NIST 800-171 Compliance Criteria - Microsoft Excel Template


NIST 800-171 Rev 1 Compliance Criteria - Compliance Made Easy & Affordable!

We listened to our customers and created this product based on that demand. We had overwhelming requests from companies to help them become "NIST 800-171 compliant." Most have told us they do not know where to start, but they know this is a requirement they cannot avoid.

We put over 60 hours of work into developing this product. If you were to hire a consultant to provide the same guidance, you would be looking at around $12,000 in consulting fees; we are selling this product for less than 15% of that cost, which is equivalent to hiring a consultant for just a few hours of their time. This makes the NIST 800-171 Compliance Criteria an absolutely fantastic deal! Our staff can provide expert consulting services on NIST 800-171, but if you are just starting on the journey to comply with NIST 800-171, our NIST 800-171 Compliance Criteria (NCC) solution is most likely your most cost-effective and overall best option.

The format also allows you to perform a self-assessment to identify the areas where your program is weak and where you need to focus resources. The concept is simple:

  • The NCC goes through each NIST 800-171 requirement and maps it to the corresponding NIST 800-53 rev 4 controls.
  • Each of those NIST 800-53 controls is explained as to what reasonably-expected criteria would be to meet that control.
  • There are proposed methods to address the requirement (e.g., GPOs, policies & standards, SOPs and applicable technologies).
  • Additionally, the NCC provides applicable "best practice" guidance on what steps you need to take in order to comply.

That is exactly what you would expect from a dedicated consultant! This Excel-based spreadsheet provides you with an easy format to work with auditors to walk through all of the NIST 800-171 controls and allow you to demonstrate what you are doing or how controls may not be applicable to your business model. When it comes to getting ready for an audit, clear & concise documentation is half the battle!

Not sure what CUI is or if you have CUI on your network? Go to the US Government's authoritative source on the matter, the US Archives CUI Registry at https://www.archives.gov/cui/registry

  What Problem Does The NCC Solve?  

  • Lack of In-House Security Experience - Most prime contractors and subcontractors lack specialized expertise in NIST 800-171. Tasking your managers, IT personnel or security staff to research and write comprehensive documentation is not a wise use of their time. The NCC is an efficient way to obtain comprehensive guidance on NIST 800-171 compliance requirements.
  • Expense of External Consultants - Most small contractors cannot afford tens of thousands of dollars in consultant fees to help become compliant with NIST 800-171. The NCC is designed with affordable compliance in mind, since it focuses on clearly calling out reasonably-expected security requirements, as well as possible technology solutions, where applicable. 
  • Audit Failures - Without being able to demonstrate compliance with NIST 800-171, your organization will lose government contracts; it is as simple as that. The NCC is a tool that can jump-start your organization towards compliance with NIST 800-171 requirements.

 How Does the NCC Solve It?  

  • Clear Documentation - The NCC is a Microsoft Excel spreadsheet, so it is editable for your needs. It provides not only guidance, but a method to track compliance. This can be helpful when filtering requirements to focus on the areas that need help.
  • Time Savings - It took well over 60 hours of a cybersecurity professional's dedicated time to create the content in the NCC. The time savings are immense, as compared to writing it yourself!
  • Alignment With Leading Practices - The NCC is directly mapped to NIST 800-53 rev4 controls. In addition to the mapping, we provide guidance on the reasonable expectations an auditor would have for each control.

 

Example NIST 800-171 Rev 1 Compliance Criteria (NCC) Template

Don't take our word for it - take a look at the example NIST 800-171 Compliance Criteria (NCC) worksheet to see for yourself the level of professionalism and detail that went into it.


Useful Tool For NIST 800-171 Scoping 

The NCC is a fantastic tool to perform a requirement-by-requirement assessment of what is in scope and what is out of scope. If something is out of scope, you can easily mark the control as Not Applicable and provide justification for that decision in the notes column. From a walk-through perspective with an auditor, nothing beats doing a clear and concise walkthrough to set the stage for what the auditor is going to look at and what is out of scope!

NIST 800-171 states that contractors may limit the scope of the CUI security requirements to those systems or components that process, store, or transmit CUI, or that provide security protection for such components. Isolating CUI into its own security domain by applying architectural design principles or concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach for non-federal organizations to satisfy the requirements and protect the confidentiality of CUI. Security domains may employ physical separation, logical separation, or a combination of both.

When you look at NIST 800-171 compliance, it has some similarities to the Payment Card Industry Data Security Standard (PCI DSS). If scoping is done poorly, a company's Cardholder Data Environment (CDE) can encompass the enterprise's entire network, which means PCI DSS requirements would apply uniformly throughout the entire organization. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable. NIST 800-171 should be viewed in the very same manner.
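To make the scoping point concrete, the following is an added example (not part of the NCC spreadsheet, the free guide, or any NIST publication) that encodes the applicability rule this page quotes: requirements apply only to components that process, store or transmit CUI, or that provide security protection for those components. It walks a small asset inventory twice, once as a flat network and once with the CUI hosts moved into a firewalled enclave, and shows how the in-scope set shrinks. The asset names, zone names, roles and flows are constructed for illustration and are not taken from the page or from any real network.

```python
"""Scope calculation for a NIST 800-171 self-assessment.

Added example, not ComplianceForge's NCC spreadsheet or any NIST tool. The
inventory, zone names and permitted flows below are constructed (hypothetical).
"""
from collections import deque


def in_scope(assets, flows):
    """Return the set of asset names that fall within NIST 800-171 scope.

    assets: {name: {"zone": str, "handles_cui": bool, "role": str}} where role is
            "host", "boundary" (firewall/router separating zones) or
            "security_service" (directory, SIEM, patch server, ...).
    flows:  (src, dst) pairs the network policy permits, treated as undirected.
    """
    neighbours = {name: set() for name in assets}
    for src, dst in flows:
        neighbours[src].add(dst)
        neighbours[dst].add(src)

    # Seed: anything that stores, processes or transmits CUI.
    scope = {name for name, attrs in assets.items() if attrs["handles_cui"]}

    # Step 1: hosts in the same security domain as a CUI host, with a permitted
    # path to it, have no boundary protection between them and the CUI, so they
    # are pulled into scope. On a flat network this is how the whole enterprise
    # ends up in scope.
    queue = deque(scope)
    while queue:
        current = queue.popleft()
        for nb in neighbours[current]:
            if (nb not in scope
                    and assets[nb]["role"] == "host"
                    and assets[nb]["zone"] == assets[current]["zone"]):
                scope.add(nb)
                queue.append(nb)

    # Step 2: boundary devices and shared security services that touch an
    # in-scope component "provide security protection" for it and are therefore
    # in scope too. Hosts that merely talk to those services are not pulled in.
    changed = True
    while changed:
        changed = False
        for name, attrs in assets.items():
            if name in scope or attrs["role"] not in ("boundary", "security_service"):
                continue
            if neighbours[name] & scope:
                scope.add(name)
                changed = True
    return scope


def build_inventory(segmented):
    """Constructed inventory. segmented=False puts every host in one flat 'corp'
    zone; segmented=True moves the two CUI hosts into an 'enclave' zone behind
    the firewall, so non-CUI hosts can no longer reach them directly."""
    cui_zone = "enclave" if segmented else "corp"
    assets = {
        "cui-fileserver": {"zone": cui_zone, "handles_cui": True, "role": "host"},
        "eng-ws1": {"zone": cui_zone, "handles_cui": True, "role": "host"},
        "hr-ws": {"zone": "corp", "handles_cui": False, "role": "host"},
        "print-server": {"zone": "corp", "handles_cui": False, "role": "host"},
        "ad-dc": {"zone": "corp", "handles_cui": False, "role": "security_service"},
        "firewall": {"zone": "boundary", "handles_cui": False, "role": "boundary"},
    }
    flows = [
        ("eng-ws1", "cui-fileserver"),
        ("ad-dc", "cui-fileserver"), ("ad-dc", "eng-ws1"), ("ad-dc", "hr-ws"),
        ("hr-ws", "print-server"),
        ("firewall", "cui-fileserver"), ("firewall", "eng-ws1"), ("firewall", "hr-ws"),
    ]
    if not segmented:
        # Flat network: nothing stops the print server or the HR workstation
        # from reaching the CUI hosts, so CUI can legitimately flow to them.
        flows += [("print-server", "cui-fileserver"), ("hr-ws", "eng-ws1")]
    return assets, flows


def compare():
    """Run both scenarios; returns (flat_scope, segmented_scope)."""
    flat = in_scope(*build_inventory(segmented=False))
    enclave = in_scope(*build_inventory(segmented=True))
    return flat, enclave


if __name__ == "__main__":
    flat, enclave = compare()
    print("flat network, in scope:", sorted(flat))
    print("CUI enclave, in scope: ", sorted(enclave))
```

On the flat network all six assets end up in scope; with the enclave only the two CUI hosts, the firewall that bounds the enclave and the domain controller that authenticates them remain in scope. The domain controller stays in scope in both cases because it provides security protection for CUI components, which is the usual reason shared identity, logging and patching services cannot be declared Not Applicable even when they hold no CUI themselves.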


Click here for a FREE GUIDE 

We put together a guide to help companies scope their computing environment and identify what is in scope for NIST 800-171 and what falls outside of scope.

NIST 800-171 Scoping Considerations

As described above, NIST 800-171 scoping works much like PCI DSS scoping: poor scoping can drag the entire network into the assessment, while a network designed with isolation in mind keeps the assessed environment small. This guide is meant to help companies identify assets within scope for NIST 800-171 and find ways to minimize scope through isolation or controlled access.


 

Microsoft Excel Spreadsheet - NIST 800-171 "Consultant In A Box" Solution! 

If you can use Microsoft Excel, then you can use the NCC to understand your requirements for compliance with NIST 800-171. There is no magic to it - it is a fully-editable Excel spreadsheet that contains exactly what a consultant will tell you:

  • NIST 800-53 rev4 mapping to NIST 800-171 requirements.
  • Reasonably-expected criteria to address the NIST 800-53 control.
  • Applicable "best practice" guidance on what steps you need to take to be compliant.
  • Self-assessment options to track where you are compliant and what needs work.
  • Use it as a check-list when you walk through with your auditor.
  • Edit it for your needs to show controls that are not applicable to your business model.

 

 


US Federal agencies require NIST 800-171 compliance for protecting the confidentiality of Controlled Unclassified Information (CUI). The CUI requirements within NIST 800-171 are directly linked to NIST 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and nonfederal organizations (e.g., government contractors), as it applies to:

  • When CUI is resident in nonfederal information systems and organizations;
  • When the non-federal organization is not collecting or maintaining information on behalf of a federal agency, or using or operating an information system on behalf of an agency; and
  • Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry. The security requirements apply only to components of non-federal information systems that process, store, or transmit CUI, or that provide security protection for such components. 

The good news is that ComplianceForge can help you with your compliance needs! This ranges from understanding what your requirements are with the NIST 800-171 Compliance Criteria (NCC) all the way to providing you with appropriate cybersecurity policies and standards to meet this requirement, such as the NIST 800-53 Written Information Security Program (WISP).
