NIST stands for the National Institute of Standards and Technology. NIST 800-171 is a standard of procedures and controls that contractors and subcontractors must meet in order to work with the Department of Defense (DoD). NIST 800-171 was created to keep sensitive information secure and, specifically, to protect Controlled Unclassified Information (CUI). It applies to Non-Federal Information Systems and Organizations. NIST 800-171 is a way to meet cybersecurity needs while giving the Federal Government confidence that it can continue its business with those contractors. NIST 800-171 contains 110 controls in total.
What is Considered CUI?
Controlled Unclassified Information is information that is important to the United States of America but is not necessarily controlled or monitored by the government. This information needs controls that describe its required safekeeping. Those controls need to be "consistent with the applicable law, regulations and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act." Every agency is required to define its CUI categories and subcategories, make them available to the public, and explain why that information qualifies as CUI.
Becoming NIST 800-171 Compliant
Vendors had to become NIST compliant by December 31, 2017. Any vendor who wishes to deal with Controlled Unclassified Information, i.e. one that stores, transmits, and/or processes this information, must become compliant. Not being compliant can result in loss of contracts or loss of reputation for your company. The controls set out in 800-171 are security controls that demonstrate your company's reliability and security. NIST 800-171 has 14 sections, which together contain the 110 controls. These 14 sections are listed below:
1. Access Control – This looks at which employees are able to view key information.
2. Awareness + Training – This verifies that the employees who do have access are trained to handle the information.
3. Audit + Accountability – This keeps a record of who does and does not have access, so that access by those who should not have it can be identified.
4. Configuration Management – This shows how the security procedures are built and implemented.
5. Identification + Authentication – This shows how employees are verified before they can access CUI.
6. Incident Response – This outlines what to do in case of an attack or breach.
7. Maintenance – This shows when maintenance will be occurring.
8. Media Protection – This shows how electronic devices and other forms of media are stored safely and securely.
9. Physical Protection – This lists who is allowed physical access to the various types of storage.
10. Personnel Security – This explains the screening procedures used to decide who is allowed to view CUI.
11. Risk Assessment – This shows the risks associated with the controls and with the people viewing CUI.
12. Security Assessment – This provides information on how effective the security is and shows whether more or less is needed.
13. System + Communication Protection – This verifies that CUI is monitored with very close care at both internal and external boundaries.
14. System + Information Integrity – This shows how quickly any threats or attacks are detected and fixed.
Benefits of Being NIST 800-171 Compliant
There are several benefits of becoming NIST 800-171 compliant. First and foremost, it is required, so being compliant allows your company to continue to work with the DoD and other governmental agencies. It can also result in winning new Federal contracts. Being compliant means that your own company is more secure, which means less risk of being breached. This is an overall win-win situation.