NIST SP 800-171 is a set of standards established by the National Institute of Standards and Technology (NIST) that outlines practices non-federal organizations can use to protect controlled unclassified information (CUI). CUI is sensitive but unclassified information from the U.S. Federal government, and the requirements apply to non-federal organizations working with agencies such as the United States Department of Defense (DOD), the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA), as well as federal agency service providers, vendors and suppliers for federal agencies, and higher education institutions that receive federal grants.

NIST 800-171 is required for all non-federal agencies that process, store, or transmit CUI. In this NIST 800-171 compliance resource center, we’ll investigate the history of the framework, what it’s designed to do, and how you can integrate these standards into your cybersecurity plan.

5 Core Functions: Understanding NIST 800-171 Security

  1. IDENTIFY – Good security starts with identifying your vulnerabilities. This function outlines how your organization manages cyber risks related to people, assets, systems, data, and capabilities. By understanding your vulnerabilities, you can develop resources to protect critical functions and reduce the risk of a cyber event. Identifying all your assets and vulnerabilities is the first step in prioritizing and remediating risks.
  2. PROTECT – Once you’ve identified your vulnerabilities, you must enact a plan to protect them. This function helps you establish safeguards that will ensure you can deliver critical services and protect CUI. The goal is to limit the impact a cyber event could have on your organization and data.
  3. DETECT – Some cyber-attacks like ransomware can be obvious, but it can be difficult to notice other attacks like data theft or digital surveillance. This function helps define and implement the methods and practices that can help you identify when a cyber event happens so you can address a potential incident effectively with a timely response.
  4. RESPOND – This function relates to activities you should take once your team identifies a cybersecurity event and what you can do to contain it and limit its impact.
  5. RECOVER – Once the cybersecurity event is contained, this function ensures you have defined activities in place to restore the impacted services, including plans and procedures to quickly recover your operations to “normal.”

Benefits of NIST 800-171 Compliance

In addition to ensuring your ability to compete for federal contracts, there are several benefits of implementing NIST 800-171 controls, not just for CUI, but also for other important and sensitive data created, processed, transmitted, or stored by your organization.

Here are some key benefits of NIST 800-171 compliance:

  • Establish controls to protect and secure CUI and other important data
  • Identify gaps and weaknesses within your cybersecurity processes
  • Establish mature risk management practices
  • Monitor your alignment to NIST 800-171 compliance standards
  • Protect assets and data
  • Remediate weaknesses and other security issues
  • Improve your existing security processes
  • Mature and scale your cybersecurity practices
  • Implement access control and management for sensitive data
  • Decrease cyber risks
  • Decrease risk of data exfiltration
  • Implement industry-recognized security best practices
  • Decrease chance of reputational damage
  • Decrease chance of compliance or other regulatory fines and penalties
  • Gain a competitive edge for securing government contracts
  • Improve relationships/confidence with federal agencies
  • Demonstrate to your partners, clients, key stakeholders, and the public you’re committed to protecting sensitive data
  • Be prepared to effectively respond to cyber events

Steps to becoming NIST 800-171 Compliant

While there is no formal certification process for NIST 800-171, all non-federal organizations accessing CUI as part of their work with a federal agency must attest to NIST 800-171 compliance. NIST 800-171 groups its security requirements into 14 core requirement families. To show that you’re compliant with these standards, your organization should develop a System Security Plan (SSP) that outlines how you’re effectively meeting all the controls.

Here’s a quick look at what that SSP might look like:

  • Outline requirements and controls
  • Describe your operating environment related to each control
  • Demonstrate (with documentation) how you’ve successfully implemented those controls
  • Explain your testing procedures and results
  • Outline interconnectivity with other systems

In addition to your SSP, you can also create a Plan of Action and Milestones (POA&M) that outlines how you intend to address security requirements you have not yet implemented.

In your POA&M, don’t forget to also describe how you will mitigate risk in the interim until those action items are in place.

If you think NIST 800-171 might be right for your company, contact us at CBM for a consultation to see how we can help you implement a cybersecurity plan.