What Exactly Is NIST 800-171?

Does your organization deal with the federal government? If so, the National Institute of Standards and Technology has this important message for you.

What Exactly Is NIST 800-171?

Does your organization deal with the federal government? If so, the National Institute of Standards and Technology has this important message for you.

In today’s highly regulated business world, you’re probably already familiar with a couple of regulatory standards. And this is especially true if your organization is under contract with a Federal agency.

With years of experience in delivering reliable IT services, Outsource IT Solutions realizes the significance of your data record handling practices to maintaining the trust of vendors, partners, contractors, and clients.

NIST 800-171, also known as NIST SP 800-171, is a vital security standard even if your business isn’t a federal contractor or subcontractor. Interested in learning everything you need to know about this important standard? Let’s start with some key definitions.

Watch our short video presentation to get started:

What Is Controlled Unclassified Information (CUI)?

Before we start discussing NIST 800-171, we need first to define what Controlled Unclassified Information means. In a nutshell, CUI is data that isn’t classified under federal law but is still considered sensitive and of interest to the United States. This doesn’t include a list of special ops currently operating behind enemy lines. Instead, the information covered mostly includes data covered by SOX or HIPAA, for example.

Every agency is responsible for communicating to the National Archives and Records Administration (the executive agent in charge of developing and enforcing standards for unclassified data) exactly what information it considers CUI. Not only does each agency need to create a public registry of the data types that comprise CUI, but they also have to outline clear reasons.

The “financial” category, for instance, includes subcategories involving the roles of financial institutions and United States fiscal functions, such as:

  • Mergers.
  • Contractors.
  • Electronic fund transfers.

What Is NIST 800-171? In full, NIST 800-171 is the National Institute of Standards and Technology Special Publication 800-171 and governs CUI in non-federal information systems and organizations. NIST 800-171 is designed to safeguard and distribute data that is still considered sensitive despite not being classified.

Following several data breaches, the government passed FISMA to bolster cybersecurity regulations. Quickly afterward, NIST followed with NIST 800-53 and finally NIST 800-171.

Do You Need to Comply With NIST 800-171? In simple terms, if your business processes, transmits, or stores CUI for a state or federal agency, then you need to comply with the NIST 800-171 standards. However, achieving NIST 800-171 compliance could become a tedious, painstaking process and take roughly 6-8 months.

In case you aren’t absolutely sure if you need to worry about NIST 800-171 standards, here’s a list of organizations that need to achieve compliance:

  • Contractors for the Department of Defense (DoD).
  • Contractors for the National Aeronautics and Space Administration (NASA).
  • Contractors for General Services Administration (GSA).
  • Consulting companies with federal contracts.
  • Universities and research institutions supported by federal grants.
  • Manufacturers and service providers that supply goods and services to federal agencies.

What Are the NIST 800-171 Requirements?

  1. Access Control: Who’s authorized to view this data?
  2. Awareness and Training: Are your employees trained on how to handle CUI properly?
  3. Audit and Accountability: Do you record access to CUI?
  4. Configuration Management: Do you adhere to RMF guidelines to manage change and ensure secure configurations?
  5. Identification and Authentication: Do you audit and manage access to CUI?
  6. Incident Response: What are your processes in the event of a breach?
  7. Maintenance: Who is responsible for maintenance, and what are your standard timelines?
  8. Media Protection: How are digital and physical records stored?
  9. Physical Protection: Who can access your CUI’s physical location?
  10. Personnel Security: How do you screen staff before granting access?
  11. Risk Assessment: Have you performed a Risk Assessment?
  12. Security Assessment: Do you have to strengthen existing security procedures?
  13. Systems and Communications Protection: Are your communication channels secure?
  14. System and Information Integrity: How quickly do you identify and address new system vulnerabilities?

Looking For the Most Reliable NIST 800-171 Compliance Support in Chicago?

Our experienced IT professionals at Outsource IT Solutions are here to help you achieve NIST 800-171 compliance.

Contact us now to get started!