Scoping NIST 800-171 - Use PCI DSS As A Guide

Managing NIST 800-171 Scoping 

If you are new to NIST 800-171, it is intended to help "non-federal entities" (e.g., contractors) to comply with new security requirements using the systems and practices that contractors already have in place, rather than trying to use government-specific approaches. It also provides a standardized and uniform set of requirements for all Controlled Unclassified Information (CUI) security needs, tailored to non-federal systems, allowing non-federal entities to comply and consistently implement safeguards for the protection of CUI. 

When it comes down to it, NIST 800-171 is designed to address common deficiencies in managing and protecting unclassified information, including inconsistent markings and inadequate safeguarding. That is not much different from what PCI DSS is intended to do for securing cardholder data.

Roadmap - Use PCI DSS Scoping Guidance  

When you look at NIST 800-171 compliance, it has some similarities to PCI DSS. If scoping is done poorly, the Cardholder Data Environment (CDE) can encompass a company's entire network, which means PCI DSS requirements apply uniformly throughout the entire organization. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is designed intelligently with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable. NIST 800-171 should be viewed in the same manner.

An interesting place to start thinking about minimizing scope for NIST 800-171 is the Open PCI DSS Scoping Toolkit, since it provides a clear methodology for categorizing systems according to how they affect the CDE: systems that handle cardholder data, systems that can connect to them, and systems that are isolated from them. The same logic can be applied to segmenting and protecting CUI within your network for NIST 800-171 compliance.

Key Assumptions For NIST 800-171 That Impact Scoping

NIST 800-171 states that contractors may limit the scope of the CUI security requirements to those particular systems or components that process, store, or transmit CUI. Isolating CUI into its own security domain by applying architectural design principles or concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach for nonfederal organizations to satisfy the requirements and protect the confidentiality of CUI. Security domains may employ physical separation, logical separation, or a combination of both.
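The scoping logic from the Open PCI DSS Scoping Toolkit mentioned above, carried over to CUI, can be written down as a small classifier. The following is an added example and not code from the original post or from the toolkit: it loosely follows the toolkit's three top-level categories (Category 1: handles the sensitive data or shares its segment; Category 2: can connect to or be reached from a Category 1 system; Category 3: isolated by a boundary device, out of scope) and runs it against a constructed inventory of hypothetical hosts, zones and firewall rules, once for a flat network and once for a segmented one.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str           # network segment / security domain the host sits in
    handles_cui: bool   # stores, processes or transmits CUI


@dataclass(frozen=True)
class Rule:
    src_zone: str       # "*" matches any zone
    dst_zone: str
    allow: bool


def connection_allowed(src_zone: str, dst_zone: str, rules: List[Rule]) -> bool:
    """Can a host in src_zone open a connection to a host in dst_zone?

    Hosts inside one zone share a segment with no boundary device between them,
    so intra-zone traffic is always allowed. Across zones the rule base is
    evaluated first-match-wins, with an implicit default deny at the end.
    """
    if src_zone == dst_zone:
        return True
    for rule in rules:
        if rule.src_zone in ("*", src_zone) and rule.dst_zone in ("*", dst_zone):
            return rule.allow
    return False


def classify(assets: List[Asset], rules: List[Rule]) -> Dict[str, int]:
    """Assign each asset a scoping category (1, 2 or 3)."""
    category: Dict[str, int] = {}
    # Category 1: handles CUI, or shares a segment with a system that does.
    cui_zones = {a.zone for a in assets if a.handles_cui}
    for asset in assets:
        if asset.handles_cui or asset.zone in cui_zones:
            category[asset.name] = 1
    cat1 = [a for a in assets if category.get(a.name) == 1]
    # Category 2: can talk to, or be reached from, any Category 1 system.
    # Category 3: isolated by a boundary device in both directions.
    for asset in assets:
        if asset.name in category:
            continue
        connected = any(
            connection_allowed(asset.zone, c.zone, rules)
            or connection_allowed(c.zone, asset.zone, rules)
            for c in cat1
        )
        category[asset.name] = 2 if connected else 3
    return category


def in_scope(category: Dict[str, int]) -> List[str]:
    """Category 1 and 2 systems must meet the NIST 800-171 requirements."""
    return sorted(name for name, cat in category.items() if cat in (1, 2))


# Constructed sample inventory (hypothetical hosts and zones, not from the page).
ASSETS = [
    Asset("cui-fileserver", "cui", True),
    Asset("jump-host", "mgmt", False),
    Asset("eng-workstation", "eng", False),
    Asset("hr-db", "corp", False),
    Asset("print-server", "corp", False),
]

# Flat network: zones exist on paper, but the only rule is "permit any any".
FLAT_RULES = [Rule("*", "*", True)]

# Segmented network: only the management jump host may reach the CUI enclave,
# and the enclave may not initiate connections outward.
SEGMENTED_RULES = [
    Rule("mgmt", "cui", True),
    Rule("*", "cui", False),
    Rule("cui", "*", False),
    Rule("*", "*", True),   # everything else in the business network stays open
]

if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        cats = classify(ASSETS, rules)
        print(f"{label}: {cats} -> in scope: {in_scope(cats)}")
```

With the flat rule base every host ends up in scope (all five are Category 1 or 2); with the segmented rule base only the file server and the jump host do. The point a practitioner should take from this is that the jump host is in scope even though it never holds CUI, because it can reach the enclave. In a real assessment the rule base fed to this kind of check must come from the actual firewall configuration and be corroborated with flow data, not from a network diagram.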

Considerations that impacted the development of CUI security requirements and the expectation of federal agencies in working with contractors include:

  • Contractors have IT infrastructures in place, and are not necessarily developing or acquiring information systems specifically for the purpose of processing, storing, or transmitting CUI;
  • Contractors have specific safeguarding measures in place to protect their information which may also be sufficient to satisfy the CUI security requirements;
  • Contractors can implement a variety of potential security solutions either directly or through the use of managed services, to satisfy CUI security requirements; and
  • Contractors may not have the necessary organizational structure or resources to satisfy every CUI security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a particular requirement.

Background on NIST 800-171 Controls

Appendix D of NIST 800-171 provides a direct mapping of CUI security requirements to the security controls in NIST 800-53 rev4 and ISO/IEC 27001:2013. This security control mapping information can be useful to organizations that wish to demonstrate compliance with the CUI security requirements in the context of their established information security programs, when such programs have been built around the NIST or ISO frameworks. NIST 800-53 has a direct mapping, whereas ISO 27001/27002 has gaps that would have to be filled with enhanced policies and standards.

NIST 800-171 Compliance Criteria (NCC)

If you are looking for help getting compliant with NIST 800-171, please check out our NIST 800-171 Compliance Criteria product, since it provides you with quality guidance on how to comply with each requirement. These are the same points you would get from paying $12k+ for a consultant to explain the requirements to you. Even better, the NCC works with our NIST-based Written Information Security Program (WISP), so you can jump-start your compliance program to quickly and inexpensively become compliant with NIST 800-171.
