Scoping NIST 800-171 - Use PCI DSS As A Guide

Posted by ComplianceForge on Dec 7th 2016

Managing NIST 800-171 Scoping 

If you are new to NIST 800-171, it is intended to help "non-federal entities" (e.g., contractors) comply with the CUI security requirements using the systems and practices they already have in place, rather than adopting government-specific approaches. It provides a standardized, uniform set of requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems, so that non-federal entities can implement safeguards for CUI consistently.

When it comes down to it, NIST 800-171 is designed to address common deficiencies in managing and protecting unclassified information, including inconsistent markings and inadequate safeguarding. That is not much different from what PCI DSS is intended to do for cardholder data.

Roadmap - Use PCI DSS Scoping Guidance  

When you look at NIST 800-171 compliance, it has clear similarities to PCI DSS. If scoping is done poorly, the Cardholder Data Environment (CDE) can encompass a company's entire network, which means the PCI DSS requirements apply uniformly across the whole organization. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. When the network is designed with security in mind, however, the CDE can be a small fraction of the company's network, which makes compliance far more achievable and affordable. NIST 800-171 should be viewed the same way: the fewer systems that store, process, or transmit CUI (or that can reach the systems that do), the fewer systems the requirements apply to.

A good place to start thinking about minimizing scope for NIST 800-171 is the Open PCI DSS Scoping Toolkit, which offers a solid methodology for categorizing system components by how they affect the CDE: components that handle cardholder data, components that connect to or protect them, and components that are fully isolated. The same logic can be applied to segmenting and protecting CUI within your network for NIST 800-171 compliance.

Key Assumptions For NIST 800-171 That Impact Scoping

NIST 800-171 states that nonfederal organizations may limit the scope of the CUI security requirements to those system components that process, store, or transmit CUI, or that provide security protection for such components. Isolating CUI into its own security domain by applying architectural design principles (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach for nonfederal organizations to satisfy the requirements and protect the confidentiality of CUI. Security domains may employ physical separation, logical separation, or a combination of both. Note the second clause: a domain controller, patch server, or log collector that protects the CUI enclave is in scope even though it never touches CUI itself, so scoping has to account for connectivity and security dependencies, not just where the data sits.
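As an added example (not ComplianceForge's code, and not the Open PCI DSS Scoping Toolkit's own text), the script below applies the toolkit's three-tier idea to a CUI enclave: hosts that handle CUI, or sit on the same unsegmented subnet as one, form the enclave; hosts that the firewall lets talk to the enclave, or that provide security services to it, are "connected-to" and still in scope; everything else is out of scope. The inventory, subnets, and firewall rules are constructed for the example, and the category names are a simplified adaptation. Running it with the segmented rule set and then with a flat "allow any" rule set shows the point made above: without a boundary device, nothing is out of scope.

```python
"""Scope classification for a CUI enclave (added illustration, not the page's code).

Simplified adaptation of the Open PCI DSS Scoping Toolkit's three tiers.
All hosts, subnets and firewall rules below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    handles_cui: bool = False          # stores, processes or transmits CUI
    security_impacting: bool = False   # protects the enclave (AD, patching, logging)


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR
    dst: str      # CIDR
    action: str   # "allow" or "deny"


def _contains(cidr: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def same_segment(a: Host, b: Host, segments) -> bool:
    """True when one defined subnet holds both hosts: no boundary device sits
    between them, so they are in the same security domain."""
    return any(_contains(s, a.ip) and _contains(s, b.ip) for s in segments)


def flow_allowed(src_ip: str, dst_ip: str, rules) -> bool:
    """First-match firewall semantics with an implicit deny at the end."""
    for r in rules:
        if _contains(r.src, src_ip) and _contains(r.dst, dst_ip):
            return r.action == "allow"
    return False


def classify(hosts, segments, rules):
    """Return sorted host names under cui_enclave / connected_to / out_of_scope."""
    enclave = [h for h in hosts if h.handles_cui]
    # Unsegmented neighbours of a CUI system inherit its scope.
    enclave += [h for h in hosts if h not in enclave
                and any(same_segment(h, c, segments) for c in enclave)]
    connected = []
    for h in hosts:
        if h in enclave:
            continue
        reaches = any(flow_allowed(h.ip, c.ip, rules) or flow_allowed(c.ip, h.ip, rules)
                      for c in enclave)
        if h.security_impacting or reaches:
            connected.append(h)
    out = [h for h in hosts if h not in enclave and h not in connected]
    return {
        "cui_enclave": sorted(h.name for h in enclave),
        "connected_to": sorted(h.name for h in connected),
        "out_of_scope": sorted(h.name for h in out),
    }


# Constructed sample environment: enclave, corporate and lab subnets.
SEGMENTS = ["10.10.0.0/24", "10.20.0.0/24", "10.30.0.0/24"]

HOSTS = [
    Host("cui-file-srv", "10.10.0.10", handles_cui=True),
    Host("cui-wks-01", "10.10.0.50"),                   # untagged, but same subnet
    Host("dc01", "10.20.0.5", security_impacting=True),  # authenticates the enclave
    Host("eng-jump", "10.20.0.77"),                     # has a firewall hole into the enclave
    Host("hr-wks-03", "10.20.0.33"),
    Host("lab-box", "10.30.0.9"),
]

SEGMENTED_RULES = [
    Rule("10.20.0.5/32", "10.10.0.0/24", "allow"),
    Rule("10.10.0.0/24", "10.20.0.5/32", "allow"),
    Rule("10.20.0.77/32", "10.10.0.0/24", "allow"),
    Rule("0.0.0.0/0", "0.0.0.0/0", "deny"),
]

FLAT_RULES = [Rule("0.0.0.0/0", "0.0.0.0/0", "allow")]   # no segmentation at all


if __name__ == "__main__":
    for label, rules in (("segmented", SEGMENTED_RULES), ("flat", FLAT_RULES)):
        print(label, classify(HOSTS, SEGMENTS, rules))
```

The first run leaves hr-wks-03 and lab-box out of scope; the flat run moves every non-enclave host into "connected_to", which is the whole-network scoping problem the PCI DSS comparison warns about. In a real assessment the segment list and rules would come from the firewall and switch configurations rather than being typed in.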

Considerations that shaped the development of the CUI security requirements, and the expectations of federal agencies working with contractors, include:

  • Contractors have IT infrastructures in place, and are not necessarily developing or acquiring information systems specifically for the purpose of processing, storing, or transmitting CUI;
  • Contractors have specific safeguarding measures in place to protect their information, which may also be sufficient to satisfy the CUI security requirements;
  • Contractors can implement a variety of potential security solutions either directly or through the use of managed services, to satisfy CUI security requirements; and
  • Contractors may not have the necessary organizational structure or resources to satisfy every CUI security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a particular requirement.
Background on NIST 800-171 Controls

Appendix D of NIST 800-171 provides a direct mapping of the CUI security requirements to the security controls in NIST 800-53 rev4 and ISO/IEC 27001:2013. This mapping is useful to organizations that wish to demonstrate compliance with the CUI security requirements in the context of an established information security program built around the NIST or ISO frameworks. NIST 800-53 maps directly, whereas ISO 27001/27002 has gaps that would have to be filled with enhanced policies and standards.

NIST 800-171 Compliance Criteria (NCC)

If you are looking for help getting compliant with NIST 800-171, please check out our NIST 800-171 Compliance Criteria product, since it provides quality guidance on how to comply with each requirement. These are the same points you would get from paying $12k+ for a consultant to explain the requirements to you. Even better, the NCC works with our NIST-based Written Information Security Program (WISP), so you can jump-start your compliance program and quickly and inexpensively become compliant with NIST 800-171.