NIST 800-171 Compliance - Where Do I Start?
ComplianceForge is here to help make NIST 800-171 compliance as easy and as affordable as possible. We specialize in compliance-related cybersecurity documentation and we are an industry leader in providing solutions to support NIST 800-171 compliance efforts. Over the last year, we've spent a considerable amount of time building material to help educate businesses on NIST 800-171.
This page is a consolidation of free resources to help you get educated on DFARS 252.204-7012 and NIST 800-171 compliance.
Understanding DFARS 252.204-7012 (NIST 800-171) compliance requirements
ComplianceForge was honored to write an article for Tripwire on NIST 800-171 compliance. You can read the article here; it is a good starting point for understanding how DFARS 252.204-7012, NIST 800-171 and NIST 800-53 relate to each other. It also covers the consequences of non-compliance for contractors that fail to meet the December 31, 2017 deadline.
Not Sure Where To Start With NIST 800-171 Compliance?
If you are not sure where to start, we put together a few short videos with guidance on how to get on the path to compliance with NIST 800-171. If you want to learn more about NIST 800-171 requirements, such as how to define Controlled Unclassified Information (CUI) and how to minimize the scope of your compliance effort, we recommend pouring yourself a cup of coffee and watching the following videos. If you have questions, please contact us, since NIST 800-171 is a topic we have a great deal of experience with.
NIST 800-171 Compliance Scoping Guide
When you look at NIST 800-171 compliance, it has some similarities to the Payment Card Industry Data Security Standard (PCI DSS).
The similarity is in scoping. Under PCI DSS, if scoping is done poorly, a company's entire network may be in scope as the Cardholder Data Environment (CDE), which means PCI DSS requirements apply uniformly throughout the entire company. In those scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable.
We feel that NIST 800-171 should be viewed in the very same manner. This guide is meant to help companies identify assets within scope for NIST 800-171 and potentially find ways to minimize scope through isolation or controlled access.
Click here for a FREE GUIDE
FAR vs DFARS - Picking Between ISO and NIST 800-53 Frameworks
NIST 800-171 isn't just for Department of Defense (DoD) contractors. Representatives from the National Institute of Standards and Technology (NIST) and DoD officials have recently been making this point in webinars and other training seminars on NIST 800-171. Because the NIST 800-171 security requirements are derived from the moderate baseline of NIST 800-53, only the NIST 800-53 framework is going to meet FAR requirements; ISO 27002 and the NIST Cybersecurity Framework are going to be insufficient in coverage.
This coming requirement for FAR cybersecurity compliance is described on page v of NIST 800-171, quoted below:
Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the Controlled Unclassified Information (CUI) Executive Agent designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program’s mission to establish uniform policies and practices across the federal government, NARA is issuing a final federal regulation in 2016 to establish the required controls and markings for CUI government-wide. This federal regulation, once enacted, will bind agencies throughout the executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program.
With regard to federal information systems, requirements in the federal regulation for protecting CUI at the moderate confidentiality impact level will be based on applicable policies established by OMB and applicable government-wide standards and guidelines issued by NIST. The regulation will not create these policies, standards, and guidelines which are already established by OMB and NIST. The regulation will, however, require adherence to the policies and use of the standards and guidelines in a consistent manner throughout the executive branch, thereby reducing current complexity for federal agencies and their nonfederal partners, including contractors.
In addition to defining safeguarding requirements for CUI within the federal government, NARA has taken steps to alleviate the potential impact of such requirements on nonfederal organizations by jointly developing with NIST, Special Publication 800-171 — and defining security requirements for protecting CUI in nonfederal systems and organizations. This approach will help nonfederal entities, including contractors, to comply with the security requirements using the systems and practices they already have in place, rather than trying to use government-specific approaches. It will also provide a standardized and uniform set of requirements for all CUI security needs, tailored to nonfederal systems, allowing nonfederal organizations to be in compliance with statutory and regulatory requirements, and to consistently implement safeguards for the protection of CUI.
Finally, NARA, in its capacity as the CUI Executive Agent, also plans to sponsor in 2017, a single Federal Acquisition Regulation (FAR) clause that will apply the requirements contained in the federal CUI regulation and Special Publication 800-171 to contractors. This will further promote standardization to benefit a substantial number of nonfederal organizations that are attempting to meet the current range and type of contract clauses, where differing requirements and conflicting guidance from federal agencies for the same information gives rise to confusion and inefficiencies. The CUI FAR clause will also address verification and compliance requirements for the security requirements in NIST Special Publication 800-171. Until the formal process of establishing such a FAR clause takes place, the requirements in NIST Special Publication 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements. If necessary, Special Publication 800-171 will be updated to remain consistent with the federal CUI regulation and the FAR clause.