If you are a defense contractor handling controlled unclassified information (CUI), the DoD requires you to comply with NIST 800-171, published by the National Institute of Standards and Technology (NIST). NIST 800-171 is the industry standard for cybersecurity that ensures the protection and confidentiality of this information. Contractors have been required to meet the 110 NIST 800-171 requirements since 2017. And while enforcement of NIST 800-171 has been light in the past, it will intensify now that assessments are becoming a reality under CMMC 2.0.
If you’re new to NIST 800-171, this blog will walk you through what you need to know about the standard and best practices to achieve compliance.
What is NIST 800-171?
DFARS 252.204-7012 requires defense contractors to provide “adequate security” for Covered Defense Information (CUI) that is “processed, stored, or transmitted on the contractor’s internal information system or network.” To provide this level of security, contractors must implement NIST 800-171 and develop a System Security Plan (SSP) and associated plans of action.
NIST 800-171 originated in 2010 with an Executive Order (EO) signed by President Obama. The EO created the CUI categories and subcategories as the designations used to identify unclassified information that requires safeguarding or dissemination controls.
In 2015, the National Institute of Standards and Technology (NIST) released its 800-171 standard. NIST has updated the standard several times since then to respond to evolving cyber threats.
In 2017, the Department of Defense (DoD) made NIST 800-171 a contractual requirement through the DFARS clause.
Today, NIST 800-171 is the standard for all Defense Industrial Base (DIB) defense contractors handling CUIs. Defense contractors must meet the requirements set forth by NIST 800-171 to demonstrate that they provide adequate security or risk being ineligible to work on defense contracts.
Why You Need to Comply with NIST 800-171
Any organization that manages CUI must comply with NIST 800-171. Defense organizations risk defaulting on their DoD obligations if they fail to implement the controls. Additionally, as CMMC 2.0 is rolled out, compliance will be enforced through assessments by CMMC Third Party Assessor Organizations (C3PAOs) and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Defense organizations also risk a Justice Department investigation if they experience a breach that compromises CUI and are later found to have misrepresented their security status. The Department of Justice (DoJ) will potentially use the False Claims Act when it finds these kinds of major discrepancies. NIST’s goal is to protect the data that is so vital to our national security, and the DoJ stands ready to help with that through the False Claims Act.
But compliance isn’t just a check mark on a list. With NIST 800-171, organizations also develop a strong cybersecurity program. By complying with the 110 NIST controls and 14 related domains, organizations will be able to:
- Develop security training and awareness programs
- Develop better data security
- Enable documentation and measurement of their cyber programs
- Ensure that their cybersecurity progress continues into the future
How does NIST 800-171 differ from CMMC 2.0?
For DIB companies seeking CMMC 2.0 compliance, meeting NIST 800-171 is a good place to start. There are, however, key differences between NIST 800-171 and CMMC 2.0.
First, CMMC 2.0 is broken down into three levels. There is level 1 (basic), level 2 (advanced) and level 3 (expert). Most companies will need to achieve level 1 or 2. NIST 800-171 has no levels.
Second, NIST 800-171 compliance has largely been left to self-assessment. Under CMMC 2.0, however, self-assessment will be possible only for Level 1. For Levels 2 and 3, all organizations will need to be assessed by a DIBCAC assessor.
NIST 800-171 controls
There are 14 families of controls in NIST 800-171, as shown in the table below.
In their System Security Plan (SSP), defense organizations will describe how they meet each of the 110 controls in the 14 security domains and address known and anticipated threats.
Here is an overview of the 14 families.
Access Control
Ensure that only personnel, accounts, and system processes that require access to CUI have such access.
Awareness and Training
Provide appropriate training and skills to those responsible for CUI protection.
Audit and Accountability
The contractor must know what CUI is retained, where it is stored and processed, and by whom, when, and where it is processed.
Configuration Management
Every component and process in a computer system has a configuration that dictates how it works. By standardizing and managing configurations, systems and software perform in definable and measurable ways.
Identification and Authentication
Employ measures that ensure authorized access is obtained only by those whose identities are confirmed and approved.
Incident Response
A defined response plan that outlines how the business will respond to a breach and ensure it can resume operations.
Maintenance
The plan the team created to keep computer systems up to date and ensure that vulnerabilities are patched, flaws are corrected, and subsystems continue to function.
Media Protection
Create policies on how physical media is handled, stored, and transported.
Personnel Security
Plan to ensure that employees, contractors, and vendors are properly vetted, authorized, and approved.
Physical Protection
Systems that contain CUI may be subject to theft or damage. Protect portable workstations, laptops, mobile devices, servers, and data storage areas that hold CUI.
Risk Assessment
Periodic assessments of risks to personnel, systems, and information, and review of controls to ensure they are adequate.
Security Assessment
Periodically test and review security control measures, both logical and physical, to verify that they meet objectives; refine and update as needed.
System and Communications Protection
Additional measures to protect CUI data from unauthorized exposure; encryption is an important consideration.
System and Information Integrity
Ensure that the systems and the data and information they process are trustworthy and have not been maliciously or accidentally modified.
How to Achieve NIST 800-171 Compliance
Historically, defense contractors have approached cybersecurity requirements like a checklist. NIST 800-171 and CMMC 2.0 overturn this. Modern cybersecurity in the DIB isn’t about checklists, it’s about developing a data protection mindset.
To achieve NIST 800-171 compliance, you must first determine where CUI is in your environment. Ideally, you’ll want to condense this environment into a confined area called an enclave. By creating an enclave, you reduce the footprint that needs to be assessed and also reduce the complexity of the compliance exercise as a whole.
Second, you need to deploy a solution to protect your CUI. The PreVeil platform, for example, is ideal for SMBs that only need to protect CUIs in part of their organization. PreVeil supports 84 out of 110 NIST 800-171 checks. It is easy to deploy and use. It is also very affordable and can be downloaded by your third parties for free.
Third, you should perform a self-assessment of your organization against the 110 NIST 800-171 controls. You should detail how you meet each of the controls through a combination of technologies and policies and be able to provide an example of how each control is met. Alternatively, PreVeil can also provide a pre-populated SSP template that can serve as the basis for your own document and help you identify gaps and areas for improvement in your environment.
Lastly, you must engage a third-party MSP, MSSP, or RP (Registered Practitioner) to help you meet the remaining controls that you cannot satisfy yourself. PreVeil, for example, does not support 26 of the 110 controls and therefore recommends that contractors hire a consultant to help them create and manage a delta closure plan.
Don’t procrastinate. Implementing a consultant’s recommendations and completing the compliance documentation will likely take 6 months or more.
PreVeil and NIST 800-171
The key to achieving NIST 800-171 compliance is a multi-pronged approach encompassing both technology and policy. Implement modern technology solutions in conjunction with appropriate policies and procedures to ensure CUI security.
Data protection is paramount. PreVeil’s file sharing and messaging platform supports compliance with virtually all NIST 800-171 mandates related to CUI communication and storage.
PreVeil Drive allows users to encrypt, store and share their files containing CUIs. Users can easily access these files from their computers or mobile devices and share them with vendors and partners.
PreVeil Email is an encrypted email service that meets NIST 800-171 requirements. It adds an encrypted mailbox to Outlook and Gmail. This allows users to send and receive email under their existing email addresses, while protecting that data with military-grade encryption.
The DFARS clause includes several contractual requirements beyond the NIST 800-171 security controls, which PreVeil also meets. PreVeil’s key compliance attributes include:
- Compliant with FedRAMP Baseline Medium Equivalent as a cloud service
- Stores encrypted data on FedRAMP High AWS GovCloud
- Complies with DFARS 252.204-7012(c)-(g), which outlines requirements for cyber incident reporting and media preservation
- Uses FIPS 140-2 validated cryptographic module
Achieving NIST 800-171 compliance now will ease your company’s journey to the new Level 2 when CMMC 2.0 becomes law. PreVeil can facilitate your compliance with NIST 800-171 today and with CMMC 2.0 when it passes.
To learn more about how PreVeil’s Drive and Email platforms can help your organization improve its cybersecurity and move toward NIST 800-171 compliance, please contact us at preveil.com/contact or (857) 353-6480.
The post Understanding NIST 800-171 and what it means for your organization appeared first on PreVeil.
*** This is a syndicated Security Bloggers Network blog from Blog Archive – PreVeil written by Orlee Berlove. Read the original post at: https://www.preveil.com/blog/understanding-nist-800-171-what-it-means-for-your-organization/