NIST 800-171 Compliance Made Easy
If you are new to NIST 800-171, it is intended to help "non-federal entities" (e.g., contractors) to comply with new security requirements using the systems and practices that contractors already have in place, rather than trying to use government-specific approaches. It also provides a standardized and uniform set of requirements for all Controlled Unclassified Information (CUI) security needs, tailored to non-federal systems, allowing non-federal entities to comply and consistently implement safeguards for the protection of CUI. When it comes down to it, NIST 800-171 rev 1 is designed to address common deficiencies in managing and protecting unclassified information to include inconsistent markings and inadequate safeguarding.
Not sure what CUI is or if you have CUI on your network? Go to the US Government's authoritative source on the matter, the US Archives CUI Registry at https://www.archives.gov/cui/registry.
Click here for a FREE GUIDE
We put together a guide to help companies scope their computing environment to help identify what is in scope for NIST 800-171 and was falls outside of scope.
NIST 800-171 Scoping Considerations
When you look at NIST 800-171 rev 1 compliance, it has some similarities to the Payment Card Industry Data Security Standard (PCI DSS).
From the perspective of PCI DSS, if scoping is done poorly, a company's entire network may be in-scope as the CDE, which means PCI DSS requirements would apply uniformly throughout the entire company. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently-designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable.
We feel that NIST 800-171 should be viewed in the very same manner. This guide is meant to help companies identify assets within scope for NIST 800-171 and potentially find ways to minimize scope through isolation or controlled access.
Key Assumptions For NIST 800-171 That Impact Scoping
NIST 800-171 states that contractors may limit the scope of the CUI security requirements to those particular systems or components. Isolating CUI into its own security domain by applying architectural design principles or concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach for non-federal organizations to satisfy the requirements and protect the confidentiality of CUI. Security domains may employ physical separation, logical separation, or a combination of both.
Background on NIST 800-171 Rev 1 Controls
Appendix D of NIST 800-171 provides a direct mapping of CUI security requirements to the security controls in NIST 800-53 rev4 and ISO/IEC 27001:2013. This security control mapping information can be useful to organizations that wish to demonstrate compliance to the CUI security requirements in the context of their established information security programs, when such programs have been
built around the NIST or ISO frameworks. NIST 800-53 has direct mapping, where ISO 27001/27002 has gaps that would have to be filled with enhanced policies and standards.
NIST 800-171 requires private companies to protect the confidentiality of Controlled Unclassified Information (CUI). The CUI requirements within NIST 800-171 are directly linked to NIST 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and non-federal organizations (e.g., government / DoD contractors), as it applies to:
- When CUI is resident in non-federal information systems and organizations;
- When the non-federal organization is not collecting or maintaining information on behalf of a federal agency or using or operating an information systems on behalf of an agency; and
- Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry. The security requirements apply only to components of non-federal information systems that process, store, or transmit CUI, or that provide security protection for such components.
The good news is that ComplianceForge can help you with your compliance needs! We have affordable solutions that range from the NIST 800-171 Compliance Criteria (NCC) all the way to providing you with comprehensive cybersecurity policies and standards, such as the NIST 800-53 Written Information Security Program (WISP).
NIST 800-171 Compliance Criteria - Compliance Made Easy & Affordable!
We listened to our customers and we created a product specific to NIST 800-171 compliance. We had an overwhelming request from companies to help them become "NIST 800-171 compliant." Most have told use they do not know where to start, but they just know that this is a requirement they cannot run from.
The concept is pretty simple - the NCC goes through each NIST 800-171 requirement and maps it to the corresponding NIST 800-53 rev 4 controls. Each of those NIST 800-53 controls is explained as to what reasonably-expected criteria would be to meet that control. Additionally, the NCC provides applicable "best practice" guidance on what steps you need to take in order to comply. That is exactly what you would expect from a dedicated consultant!
Example NIST 800-171 Compliance Criteria (NCC) Template
Don't take our word for it - take a look at the example NIST 800-171 Compliance Criteria (NCC) worksheet to see for yourself the level of professionalism and detail that went into it.
Microsoft Excel Spreadsheet - NIST 800-171 "Consultant In A Box" Solution!
If you can use Microsoft Excel, then you can use the NCC to understand your requirements for compliance with NIST 800-171. There is no magic to it - it is a fully-editable Excel spreadsheet that contains exactly what a consultant will tell you:
- NIST 800-53 rev4 mapping to NIST 800-171 requirements.
- Reasonably-expected criteria to address the NIST 800-53 control.
- Applicable "best practice" guidance on what steps you need to take to be compliant.
- Self-assessment options to track where you are compliant and what needs work.
NIST 800-171 Compliance Through A NIST 800-53 Rev4-Based Cybersecurity Program
US Federal agencies require NIST 800-171 compliance for protecting the confidentiality of Controlled Unclassified Information (CUI). The CUI requirements within NIST 800-171 are directly linked to NIST 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and nonfederal organizations (e.g., government contractors), as it applies to:
- When CUI is resident in nonfederal information systems and organizations;
- When information systems where CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
- Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry
The NIST 800-171 requirements apply to all components of non-federal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The good news is that ComplianceForge can help you with your compliance needs!
Controlled Unclassified Information (CUI) - Understanding NIST 800-53 rev 4 MODERATE Controls
Does your company need to comply with NIST 800-171 requirements for MODERATE baseline controls from NIST 800-53 rev4? The good news is our NIST 800-53 based Written Information Security Program (WISP) has the documentation you need to comply with MODERATE baseline controls.
The CUI requirements developed from the tailored FIPS Publication 200 security requirements and the NIST 800-53 moderate security control baseline represent a subset of the safeguarding measures necessary for a comprehensive information security program. The strength and quality of such programs in nonfederal organizations depend on the degree to which the organizations implement the security requirements and controls that are expected to be routinely satisfied without specification by the federal government. This includes implementing security policies,
The combination of the basic and derived security requirements captures the intent of FIPS Publication 200 and NIST 800-53, with respect to the protection of the confidentiality of CUI in nonfederal information systems and organizations. Appendix D provides informal mappings of the CUI security requirements to the relevant security controls in NIST 800-53 and ISO/IEC 27001. The mappings are included to promote a better understanding of the CUI security requirements and are not intended to impose additional requirements on nonfederal organizations.
For ease of use, the security requirements are organized into fourteen families. Each family contains the requirements related to the general security topic of the family. The families are closely aligned with the minimum security requirements for federal information and information
systems described in FIPS Publication 200. The contingency planning, system and services acquisition, and planning requirements are not included within the scope of this publication due to the aforementioned tailoring criteria.
Address NIST 800-171 Compliance With The NIST-based Written Information Security Program (WISP)
The NIST version of the Written Information Security Program (WISP) is a comprehensive set of IT security policies and standards that is based on the National Institute of Standards & Technology (NIST) 800-53 rev4 framework and it can help your organization become compliant with NIST 800-171 requirements
This NIST-based WISP is a comprehensive, customizable, easily-implemented Microsoft Word document that contains the NIST 800-53 rev4-based policies, control objectives, standards and guidelines that your company needs to establish a robust cybersecurity program. Being a Microsoft Word document, you have the ability to make edits to suit your company's specific needs.
NIST 800-53 is the de facto standard for cybersecurity requirements that is issued by the US government. Therefore, government agencies, defense contractors, telecom service providers, health care providers, financial companies or any organizations that contract with the government tend to adopt NIST-based best practices over all other frameworks, based on regulatory requirements.
You can see an example of the NIST 800-53 WISP here.
What Does NIST 800-171 Require?
NIST 800-171 describes fourteen (14) families of security requirements for protecting the confidentiality of CUI. The families are aligned with the minimum security requirements for federal information and information systems described in Federal Information Processing Standard (FIPS) 200, with exceptions for contingency planning, system, and services acquisition and planning requirements.
Appendix D of NIST 800-171 maps requirements to both NIST 800-53 rev4 and ISO 27002:2013 best practices. Only NIST 800-53 offers complete coverage for NIST 800-171 requirements.
Does Compliance with ISO 27001/27002 Equal Compliance with NIST 800-171?
No. Compliance with ISO 27001/27002 does not meet the requirements of Special Publication 800-171. In fact, NIST 800-171 (Appendix D) contains maps how the CUI security requirements of NIST 800-171 map to NIST 800-53 and ISO 27001/27002 security controls. This includes callouts where the ISO 27001/27002 frameworks do not fully satisfy the intent of NIST 800-171.