It’s imperative for all small and medium-sized enterprises (SMEs) to take measures to protect company data and assets as cybercrime and industrial espionage evolve. SMEs that partner with the government have an even greater incentive to focus on security, because they often have access to health records, financial statements, patents, and other protected information. This data may not be classified, but it’s still sensitive and must be stored and accessed appropriately.
The U.S. Department of Commerce set out to describe best practices for security resilience via a non-regulatory body called the National Institute of Standards and Technology (NIST). NIST publishes guidelines for organizations that want to engage with the government or adopt the latest and greatest information security standards.
NIST SP 800-171 is a subset of those guidelines, as are several other special publications, including NIST SP 800-53 (risk frameworks) and NIST SP 800-63 (password and identity management guidelines).
NIST SP 800-171 outlines the standards for accessing, storing, and monitoring controlled unclassified information (CUI), according to Executive Order 13556 — the law establishing an open and uniform program for managing CUI. The Biden administration further strengthened federal standards with an executive order issued in May 2021, to establish standard security controls and a strategy for Zero Trust architecture implementation.
CUI is any information the government or an organization contracted with the government creates or owns that must be safeguarded with information security controls. CUI can take the form of personally identifiable information (PII) or unpublished research.
NIST SP 800-171 has had regular updates since its first release in 2015, adding suggested strategies and tactics based on new technologies and emerging cyber threats. By mandating NIST SP 800-171 for all contractors (and their subcontractors), the U.S. government bolsters federal security across its supply chain.
Who Needs a NIST SP 800-171 Compliance Plan?
Because companies that work with the government have the potential to handle, transfer, or modify classified or controlled unclassified information, they must have airtight data processing, storage, and security plans.
Examples of organizations that should be NIST SP 800-171 compliant are:
- Educational or research institutions
- Consulting firms
- Manufacturers
- Communications providers
- Financial services firms
- Healthcare data processors
- System integrators
How Do I Implement NIST SP 800-171?
There are 110 security requirements in NIST SP 800-171, organized into 14 different groups. Because each “family” of requirements has its own compliance conditions, many companies use the broader categories as milestones in their NIST SP 800-171 implementation plan.
What Should I Include in the Plan?
Before you begin to tackle the 14 areas of requirement in NIST SP 800-171, you should define the type(s) of CUI your company manages. CUI could be:
- Bank account numbers
- Credit card numbers
- Technical plans
- Social security numbers
- Resident status
- Statistical information (such as U.S. Census data)
Next, identify where you plan to store that CUI and who will access it. Forward-thinking IT and security teams may already have implemented a least-privilege or Zero Trust security model to ensure that only certain people can access certain data at certain times. In addition to having those models in place, you should have a reporting tool to determine who has viewed, shared, downloaded, or forwarded this data at any time.
Then, figure out how you can monitor any changes to CUI. Part of achieving NIST SP 800-171 compliance is being able to track and respond to any security incidents, and that means you need to pinpoint any suspicious or irregular behavior in real time. Remember that you’ll need an audit trail for root cause analysis and reporting incidents to government bodies.
Areas of Requirement for NIST SP 800-171
At a more granular level, your plan must address all 14 areas of requirement, described in detail below.
- Access controls: Only authorized users should be able to access networks and systems that house CUI. This applies broadly, from servers to laptops, phones, and other endpoint devices, and even to routers, and involves implementing contextual access controls.
- Awareness and training: Companies need to educate their staff on cybersecurity threats in the context of CUI and teach them best practices to minimize risk. Employees should be able to identify incidents when they happen and report them to the right people who can triage and address the root cause of the issue.
- Auditing and accountability: For NIST compliance, companies need to know who is responsible for managing CUI and who is accessing it at any point in time. This is where an audit log comes in handy — companies can use it to hold people accountable for proper CUI storage, processing, and handling. Continuously reviewing these logs can help IT and security teams find and address vulnerabilities early and often.
- Configuration management: NIST has guidelines for maintaining secure configurations across software, hardware, and firmware. NIST-compliant companies regularly update these devices and applications while restricting employees from installing unauthorized software or programs.
- Identification and authentication: This area of requirement focuses on managing authentication and permissions. You need to be able to track every single user that attempts to access any system at any time. At the same time, you should be safeguarding CUI with authentication tools like MFA or biometrics and relevant password policies.
- Incident response: Every NIST-compliant company has step-by-step instructions for preserving CUI when responding to a security incident. This plan should incorporate data collection, analysis, problem containment, communication, and service restoration.
- Maintenance: The scope of CUI that companies manage can grow over time, necessitating ongoing security and change management programs. Consistently updating your cybersecurity protocols, tracking external maintenance, and following NIST’s other system and network maintenance best practices can get you on the right track.
- Media protection: Sometimes, companies need to store CUI on external drives, thumb drives, CDs, and other equipment. All of these systems need NIST-compliant protection and monitoring. And if any devices are tampered with, the company needs to follow a standard protocol for sanitizing and destroying them.
- Personnel security: All staff must be screened before joining any government project. And if any employee decides to leave a project or is formally discharged, companies need to protect the CUI that the individual managed — revoking building passes and recovering any hardware in their possession.
- Physical protection: Only authorized personnel should be able to access the physical areas where CUI exists. Locking rooms with sensitive files or devices with facial recognition, fingerprint scanners, or PIN codes can help.
- Risk assessment: NIST-compliant companies perform frequent pen tests to develop a CUI risk profile and patch vulnerabilities before full-blown problems arise. Doing this on a continual basis strengthens a company’s entire security system.
- Security assessment: You’ll need a way to demonstrate that your security procedures are working properly. To do this, you’ll need a monitoring system to show the security controls you’ve implemented, how they are being used, and their effectiveness.
- System and communications protection: CUI can be transmitted in any form of communication — email, fax, text, or instant message. Any time CUI is transmitted, it must be encrypted.
- System and information integrity: The last NIST requirement concerns malware and other malicious code. Companies need a way to identify, report, and repair system flaws or flag suspicious behavior in real time.
How Do I Start Working Toward Compliance?
Those 14 categories can feel like a long list, but you may already have some of the right security measures in place. The best place to start working toward NIST compliance is to establish a baseline.
Where do you currently stand on each of the 14 areas of requirement?
Do you need to beef up your employee education? Perhaps you need a new continuous monitoring system or one with better reporting. Or maybe you need to install a new physical security system.
You must provide documentation during a NIST SP 800-171 compliance assessment, so you might as well list the controls and requirements you’ve already met. Make it easy to find information regarding processes, data storage and flow, network architecture, and training.
Once you take stock of what you already have, it’s time to dive into what you might be missing. Write down any gaps you need to fill and start brainstorming ways to fill them. If you are having trouble, you can hire a NIST consulting partner to help create an exhaustive list.
This extra help is especially useful if your company wants to work with the Department of Defense. Companies in that position must take their security further by meeting the Cybersecurity Maturity Model Certification (CMMC) security framework.
After compiling all of this information, it’s time to formalize your security plan. It should outline all of the policies and steps you’re taking to address the 14 areas of requirement, including formulating and publishing a remediation plan. Finally, create a timeline for filling in the remaining gaps and assign tasks to the right teams to move your NIST compliance project forward.
What Are the Consequences of Non-Compliance?
If you collaborate with a government agency and do not comply with NIST SP 800-171, your contract will likely be suspended, not renewed, or terminated outright. Exposing CUI can be extremely dangerous, opening the door to malware, ransomware, and phishing attacks that would bring government operations to a halt.
Depending on the severity of the case, the government may recover damages for a breach of contract. Or, if that government organization does a deeper investigation and finds out your company was dishonest about NIST compliance, you could be charged with criminal fraud.
How Do I Prepare for a NIST SP 800-171 Assessment?
There are no certificates or third-party audits to verify that a company is NIST SP 800-171 compliant; companies prove they are compliant via self-assessment. Within your self-assessment, you need to provide evidence that you’ve addressed all of the controls associated with NIST SP 800-171’s 14 areas of requirement.
We’ve already talked about creating a plan to identify the security requirements you do have and tackle the ones you don’t. But as you prepare for a NIST SP 800-171 self-assessment, you should also:
- Assemble a team: There is no way to achieve NIST SP 800-171 compliance without the help of a dedicated team. Pull IT and Infosec team members together, and clarify their roles and responsibilities in the self-assessment.
- Communicate your plan across the business: You’ve already developed a plan for NIST SP 800-171 compliance; now you just need to disseminate it. Getting employees and leadership onboard with your plan will improve understanding of and cooperation with new policies.
- Make a contact list: Create a list of everyone involved in the government project, including system admins and infosec specialists operating in the background. This makes it easy for government partners to know who to contact if they have questions about the assessment or if a security issue pops up in the future.
- Gather your proof: Now is your time to be comprehensive. Gather every piece of evidence your government partner could need: system architecture maps, security policy documents, pen test audit logs, and other system manuals and records.
- Write your statements: Once you’ve collected your documentation, write a statement about each control and how that documentation demonstrates your compliance. If you have not yet met a certain requirement, outline how you plan to achieve it.
- Add everything to a System Security Plan (SSP): Formalize your documentation and write-ups in a complete System Security Plan that you can deliver to your government partners, and be prepared for them to ask questions.
While you can stop at creating this self-assessment, many organizations choose to obtain a Level 3 Cybersecurity Maturity Model Certification. These certifications are awarded by a certified third party that conducts a deep dive into your System Security Plan. Because CMMC Level 3 has more in-depth requirements than NIST SP 800-171, government partners will assume NIST SP 800-171 compliance.
Eliminate the Complexity of Compliance with JumpCloud
Implementing all the controls you need for NIST SP 800-171 is hard enough; maintaining them over time is even tougher. Today’s organizations face a complex web of compliance requirements and need a tool to help them manage their security.
JumpCloud simplifies compliance and security management, giving security admins a bird’s-eye view into the organization and the capacity to dive into the details. JumpCloud makes it easy to enforce security policies and identify vulnerabilities while helping admins identify opportunities for greater operational efficiency and cost savings.
JumpCloud is an open directory platform that unifies identity, access, and device management capabilities, regardless of the underlying authentication method or device ecosystem. JumpCloud authenticates users whether they use biometrics, digital certificates, passwords, or SSH keys.
The platform treats identities as the new perimeter, and password management is one element of that. Secure, frictionless access is fundamental for IT organizations, and is why JumpCloud ensures that every resource has a best way to connect to it. For example:
- Servers use SSH keys, which are more secure than passwords
- Passwordless certificates can secure RADIUS Wi-Fi access
- Web applications use SAML and OIDC for authentication
- Privileged access is governed by conditional access rules
Want to learn more about how to establish data hygiene in your organization? Download The IT Manager’s Guide to Data Compliance Hygiene.