NIST 800-171 Compliance
Recently there have been notable cyber-attacks on the Democratic National Committee, the U.S. Postal Service, the State Department, NOAA, and the White House. Strong security measures to protect sensitive government data from hackers have never been more critical. Entities with access to federal information, including state and local governments and government contractors, have a burden to secure it.
The Federal Government has, over many years, worked to standardize how different agencies handle sensitive information. It has recently published regulations regarding Controlled Unclassified Information (CUI) to address the identification, marking, handling, storage and destruction of all non-classified information that has safeguarding or dissemination controls. As a component of this effort, the National Institute of Standards and Technology (NIST) within the Department of Commerce has released a draft version of NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Although not mandatory at this time, contracts, memoranda of understanding, and other agreements may require adhering to the new guidelines. The Government is expected to issue a Federal Acquisition Regulation (FAR) clause that will require people working under contract to abide by NIST SP 800-171.
NIST SP 800-171 sets forth fourteen specific security objectives. These are:
- ACCESS CONTROL: Limit information system access to authorized users.
- AWARENESS AND TRAINING: Ensure that managers and users of organizational information systems are made aware of the security risks and ensure that personnel are adequately trained.
- AUDIT AND ACCOUNTABILITY: Create information system audit records to enable the reporting of unlawful, unauthorized, or inappropriate information system activity; and ensure that the actions of individual users can be traced to those users so that they can be held accountable for their actions.
- CONFIGURATION MANAGEMENT: Establish baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation); and establish security configuration settings for technology products.
- IDENTIFICATION AND AUTHENTICATION: Identify information system users and authenticate (or verify) the identities of those users as a prerequisite to allowing access.
- INCIDENT RESPONSE: Establish an operational incident-handling capability for organizational information systems; and track, document, and report incidents to appropriate authorities.
- MAINTENANCE: Perform periodic maintenance on organizational information systems; and provide effective controls on the tools and personnel used to conduct maintenance.
- MEDIA PROTECTION: Protect information system media containing CUI, both paper and digital; and limit access to CUI on information system media to authorized users.
- PHYSICAL PROTECTION: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- PERSONNEL SECURITY: Screen individuals prior to authorizing access to information systems containing CUI.
- RISK ASSESSMENT: Periodically assess the risk to organizational operations, assets, and individuals.
- SECURITY ASSESSMENT: Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; develop and implement plans of action designed to correct deficiencies.
- SYSTEM AND COMMUNICATIONS PROTECTION: Monitor, control, and protect organizational communications (i.e., information transmitted or received by information systems).
- SYSTEM AND INFORMATION INTEGRITY: Identify, report, and correct information and information system flaws in a timely manner; and provide protection from malicious code.
PKH Enterprises can help your organization comply with NIST SP 800-171 through our compliance analysis and program support. PKH Enterprises has been involved in the definition and implementation of CUI protocols and the technical controls that they entail. We would be happy to work with your team to make sure you are ready for these new rules.
Send us an email with questions, or subscribe to our mailing list for occasional updates.