident did not result from poor security practices on their side, which may help reduce or waive penalties.
Data breach response plan
While NIST 800-171 compliance should provide a solid security baseline for a company’s systems, no cybersecurity strategy is foolproof. New vulnerabilities and attack methods may be exploited before a company has a chance to patch its devices or update its security policies. Because of this, data breach response plans are a critical part of any data protection strategy.
Having a data breach response plan in place means that, if a security incident occurs, the company is prepared and employees know what steps to take to address it efficiently. The faster a data breach is contained, the cheaper it is for the company, and the less likely it is to be declared non-compliant with NIST 800-171.
Raising awareness
Once a security plan is implemented, companies must ensure that employees know and understand NIST 800-171 compliance requirements. Organizations need to inform all their personnel about the importance of following security rules and the consequences of non-compliance. They should also explain which policies are most pertinent to each department and make sure that any policy changes are communicated to employees immediately.