From Compliance to Confidence – Trust NIST SP 800-171 Rev. 3.

  • Writer: Bhola Suryavanshi
  • Jan 26
  • 2 min read

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

NIST SP 800-171 outlines the minimum security requirements for protecting Controlled Unclassified Information (CUI) handled by non-federal organizations on their networks. NIST is a US government body that has published numerous standards and documents to improve cybersecurity in the public and private sectors. NIST SP 800-171 was first published in June 2015 and has been updated since then to take new technologies and advancing cyber threats into account. The most recent version was released in February 2020.

What is NIST SP 800-171?

All organizations that handle sensitive but unclassified information on behalf of the US federal government are expected to comply with the requirements set forth in NIST SP 800-171. Such organizations include Department of Defense contractors, US-based universities and research institutes working under federally funded grants, and any other organization providing services to the US government.

NIST SP 800-171 requires US federal contractors to implement procedures and controls on the IT devices used for their federal contracts in order to minimize the risk of breaches. When government contractors cooperate on best-practice security processes, the integrity of the entire federal supply chain ecosystem is strengthened. NIST SP 800-171 focuses specifically and directly on Controlled Unclassified Information (CUI) and aims to ensure that sensitive government information stored on a contractor’s network is thoroughly protected.


Organizations required to comply with NIST SP 800-171 are under contract to perform activities involving controlled unclassified information on their networks, and they are encouraged to perform regular internal audits. Understanding the requirements well enough to evaluate them is therefore important. In this guide, we define what NIST SP 800-171 is, what it contains, and how an organization can comply with it.

NIST SP 800-171 Purpose


Controlled Unclassified Information (CUI) is information controlled by the government that is sensitive but not classified; both government agencies and business organizations therefore handle varying kinds of such sensitive data. It can include patents, technical data, or information about goods and services. The responsible agencies provide definitions of CUI along with recommended categories.

A breach of such sensitive, unclassified data can still have negative repercussions for the economy and for the country’s security organizations, which is why CUI is treated as a priority alongside classified information. Failure to comply with the requirements stipulated in NIST SP 800-171 can result in loss of contracts, lawsuits, and penalties.

The cybersecurity requirements specified in NIST SP 800-171 are designed to protect controlled unclassified information (CUI) within the IT networks of government contractors and subcontractors. The document describes the best practices and procedures these contractors must follow when their networks process or store CUI.

SP 800-171 consists of 110 requirements covering IT technology, policy, and practices. These requirements address areas such as access control, system configuration, and authentication procedures, as well as incident response plans. Each requirement focuses on mitigating cybersecurity vulnerabilities and adopting security controls (administrative, physical, and technical) to address overall risk.

