NIST SP 800-171 sets out the security requirements and practices for non-federal organisations that handle CUI (Controlled Unclassified Information) on their networks.
NIST 800-171 has received regular updates due to persistent cyber threats and ever-changing technologies. The most recent version, called revision 2, was released in February 2020.
NIST is a non-regulatory federal agency responsible for establishing guidelines that apply to federal agencies on many topics, such as cyber security.
Achieving NIST SP 800-171 compliance is crucial: if you want to deal with government agencies, it is a requirement. ISMS.online offers NIST SP 800-171 compliance software solutions that can be tailored to your organisation’s needs.
National Institute of Standards and Technology Special Publication 800-171 requires any organisation that processes or stores sensitive, unclassified information for the US government to comply with its cyber security requirements.
NIST 800-171 is designed to safeguard CUI in the IT networks of government contractors and subcontractors.
NIST 800-171 reinforces the security of the whole federal supply chain by defining requirements for contractors who handle sensitive government information. It establishes a single baseline cyber security standard for all contractors and their subcontractors.
A number of agencies and organisations are required to comply with NIST 800-171; these are:
NIST 800-171 can seem like a hard requirement at first (it’s not – your organisation will master it in no time!), but implementing all the required controls brings an organisation several benefits; these are:
Controlled Unclassified Information (CUI) is information created or owned by the government that is not classified. Patents, technical data, or information relating to manufacturing or acquiring goods and services might be included.
CUI is an umbrella term that covers many different markings used to identify information that is not classified but should be protected. These are:
Although CUI is not classified information, its compromise can still have negative national security and economic consequences. Failure to comply with NIST 800-171 requirements can result in loss of contracts, lawsuits, fines and reputational damage. ISMS.online can help you comply with NIST SP 800-171 requirements with a variety of pre-built frameworks you can choose to adopt, adapt or add to depending on the unique needs of your organisation.
Contractors who need access to CUI must create compliance and security procedures covering 14 critical areas (the requirement families).
The 14 key areas are explained below.
Access Control: twenty-two different requirements help to ensure that only authorised users can access the system. Provisions protect the flow of sensitive information within the network and provide guidance on the network devices in the system.
Awareness and Training: there are three requirements in this family. System administrators and users must be aware of security risks (and the related cyber security procedures), and employees must be trained to carry out their security-related roles.
Audit and Accountability: nine requirements focus on auditing and analysing system and event logs. Reliable audit records make best-practice analysis and reporting possible, and regular review of security logs helps to detect and mitigate cyber security incidents.
Configuration Management: the proper configuration of hardware, software and devices is covered by nine requirements. Preventing unauthorised software installation and restricting non-essential programs are part of this family.
Identification and Authentication: only authorised users may access the organisation’s network or systems. Eleven requirements ensure that the distinction between privileged and non-privileged accounts is reflected in network access.
Incident Response: three requirements cover the organisation’s response to serious cyber attacks. Procedures must be in place to detect, contain and recover from incidents within the organisation, and regular testing of these capabilities is part of proper training and planning.
Maintenance: six requirements cover best-practice system and network maintenance procedures. These include performing regular system maintenance and making sure that external maintenance is authorised.
Media Protection: nine security requirements help organisations control access to sensitive media. They govern the storage and destruction of sensitive information and media in both physical and digital formats.
Personnel Security: two security requirements cover personnel and employees. The first requires security screening of individuals before they access systems that contain CUI. The second ensures that CUI is protected during personnel transfers and terminations, including the return of building passes or hardware.
Physical Protection: six security requirements deal with physical access to CUI within an organisation, including the control of guest access to work sites. Access to hardware, devices and equipment must be limited to authorised personnel.
Risk Assessment: two requirements cover performing and analysing regular risk assessments. Organisations must keep network devices and software updated and secure; identifying and remediating vulnerabilities improves the security of the entire system.
Security Assessment: four requirements cover reviewing and renewing system controls and security plans. Regular review of security assessment procedures identifies vulnerabilities so they can be addressed, which keeps the plans that safeguard CUI effective.
System and Communications Protection: there are 16 requirements for the monitoring and safeguarding of systems and communications. They include preventing unauthorised information transfer, denying network communications traffic by default, and following best-practice cryptography policies.
System and Information Integrity: seven requirements relate to the monitoring and protection of systems, including monitoring system security alerts and identifying unauthorised use of systems.
NIST 800-171 compliance can be demonstrated through a process of self-assessment. It can seem daunting that over 100 requirements must be met to achieve compliance.
Your organisation should set out a straightforward process for carrying out the NIST 800-171 assessment:
Compliance with NIST 800-171 will be a core part of any contract between the US federal government and a contractor who handles controlled unclassified information on their IT networks.
NIST 800-171 compliance may require a deep dive into your networks and procedures to put the appropriate security procedures in place. Failure to comply could affect any dealings with government agencies, and if you miss the deadline you risk losing government contracts.
Complying with NIST standards has several benefits. The NIST Cybersecurity Framework helps organisations safeguard their sensitive data.
Working towards NIST compliance also helps organisations comply with other government and industry regulations.
If you’re a federal agency, achieving NIST 800-171 compliance can help you meet the requirements of FISMA (the Federal Information Security Management Act).
If you’re looking to comply with HIPAA (the Health Insurance Portability and Accountability Act) and SOX (the Sarbanes-Oxley Act), NIST compliance will help, as the standards share many of the same pillars.
Remember, NIST compliance doesn’t always ensure complete security. Complying with NIST and other standards is only the first step. Continuous monitoring for web application vulnerabilities, implementing comprehensive security policies, conducting ongoing employee training to promote cyber security awareness, and more are some of the tasks that need to be done to ensure robust cyber security.
If you don’t use ISMS.online, you’re making your life more difficult than it needs to be!
ISMS.online is continually evolving to meet the information security, privacy and business continuity needs of organisations across the globe. Achieve NIST SP 800-171 compliance easily with our platform.
ISMS.online comes with a variety of pre-built frameworks you can choose to adopt, adapt or add to depending on the unique needs of your organisation. Or you can easily build your own for bespoke compliance projects.
NIST 800-171 and ISO 27001 share many similarities. NIST 800-171 can be mapped to the international ISO 27001 standard in the key control areas, including:
ISMS.online compliance software can help you map NIST SP 800-171 controls to relevant ISO/IEC 27001 controls. We’ve developed a series of intuitive features and toolsets within our platform to save you time and ensure you’re building an ISMS that’s truly sustainable.
The NIST 800-171 self-assessment is a complex task because it audits every element of an organisation’s security systems and network. Preparation is key.
Five core steps to prepare for your NIST assessment:
NIST SP 800-171 was first published in June 2015 and has been updated several times since.
NIST 800-171 has received regular updates to keep up with emerging cyber threats and technologies. The latest version of 800-171, called revision 2, was released in February 2020.
NIST SP 800-171 and NIST SP 800-53 have the same goal of keeping data secure, but they set out different guidelines for different areas to accomplish that.
The measures that should be in place to ensure that CUI is handled appropriately are the focus of NIST 800-171, while NIST 800-53 focuses on storing classified data and the security measures that should be in place to ensure that data is protected.