NIST SP 800-171

What is NIST SP 800-171?

NIST SP 800-171 refers to the National Institute of Standards and Technology, and specifically its Special Publication 800-171.  It has had multiple revisions over the years, and came as a surprise to small and mid-size businesses everywhere.  The goal of NIST SP 800-171 is the protection of Controlled Unclassified Information (CUI): sensitive data that is not part of the federal information systems, but carries similar requirements for how it is handled.  As of December 31st 2017, any entity doing business with the DOD, GSA, NASA, and more, must comply with the standards set forth by NIST SP 800-171.

As of now, for many companies, NIST SP 800-171 is handled as a self-assessment/self-attestation.  However, when bidding on contracts, especially as a prime, your SSP and PoAM may be required.  In other circumstances, the DOD may conduct an on-site assessment of the contractor's internal information systems.  Depending on the requirements of the contract, you may also be required to identify your Tier 1 suppliers and their plans for handling CUI data.  Once you submit your SSP and PoAM, they become part of your contractual obligation.  Failure to comply could constitute a breach, and may put the awarded contract at risk of being pulled.

The bulk of NIST SP 800-171 references NIST SP 800-53, a significantly larger publication that was first released in February 2005 and has grown to its upcoming 5th revision.

NUDG and NIST 800-171

The requirements of NIST SP 800-171 are slightly different from those of CMMC.

NIST SP 800-171 requires the following to be compliant:

GAP Assessment (Initial status of your security posture)
PoAM (Plan of Action and Milestones)
SSP (System Security Plan)
Only NIST related identifiers will have GAP questions.  

You can tackle NIST in any order you want; however, we HIGHLY recommend starting with your GAP Assessment.  You can either do it within each identifier it applies to, or use the full GAP Assessment form (easiest).  A completed GAP Assessment makes a solid reference for where you may want to begin creating weaknesses, and subsequently the controls and procedures to remediate them.

The major difference between NIST and CMMC is that NIST does not require full implementation to be compliant, as long as deviations/weaknesses are documented.  NIST also requires a subset of NFOs that are not as widely circulated as of yet, but are specifically called for in NIST SP 800-171 Appendix E (referenced at the bottom of this article).  CMMC, on the other hand, does not require weaknesses (PoAM) or a GAP Assessment.  NIST SP 800-171's reference material is light, so we took the time to add reference material from NIST SP 800-53 and other official documentation to the guidelines, to help clarify what the requirements are asking for.

In the NIST CUI section, note that the NIST mapping below is not in order with regard to our identifiers.  This is because our system is built around CMMC's order.  By using the NIST-specific section, rather than the Family Policies section, you are better able to target NIST exclusively.

The same applies to the NFO section.  You'll see that CMMC does not have any mapping to NFOs, as they are not called for, so we labeled them by their families for reference.  NFOs are all mapped to Appendix E of NIST SP 800-171 (referenced at the end of this article).

NIST NFOs (Non-Federal Organization controls) come directly from NIST SP 800-53, but are called for in the requirements of NIST SP 800-171.  They tend to be broad in nature, as they often apply to an entire family.  We highly recommend handling the NFOs last, as many of them will already be satisfied once the NIST CUI requirements are complete.


NIST SP 800-171 Appendix E:

It is up for debate whether or not NFOs will be audited along with everything else.  However, since they are specifically called for in NIST SP 800-171, we highly recommend implementing them and including them in your System Security Plan.

Furthermore, you'll note that we have pre-populated some Controls in specific NFOs, as the first standard is met simply by having NUDG.  To complete these identifiers, all that's left is creating a Control that sets the recurring event for when you will review the (for example) Access Control Family:
