What is NIST 800-171?
Your organization can’t afford to lose valuable government contracts. Protect your business by bolstering your organization’s ability to comply with NIST 800-171.
Government contracts are highly lucrative, but also tough to secure and manage. That’s because the Federal Government deals with a lot of classified and controlled information on a day-to-day basis. Any contractors or subcontractors who wish to work with the Federal government must, therefore, have security procedures in place to protect that sensitive information.
National Institute of Standards and Technology (NIST) 800-171 is a mandate that states that federal contractors and subcontractors that handle, transmit, or store controlled unclassified information (CUI) must comply with certain standards to protect that data.
Compliance with NIST 800-171 is required under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.
What is Controlled Unclassified Information (CUI)?
CUI is information created or owned by the government that is unclassified, but still very sensitive. As such, it is required that this information be safeguarded from unauthorized exposure. CUI may be in the form of electronic files, emails (or email attachments), blueprints, and more.
The CUI designation was established via an Executive Order in 2010, formalizing the way in which this information is managed and regulated. The National Archives and Records Administration (NARA) operates a CUI Registry with organizational index groupings and CUI categories, outlining all the different types of information that fall under the CUI designation.
What’s Included in NIST 800-171?
In total, NIST 800-171 lists more than 100 different security requirements within 14 control categories:
Access Control: Requirements related to who has access to business computers and networks, and what types of information different roles are able to access.
Awareness and Training: Relates to an organization’s ability to understand and identify security threats.
Audit and Accountability: Requires that an organization set up user accounts and a structure that restricts access to auditing systems and functions to administrators and IT personnel only.
Configuration Management: Limits a user’s ability to update security settings or install unapproved software on computers that access an organization’s network.
Identification and Authentication: These controls regulate password requirements and multifactor authentication systems.
Incident Response: Requires an organization to design a set of procedures for handling systems issues, and train personnel to report security incidents to administrators and managers.
Maintenance: Requirements related to removing sensitive data from equipment that needs to be sent out for repair, and ensuring removable media is scanned for malicious software.
Media Protection: This set of controls regulates how an organization marks CUI, transfers CUI on/off removable media, and encrypts CUI on removable media.
Personnel Security: Controls regarding disabling and deleting user accounts after employees are terminated or transferred.
Physical Protection: Outlines the proper use of surveillance and security measures to monitor physical facilities.
Risk Assessment: Requires organizations to perform routine risk assessments and update procedures accordingly.
Security Assessment: Requires organizations to perform routine reviews of security measures and create a plan to track vulnerabilities.
System and Communications Protection: Outlines the required use of encryption tools and requirements for segmenting system networks into separate portions.
System and Information Integrity: Controls related to an organization’s ability to monitor systems and identify threats.
Read the complete article at https://a-lign.com/what-is-nist-800-171/