The National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is a cybersecurity framework to help organizations that aren’t part of the U.S. federal government protect their sensitive information. It’s intended to help would-be defense contractors implement information security controls that meet the government’s expectations.
Originally, defense contractors and their subcontractors were supposed to rely on NIST 800-171 to comply with protecting “controlled, unclassified information” (CUI) such as personal data or intellectual property that might be circulated as part of a government contract.
In practice, however, only a few businesses could achieve compliance with NIST 800-171. Subcontractors in particular found the compliance process confusing since many of them were small or medium-sized businesses with limited technology and cybersecurity budgets.
To increase compliance and improve security in the Defense Department supply chain, the government developed the Cybersecurity Maturity Model Certification (CMMC) to govern and certify compliance. CMMC is largely based on NIST 800-171, but drafts also include inputs from NIST Special Publication 800-53, National Aerospace Standard 9933, and CERT Resilience Management Model (CERT-RMM) version 1.2.
As of 2021, no accredited third-party assessment organizations exist to certify compliance with CMMC, which would establish compliance with NIST 800-171. (CMMC certifications are expected to be available by 2025.) Instead, contractors and subcontractors self-certify their compliance.
Your NIST 800-71/CMMC Audit Preparation Checklist
To help you prepare for your NIST 800-171 audit—which will be a CMMC audit—we’ve created this checklist of steps to take.
- Identify and confirm your compliance scope. Make necessary changes to system boundaries to avoid having your entire organization in scope for compliance.
- Gather or create your supporting documentation, including:
- System and network architecture
- System boundaries
- Data flow
- People, processes, and procedures
- Anticipated changes
- Perform a gap analysis
- Review and document existing controls
- Document control design flaws and control gaps
- Document a system security plan
- Develop a Plan of Action & Milestones (POA&M) for tracking purposes
- Develop your remediation plan
- Monitor, maintain, test, and improve controls
- Identify audit requirements (using the 14 requirements listed below)
- Gather your audit-trail evidence
What Are the NIST 800-171 Requirements?
NIST 800-171 Rev. 2 contains 14 audit requirements that your checklist should cover.
- Access control. This requirement addresses access controls for your organization’s IT environment: routers, firewalls, computers, servers, and all devices on the network. It considers how these are configured, as well as the quality of your security policies, role-based access controls, mandatory access controls versus discretionary ones, and privileged access controls.
- Awareness and training. These controls examine your organization’s internal training for security and privacy awareness.
- Audit and accountability. For this control category, you will need to collect and review the details of your organization’s audits and audit processing records.
- Configuration management. This portion reviews how your corporate networks and cybersecurity protocols are configured and managed on an ongoing basis. This also includes the documentation showing how those elements are configured.
- Identification and authentication. Which users are approved to access CUI? How are their identities authenticated before they can get access? NIST 800-171 states that all users, processes, and devices should be identified and authenticated.
- Incident response. NIST 800-171 requires organizations to have a response plan for a breach or attack, and that you test that plan to assure that it works.
- Maintenance. Regular, timely maintenance of your systems where CUI resides is critical. How often do you perform diagnostics and repairs? Does systems maintenance occur in a controlled environment? Who does this, and how often? How do they gain access? Documenting your maintenance plans, procedures, and practices will help you comply with NIST 800-171.
- Media protection. IT media includes servers, databases, backup tapes, memory cards, rotating fixed disks, hard drives, and solid-state drives. This requirement addresses how you protect such media from unauthorized viewing or use, as well as the maintenance, decommissioning, and destruction of it.
- Personnel security. What are your policies and procedures for vetting, monitoring, and terminating personnel to safeguard your organization’s systems and CUI?
- Physical protection. This requirement is designed to ensure that your organization’s buildings, rooms, and environment are secure.
- Risk assessment. What are your risk assessment and risk management policies and procedures? Have you categorized or classified your information by security level? (NIST has established standards for categorizing information and systems according to their risk level.) To whom are risk assessment reports provided, and how often? Do you use vulnerability scans to identify risks to your applications, servers, and network? How do you deal with vulnerabilities?
- Security assessment. NIST 800-171 requires that you periodically assess your security controls, that you monitor them, and that you correct deficiencies.
- System and communications protection. You should have policies and procedures for monitoring, controlling, and protecting internal and external communications containing CUI.
- System and information integrity. This requirement covers basic cybersecurity practices for quick detection, identification, reporting, and mitigation of security risks and potential threats.
Why Comply With NIST 800-171 Requirements?
Compliance with this NIST standard is required for entities doing business with the U.S. Department of Defense (DoD). The framework itself lays out a compelling case for why:
“Many federal contractors process, store, and transmit sensitive federal information to support the delivery of essential products and services to federal agencies (e.g., providing financial services; providing web and electronic mail services; processing security clearances or healthcare data; providing cloud services; and developing communications, satellite, and weapons systems).
“Federal information is frequently provided to, or shared with, entities such as state and local governments, colleges and universities, and independent research organizations. The protection of sensitive federal information … is of paramount importance to federal agencies, and can directly impact the ability of the federal government to carry out its designated missions and business operations.”
Moreover, while NIST 800-171 was first created to provide cybersecurity assurance over defense contractors, NIST itself recommends that all U.S. government agencies require NIST 800-171 compliance in their contracts. So any organization bidding on any U.S. government contract would do well to strive for NIST 800-171 compliance.
NIST Special Publication 800-171’s recommended security controls should be implemented, the NIST website states, under these circumstances:
- When a nonfederal system or organization possesses controlled unclassified information (CUI);
- When the organization is not collecting or maintaining CUI or operating federal information systems on behalf of an agency; and
- When requirements don’t exist for protecting the CUI in the U.S. government’s CUI Registry.
In other words, NIST 800-171 compliance is a wise idea for just about every business that might intersect with the U.S. government.
The Easy Way to NIST Compliance
NIST 800-171 compliance isn’t simple. If your organization needs help, there’s a solution for that. ZenGRC’s automated tools check your controls, find gaps, and show on color-coded dashboards what you need to do to reach compliance.
Our software-as-a-service also integrates with more than a dozen popular business applications to make GRC easier and to document your audit trail, saving evidence in a “single source of truth” repository so it’s handy at audit time. And with your NIST 800-171 compliance assured, you can then turn your attention to other tasks—such as keeping your enterprise and data safe and secure.
Worry-free NIST 800-171 compliance is the Zen way. Contact us today to arrange your free consultation.