Summit 7 Team Blogs

Part 2: A Detailed Review of NIST SP 800-171

Is the Department of Defense a customer of yours? Do you know how NIST 800-171 will impact your business? If your DoD contract requires DFARS 7012 and NIST 800-171 compliance, this primer will help you identify the requirements needed for success. This overview of NIST 800-171 is the second in our blog series addressing how DFARS impacts the bottom line for Defense Contractors.

This primer explains the requirements, by control family, to help businesses identify what is needed for handling Controlled Unclassified Information (CUI) content in their IT systems.

What is NIST?

The National Institute of Standards and Technology is the United States agency tasked to advance measurement science, standards and technology in ways that enhance economic security and improve quality of life. The Federal Information Security Modernization Act (FISMA) established NIST as the agency responsible for developing information security standards and guidelines for federal information systems. NIST published Special Publication 800-171, titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”, or NIST 800-171 for short. At publication of this blog, DFARS 7012 is scheduled to require NIST 800-171 compliance by December 31, 2017.

NIST 800-171 is a guideline for non-federal organizations that must securely process CUI content, within internal and external information systems, in support of federal activities. NIST based 800-171 on 800-53 but removed controls, or parts of controls, that were uniquely federal or not expected of nonfederal organizations. However, don’t let this fool you into thinking that compliance is easy.

Good News and Bad News

Since many federal contracts will soon require NIST 800-171 compliance, successful preparation for compliance is essential for businesses providing services to the DoD. NIST 800-171 is a paradigm shift, and federal contractors should conduct an assessment of how their organizational IT services satisfy the requirements. Here is the bad news. NIST 800-171 contains extensive controls and requirements which are challenging and expensive to implement.

Don’t give up hope, because there is good news. It is possible to implement security solutions that satisfy NIST 800-171 by using Cloud Solution Providers (CSP) and managed services. Improving security with a CSP like Microsoft and leveraging their Office 365 (O365) collaboration stack may affordably meet your organizational requirements. Alternative, but equally effective, security measures may compensate for the inability to satisfy a particular requirement within NIST 800-171. NIST 800-53 provides recognized alternative security standards as organizations plan for NIST 800-171 compliance.

Preparing for NIST 800-171 Compliance Audits

DoD contractors know with certainty that under DFARS 1) compliance is mandatory and 2) audits will follow. Therefore, effective planning for audits is essential, because a failure may result in costly contract terminations.

Audits of any kind have the potential for varying interpretations by different auditors. Therefore, planning for an audit during implementation is critical. The truth is that third-party audits are easy if the implementation team knows the requirements and is properly prepared. Beware: the use of alternate standards for NIST 800-171 compliance may reduce costs, but it will increase the risk of auditor interpretation challenges.

Compliance with NIST 800-171 is particularly challenging for small businesses. Therefore, I compiled this information as a primer to help businesses understand and plan for NIST 800-171 compliance requirements, assess costs, identify alternatives and prepare for audits.

NIST 800-171 Requirements and Control Families

NIST 800-171 is a comprehensive set of requirements, and there is a lot to know. NIST 800-171 contains 28 basic security requirements and 81 derived security requirements. That’s a total of 109 requirements across the entire scope of NIST SP 800-171!

We can make this easier. First, we divide these 109 requirements into 14 control families to create a manageable set. Many of these controls, both technical and procedural, can be handled by your Cloud Service Provider if you are moving into a Cloud environment. This primer will help organizations assess the costly requirements and determine if a CSP is an effective alternative method for NIST 800-171 compliance.

Control Family 1: Access Control

The Access Control family is one of the largest control families in NIST 800-171. In general, this control family specifies controls around limiting system access to authorized users and making sure that those authorized users are only able to perform specified actions based on company policies. All requirements in the NIST 800-171 Access Control family trace to NIST 800-53, and most require both a procedural control and a technical control to implement the procedure.

Basic Requirements: 2

Derived Requirements: 20

Procedural Controls: Yes

Technical Controls: Yes

Control Family 2: Awareness and Training

Ensuring that managers, administrators and end users receive proper security awareness training, on both usage of the information system and insider threats, is essential to satisfying the NIST 800-171 Awareness and Training requirements. All three of the requirements map specifically to the Awareness and Training (AT) family in NIST 800-53 and are handled with procedural controls. They do not require a technical control; however, a control enhancement might be implementation of a learning management system to maintain electronic training records.

Basic Requirements: 2

Derived Requirements: 1

Procedural Controls: Yes

Technical Controls: No

Control Family 3: Audit and Accountability

NIST 800-171 Audit and Accountability requirements focus specifically on ensuring that an organization’s audit generation and reporting capabilities sufficiently support the security monitoring and management needed for a secure environment. These requirements map directly to NIST 800-53. Most of these controls require both a procedural and a technical implementation.

Basic Requirements: 2

Derived Requirements: 7

Procedural Controls: Yes

Technical Controls: No

Control Family 4: Configuration Management

Configuration Management requirements for NIST 800-171 focus on ensuring organizations have formalized change control and technical controls that ensure processes are appropriately followed across the entire IT enterprise. Remember, the entire enterprise includes servers, services and client systems. This extensive set of requirements may require the creation of governance processes or significant modifications to existing ones. All requirements map directly to the Configuration Management (CM) family in NIST 800-53 and include procedural and technical controls.

Basic Requirements: 2

Derived Requirements: 7

Procedural Controls: Yes

Technical Controls: Yes

Control Family 5: Identification and Authentication

Pay special attention to the Identification and Authentication requirements, which ensure that systems properly identify users and processes acting within an IT environment. Multi-factor Authentication in NIST 800-171 is one of the primary requirements in this control family, and it is a big deal! These requirements map directly to the Identification and Authentication (IA) family in 800-53 and, like some of the previous categories, this family requires both procedural and technical controls across almost all requirements.

Basic Requirements: 2

Derived Requirements: 9

Procedural Controls: Yes

Technical Controls: Yes

Control Family 6: Incident Response

Don’t be fooled. The Incident Response family only has three requirements; however, the implementation effort is significant. NIST 800-171 Incident Response (IR) requirements map to the NIST 800-53 Incident Response (IR) requirements and ensure that processes exist to respond to operational incidents and report to the government. Testing is the key to success for the third requirement once processes and controls are implemented. I can’t stress this enough: test, test, test!

Basic Requirements: 2

Derived Requirements: 1

Procedural Controls: Yes

Technical Controls: Yes

Control Family 7: Maintenance

Implementations with Cloud Service Providers have fewer maintenance requirements for NIST 800-171 compliance, because the CSP provides the hardware maintenance and disposal. However, there is a requirement that speaks directly to Multi-factor Authentication for remote maintenance sessions, which can be tricky. This family maps directly to the Maintenance (MA) family in NIST 800-53.

Basic Requirements: 2

Derived Requirements: 4

Procedural Controls: Yes

Technical Controls: Yes

Control Family 8: Media Protection

Worried about moving to a CSP? The NIST 800-171 Media Protection (MP) requirements may provide the cost justification needed to make the switch from on-premises to a CSP. Media protection controls are derived from the NIST 800-53 MP and Contingency Planning (CP) families. The requirements focus on the protection of CUI content in both paper and digital media. Both policy and technical controls are required. Organizations using a CSP may find many of these controls included as a component of standard datacenter services.

Basic Requirements: 3

Derived Requirements: 6

Procedural Controls: Yes

Technical Controls: Yes

Control Family 9: Personnel Security

NIST 800-171 Personnel Security (PS) requirements are primarily handled via procedural controls outside the purview of an IT system. However, there are components that require user access to be properly revoked upon termination or transfer. This is the smallest family within NIST 800-171 and relates directly to the Personnel Security (PS) family in NIST 800-53.

Basic Requirements: 2

Derived Requirements: 0

Procedural Controls: Yes

Technical Controls: Yes

Control Family 10: Physical Protection

This family of requirements includes procedural controls outside of IT system management. Physical protection is a big deal for on-premises enterprises, and it may be especially challenging and expensive for small businesses. Alternatively, an approved CSP can provide a cloud environment that meets the NIST 800-171 physical protection requirements. These requirements map directly to the Physical Access Control (PE) family within NIST 800-53.

Basic Requirements: 2

Derived Requirements: 4

Procedural Controls: Yes

Technical Controls: No

Control Family 11: Risk Assessment

Risk Assessment (RA) requirements for NIST 800-171 are primarily a procedural and paper-based exercise. The derived requirements are technical in nature and align directly with the RA family in NIST 800-53. There are three requirements, which relate to identifying and remediating vulnerabilities in the information system. The size and complexity of the information system will determine the size of this effort. Beware: this could be a significant effort.

Basic Requirements: 1

Derived Requirements: 2

Procedural Controls: Yes

Technical Controls: Yes

Control Family 12: Security Assessment

Hate audits? Prepare early and often, because the NIST 800-171 Security Assessment requirements include periodic and continual assessments. The purpose of these assessments is to identify and close any gaps that may present themselves during system operation. There are only three requirements, but they work as a loop that ensures continual improvement and control. This control family relates specifically to Security Assessment and Authorization Management in NIST 800-53.

Basic Requirements: 3

Derived Requirements: 0

Procedural Controls: Yes

Technical Controls: No

Control Family 13: System and Communications Protection

Pay close attention to the NIST 800-171 System and Communications Protection requirements, because they are the largest and most complex tasks to implement. This family of controls ensures that organizational information systems include sufficient monitoring, control and protection of all communications, internal and external. Implementation requires significant procedural and technical controls. Requirements map across multiple NIST 800-53 families, including portions of both the System and Services Acquisition Management (SA) and Security Control (SC) families.

Basic Requirements: 2

Derived Requirements: 14

Procedural Controls: Yes

Technical Controls: Yes

Control Family 14: System and Information Integrity

NIST 800-171 System and Information Integrity requirements are primarily focused on ensuring that malware and other malicious code do not gain access to the information system. Additionally, these requirements cover identifying potential attacks and indicators of potential attacks. Procedural controls for this family are straightforward for most organizations. However, technical implementation of the controls for on-premises environments can be challenging given the speed and frequency with which attacks and attackers change tactics. This requirement set maps to the Systems and Communications Protection (SI) family in NIST 800-53.

Basic Requirements: 3

Derived Requirements: 4

Procedural Controls: Yes

Technical Controls: Yes

Small Business Success requires DFARS Compliance

Small and disadvantaged business success is an essential component of federal contracting requirements. As a retired soldier, I know firsthand how important information security is to the safety of our nation. As a small business owner, I know firsthand the challenges and expenses that NIST 800-171 compliance places on federal contractors. My advice for small businesses is to “Prepare Early and Test Often”. Finally, if DFARS compliance is an essential element of your business success, then be sure to do it right the first time. If you do it incorrectly, you will only end up doing the work a second or third time, and small businesses can’t afford to pay for the same work three different times.

Please feel free to reach out to me directly to ask any questions that are not addressed in this 800-171 primer. You can also check out the DFARS Frequently Asked Questions blog series. If your question is broadly applicable, I would be happy to add it to that list.

Thanks for reading!

About Scott Edwards

Scott Edwards is an accomplished computer engineer and organizational leader with experience in business, project management, systems engineering, training and security. Scott’s technical experience was honed at NASA as a Senior Computer Engineer and the Chief Engineer and Engineering Manager for the NASA Datacenter.

Scott received his Bachelor of Science from the United States Military Academy and his Master of Science in Computer Science with an emphasis in Information Assurance at James Madison University. Scott proudly served as an Officer in the US Army Signal Corps with both the 2-227th Aviation Battalion in Bosnia-Herzegovina and the 1-6 Air Defense Artillery Battalion in Fort Bliss, Texas.

Currently, Scott is the President and Managing Partner of Summit 7 Systems. Summit 7 Systems is a Service Disabled Veteran Owned Small Business (SDVOSB) and a Microsoft Gold Cloud Productivity Partner that specializes in Office 365 security solutions.