The ongoing threat of cyberattacks and a litany of high-profile data breaches underscores the importance of improved security for any information systems dealing with sensitive government information. That’s particularly true of private contractors who work with the DoD and other government agencies but may not be adopting security best practices.

In response, NIST SP 800-171 was developed to create a set of standards to ensure cyber hygiene and the safeguarding of Controlled Unclassified Information (CUI).


What Is NIST SP 800-171?

The National Institute of Standards and Technology (NIST) is a government agency that’s part of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

Established in 1901, NIST employs over 2,000 scientists and engineers. It has created thousands of standards and special publications, including NIST SP 800-171, which defines the security requirements for protecting Controlled Unclassified Information (CUI) when it is stored, processed, or transmitted by nonfederal organizations such as contractors.

Who Does It Apply To?

Any nonfederal organization that processes, stores, or transmits CUI on behalf of the Department of Defense (DoD), General Services Administration (GSA), NASA, or another federal agency must meet the requirements outlined in 800-171. That includes prime contractors, their subcontractors, and state and local agencies or universities that receive federal CUI.


What Is CUI?

CUI is at the core of NIST 800-171. It’s the reason the standards were created. Controlled Unclassified Information (CUI) is information that is not classified but that a law, regulation, or government-wide policy requires to be safeguarded or to have its dissemination controlled. In practice, that means it is sensitive enough that it cannot be left unprotected, even though it never receives a classification marking.

CUI can exist in many forms, including:

  • Electronic files
  • Emails
  • Email attachments
  • Proprietary information
  • Blueprints
  • Paper files

So what kind of information would be considered sensitive but not be classified? An example might be the design for a widget that was later sold to the military for use in an aircraft. While seemingly insignificant compared to the specifications for a weapons system, it’s not something you’d want falling into the wrong hands, and it should be protected.

Why Does CUI Need Safeguarding?

According to a 2015 New York University study, approximately nine million people work for the federal government, 40% of whom are private contractors responsible for safeguarding CUI. Like nearly every business, they are under the constant threat of a data breach.

From massive data breaches at Marriott in 2018 and Equifax in 2017 that compromised hundreds of millions of accounts to the 2013 Yahoo! breach that involved all of its three billion users, the scale and severity of cyberattacks has escalated over the past decade. That includes notable breaches involving DoD contractors.

Contractors in the Crosshairs

2018 Navy Project “Sea Dragon”

Chinese government hackers compromised a contractor working for the Naval Undersea Warfare Center, a military organization headquartered in Newport, R.I. that conducts research and development for submarines and underwater weaponry. The 614GB of material stolen included project details, sensor data, and cryptographic systems information – highly sensitive data housed on an unclassified network.


2018 DoD DTS Employee Information

Hackers compromised a DoD contractor responsible for employee travel records. As many as 30,000 employees were potentially affected, with personal information compromised including credit card data.


Although federal information systems were regulated by NIST 800-53, until 800-171 no such standards existed for commercial contractors that support the DoD and other government agencies. Cyber attackers were targeting these smaller businesses, which typically allocate a smaller budget (if any) to security, making them vulnerable to breaches. 

With NIST 800-171, the U.S. government set out to make it harder for attackers to reach the sensitive information that federal contractors handle, by establishing a uniform set of requirements that define how CUI must be safeguarded on nonfederal systems.


NIST 800-171 Categories and Controls

NIST SP 800-171 is a separate publication from the NIST Cybersecurity Framework, but the two are often read together, and the 800-171 requirements map onto the five functions of the Framework Core:

Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. 

Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. 

Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

NIST SP 800-171 was derived from FIPS 200 and the moderate-impact baseline of NIST SP 800-53, tailored to the subset of controls that protect the confidentiality of CUI on nonfederal systems. It contains 110 security requirements across the following 14 families, which cover both administrative and technical controls: 

  • 3.1 Access Control
  • 3.2 Awareness and Training
  • 3.3 Audit and Accountability
  • 3.4 Configuration Management
  • 3.5 Identification and Authentication
  • 3.6 Incident Response
  • 3.7 Maintenance
  • 3.8 Media Protection
  • 3.9 Personnel Security
  • 3.10 Physical Protection
  • 3.11 Risk Assessment
  • 3.12 Security Assessment
  • 3.13 System and Communications Protection
  • 3.14 System and Information Integrity

The following chart shows a breakdown of the NIST 800-171 categories and the type of response they fall into.

Implementing NIST SP 800-171

Like all things government, the specific security controls addressed within each 800-171 category can be confusing. That’s why we’ve created a helpful guide that uses simple and direct language to clearly spell out what is required within each control.

Within the controls, several typically require third-party software to achieve compliance. However, it’s important to note that not all of the categories are IT related – some address physical security, personnel, and awareness and training – so be wary of anyone selling a 100% software-based NIST compliance package.


A Requirement, Not an Option

Due to the sensitivity of the information at risk, and the persistent threat of a breach, NIST 800-171 was written into DoD contracts as a requirement rather than a recommendation for every contractor that handles covered defense information. 

DFARS 252.204-7012(b)(2)(ii)(A) requires that contractors “…implement NIST SP 800-171, Protecting CUI in Nonfederal Systems and Organizations, as soon as practical, but not later than December 31, 2017.”

Furthermore, verbiage was added to DoD contracts stating that by submitting a response to the RFP, contractors certify that they are compliant with NIST 800-171 – and noncompliance could result in failure to obtain the contract or loss of a contract, as well as removal from the DoD Approved Vendor list. 

But while NIST 800-171 was drafted as a requirement, government contractors only had to self-attest that they were in compliance with the standards or were actively working toward meeting them.

From Self-Verification to Mandatory Audits

Since the NIST SP 800-171 guidelines were released, a majority of private contractors have ignored the NIST guidelines. Although they were required to meet the standards, the lack of a third-party auditing protocol meant contractors could state they were compliant and win a contract without following through on the requirements. 

For that reason, the DoD announced in 2019 that all contractors had 18 months to become compliant. At the end of that window, every private contractor working with the DoD would be subject to audit. Those found to be noncompliant not only risk losing current contracts but also will be unable to secure any future contracts.

Why the sudden change? It’s actually not that sudden. The original deadline to become NIST compliant was in December 2017, but no one took it seriously, including the DoD. Since then, hundreds of smaller data breaches have occurred within the private contractor community.

As of February 2018, around 8% of private contractors reported a data breach at least one time since 2016. In many of those cases, there were multiple breaches. That means personal information for nearly 300,000 employees was compromised.

Even more concerning is the possibility that bad actors accessed sensitive CUI. In fact, there are reports that adversaries of the United States have developed military equipment from stolen design data.

CMMC

In response to the failure of self-assessment, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) announced the Cybersecurity Maturity Model Certification (CMMC), a new certification model designed to verify that DoD contractors have sufficient controls to safeguard sensitive data.

Built in part from NIST 800-171 and other cybersecurity frameworks, the CMMC is set to take effect in January 2021. At that time, any organization intending to do business with the DoD will be subject to a mandatory audit to obtain CMMC certification before a contract is awarded.

Though it would ostensibly seem that CMMC will be replacing NIST 800-171, it’s important to note that the two are not interchangeable. While both NIST 800-171 and CMMC primarily focus on CUI, NIST 800-171 also addresses 63 Non-Federal Organization (NFO) controls. So CMMC certification will not ensure NIST compliance.

Furthermore, although CMMC is moving quickly, it could take a few years for it to be fully implemented. During that time, and until all of the details pertaining to CMMC become clear, it will be important to demonstrate compliance with 800-171.


Getting Started

Becoming NIST compliant is an ongoing process. You must continuously assess, design, deploy, and manage your systems. You need to:

  • Assess your current security controls
  • Design required changes within your systems
  • Deploy those changes within your system and enforce your new policies
  • Manage the system continuously

However, you can create two essential documents – a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) – each of which satisfies its own NIST requirement: 3.12.4 calls for a system security plan that describes the system boundary, the operating environment, and how each requirement is implemented, and 3.12.2 calls for plans of action to correct deficiencies and reduce or eliminate vulnerabilities.

Start by creating your SSP in a simple Excel document that outlines each control. Then go through each one and answer how you’ve implemented the control and whether it satisfies the requirement. If you currently do not satisfy the control, it goes into your Plan of Actions and Milestones (POA&M).

Example of an SSP NIST SP 800-171 Security Requirement

A POA&M is a key document that describes the current status of any vulnerabilities and the actions to be taken to correct them. It facilitates a disciplined and structured approach to tracking risk mitigation activities. The POA&M should include findings from regular ongoing monitoring as well as periodic security assessments, such as the annual assessment.

Example of a POA&M NIST Compliance 800-171 Control List
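The SSP and POA&M procedure above can be driven from a single per-control assessment record, so that every unmet requirement lands in the POA&M automatically with an owner and a milestone date. The script below is an added example and not part of the original article; the control identifiers and requirement text follow NIST SP 800-171 Rev. 2, while every status, implementation note, owner, and date is a constructed assumption for illustration. It also applies two checks an assessor will ask about: a “not applicable” control must carry a written justification, and an open finding must have an owner and a milestone.

```python
"""Derive an SSP control table and a POA&M from per-control assessment records.

Added example (not from the original article). Control IDs and requirement
text follow NIST SP 800-171 Rev. 2; statuses, notes, owners and dates are
constructed assumptions used only to illustrate the workflow.
"""
import csv
from datetime import date

POAM_STATUSES = {"partially implemented", "not implemented"}
VALID_STATUSES = POAM_STATUSES | {"implemented", "not applicable"}

# Constructed sample assessment: five requirements, one per possible outcome.
SAMPLE_ASSESSMENT = [
    {"id": "3.1.1", "family": "Access Control",
     "requirement": "Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).",
     "status": "implemented",
     "implementation": "Domain group membership reviewed quarterly; CUI file shares restricted to project groups.",
     "owner": "", "due": ""},
    {"id": "3.5.3", "family": "Identification and Authentication",
     "requirement": "Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.",
     "status": "partially implemented",
     "implementation": "MFA enforced for VPN; not yet enforced for local administrator logons.",
     "owner": "IT lead", "due": "2020-09-30"},
    {"id": "3.3.1", "family": "Audit and Accountability",
     "requirement": "Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.",
     "status": "not implemented",
     "implementation": "Logs kept only on local hosts; no central collection or retention policy.",
     "owner": "Security lead", "due": "2020-07-15"},
    {"id": "3.13.11", "family": "System and Communications Protection",
     "requirement": "Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.",
     "status": "not implemented",
     "implementation": "Backup encryption uses a non-validated module.",
     "owner": "", "due": ""},
    {"id": "3.10.6", "family": "Physical Protection",
     "requirement": "Enforce safeguarding measures for CUI at alternate work sites.",
     "status": "not applicable",
     "implementation": "No alternate work sites; all CUI is handled at the single facility.",
     "owner": "", "due": ""},
]


def validate(records):
    """Return a list of assessor-style findings about the records themselves."""
    problems = []
    for r in records:
        if r["status"] not in VALID_STATUSES:
            problems.append(f'{r["id"]}: unknown status {r["status"]!r}')
        if r["status"] == "not applicable" and not r["implementation"].strip():
            problems.append(f'{r["id"]}: "not applicable" needs a written justification')
        if r["status"] in POAM_STATUSES and not (r["owner"] and r["due"]):
            problems.append(f'{r["id"]}: open finding needs an owner and a milestone date')
    return problems


def build_ssp(records):
    """One SSP row per requirement: what the control is and how it is met (or why it does not apply)."""
    return [{"id": r["id"], "family": r["family"], "requirement": r["requirement"],
             "status": r["status"], "implementation": r["implementation"]}
            for r in records]


def build_poam(records, today):
    """POA&M rows for every requirement not fully implemented, flagged when unscheduled or overdue."""
    rows = []
    for r in records:
        if r["status"] not in POAM_STATUSES:
            continue
        due = date.fromisoformat(r["due"]) if r["due"] else None
        state = "unscheduled" if due is None else ("overdue" if due < today else "open")
        rows.append({"id": r["id"], "weakness": r["requirement"],
                     "current_status": r["status"], "owner": r["owner"] or "unassigned",
                     "milestone_due": r["due"], "poam_state": state})
    return rows


def summarize(records):
    """Count of requirements per status, useful for the SSP cover summary."""
    counts = {s: 0 for s in sorted(VALID_STATUSES)}
    for r in records:
        counts[r["status"]] += 1
    return counts


def write_csv(path, rows):
    """Write rows as a spreadsheet-friendly CSV (the SSP and POA&M are usually kept in Excel)."""
    with open(path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0].keys()))
        writer.writeheader()
        writer.writerows(rows)


if __name__ == "__main__":
    assessment_date = date(2020, 8, 1)  # assumed date of the self-assessment
    for problem in validate(SAMPLE_ASSESSMENT):
        print("WARNING:", problem)
    write_csv("ssp.csv", build_ssp(SAMPLE_ASSESSMENT))
    write_csv("poam.csv", build_poam(SAMPLE_ASSESSMENT, assessment_date))
    print(summarize(SAMPLE_ASSESSMENT))
```

Running it with the sample records produces a five-row SSP, a three-row POA&M in which 3.3.1 is already overdue and 3.13.11 has no owner or date, and one validation warning for that unscheduled finding; in a real assessment the same structure simply grows to all 110 requirements.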


5 Tips: Preparing for a NIST Assessment

What should you do if there's a cyber incident affecting CUI or your ability to protect it?

Report it to the Department of Defense through the DIBNet portal at https://dibnet.dod.mil/portal/intranet. Under DFARS 252.204-7012 the report must be made rapidly, within 72 hours of discovering the incident, so have the portal credentials and the reporting procedure in place before you need them.

Identify any information that may have been lost or compromised as well as any computers, data, or accounts that may have been affected, and preserve images of the affected systems and relevant logs rather than wiping and rebuilding immediately; the same clause requires the contractor to preserve and protect that evidence for at least 90 days so DoD can review it.

A professional assessment can be an effective tool for achieving NIST 800-171 compliance and identifying any gaps that need to be addressed. A thorough assessment evaluates your current security state, shows where you successfully meet criteria, and highlights where changes need to be made. 

In preparation for an assessment, it’s important to have senior management involved and ready to work together. Preparation should include:

  1. Determining what key employees need to be involved. While not every employee will need to be involved in the assessment, most of your management team likely will. The requirements within NIST 800-171 affect policies, configuration, software, and hardware.
  2. Identifying your current security policies. Look at your current policies and see what you already have in place, where you’re lacking, and what could use improvement.
  3. Ensuring all employees understand the current policies. Do your employees know how to handle CUI, covered defense information (CDI, the DFARS term for CUI in DoD contracts), and any other sensitive information within your organization? Even if your employees have been presented with this information, they may need a refresher or have questions on some of the policies that you will need to clarify. This includes everyone from management to your IT department and administrative staff.
  4. Collecting materials to provide to the assessment team. Whether you are doing your assessment in-house or working with an outside company, you will need to compile all materials for the assessment team. These materials include policies, procedures, plans, designs, records, manuals, information system documentation, and legal requirements.
  5. Establishing time frames for completing assessments. Once you have everything you need ready to complete the assessment, you should put due dates on when each part of the assessment will be completed and then stick to them to ensure you’re on the track to compliance.

The Benefits of Professional Guidance

Because contractors had the ability to self-verify for NIST 800-171, it led many to believe that they could navigate the entire compliance process alone. However, due to the sensitivity of the information involved and the seriousness of a breach, it’s wise to work alongside a partner with expertise in NIST 800-171 compliance.

Achieving (and maintaining) NIST compliance is an exhaustive and ongoing process. An expert will be able to guide you through both the implementation of the standards and continued compliance. 

Implementing Compliance

  • Assessing your environment
  • Generating your initial SSP and POA&M
  • Designing required system and policy changes
  • Deploying required changes

Continuing Compliance

  • Using Security Information and Event Management (SIEM) to collect and review audit logs 
  • Updating the SSP and POA&M
  • Enforcing new policies
  • Assisting with system audits

The risk and repercussions associated with a cybersecurity attack are too severe to tackle NIST or CMMC compliance alone. And with authorized audits becoming a mandatory part of certification and a prerequisite for being awarded a contract, any gap or lapse could result in lost revenue. 

For the benefit of your business, and the country, it’s best to consult with an expert.
