Introduction to NIST 800-171
The National Institute of Standards and Technology (NIST), a unit of the Commerce Department has come up with a set of documents to describe the United States federal government computer security policies and guidelines. This set of documents forms the NIST 800 series which is used as a guideline for enforcement of security measures and legal references involving security issues. Controlled Unclassified Information (CUI) is information that does not fall into the classified category but is still sensitive and important to be protected. The new NIST Compliance 800-171 guideline is directed towards the contractors who have access to such type of CUI. The NIST requires that all the people who have access to CUI meet the requirements of 800-171 and it will be made mandatory as of December 2017.
The NIST compliance 800-171 covers the Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), and the Covered Defense Information (CDI) categories.
Who Falls Under the Purview of NIST Compliance 800-171?
All the nonfederal organizations that store, process, or transmit the CUI, CTI, and the CDI like the contractors in the manufacturing industry who are entrusted with the handling of this information are covered in the NIST Compliance 800-171. This guidance will cover the manufacturers with direct federal contracts or those subcontractors and vendors who supply products and services to federal agencies.
The 14 Security Objectives Listed Under NIST Compliance 800-171
The NIST Compliance 800-171 outlines 14 families of security requirements with 109 individual controls.
- Access Control: Limitations to system access by users
- Awareness and Training: Employees made aware of the security risks involved
- Audit and accountability: Creation and review of system security
- Configuration Management: Creation of adoptable management resources
- Identification and authentication: Security measures were undertaken
- Incident Response: Detection and response to security breaches
- Maintenance: System maintenance for security purposes
- Media protection: Sanitization of media containing the information
- Personnel Security: Individual scanning before access
- Physical Protection: Limiting access to authorized individuals
- Risk Assessment: assessing the risk involved in data handling
- Security Assessment: Seeing that adequate security measures are in place
- System and Information Security: Checking for flaws and their correction in system and security
Measures to Be Taken by Organizations to be NIST 800-171 Compliant
The organizations need to fill in the gap between the security measures currently adopted and that which will be required to make the data information fit for the 14 NIST domains. So the entire frame needs to be realigned and necessary audits should be performed to validate the NIST compliance.
Impact If Organizations Are Not NIST Compliance 800-171 Compliant
The organization is at the risk of losing business with the government. Though this regulation will not be used as an evaluation factor in the selection process, it is up to the government to decide on specific solicitation.
Simply put, it would be in the best interests of the organization to comply with the NIST Compliance 800-171 regulations by implementing adequate security measures for DLP so that there is no place for complacency for information and data breaches.