This guide helps companies identify assets within scope of NIST 800-171
When you look at NIST 800-171 compliance, it has some useful similarities to the Payment Card Industry Data Security Standard (PCI DSS).
The similarity is in scoping. Under PCI DSS, if scoping is done poorly, a company's entire network may be in scope as the Cardholder Data Environment (CDE), which means PCI DSS requirements apply uniformly across the whole company. In that scenario, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently designed with security in mind (for example, by segmenting the systems that store, process or transmit cardholder data from the rest of the network), the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable.
We feel that NIST 800-171 should be viewed in the very same manner: the systems that store, process or transmit Controlled Unclassified Information (CUI) define the scope, and everything outside that boundary need not carry the full set of requirements. This guide is meant to help companies identify assets within scope for NIST 800-171 and find ways to minimize that scope through isolation or controlled access.
Not Sure Where To Start With NIST 800-171 Compliance?
If you are not sure where to start, we put together a few short videos with some helpful guidance on how to get on the path to compliance with NIST 800-171. If you want to learn more about NIST 800-171 requirements, such as how to define Controlled Unclassified Information (CUI) and how to minimize scope, we recommend pouring yourself a cup of coffee and watching the following videos. If you have questions, please contact us, since NIST 800-171 is a topic we have a great deal of experience with.
Tripwire's State of Security Blog
ComplianceForge was honored to have the chance to write an article for Tripwire on the topic of NIST 800-171 compliance. You can read the article here.