256.585.6868 | info@summit7systems.com

NIST 800-171 Compliance in Office 365

A CONSOLIDATED SOURCE FOR APPLICATION OF 800-171 TO THE O365 PLATFORM

 Is the Department of Defense a customer of yours?  Do you know how NIST 800-171 will impact your business?  If your DoD contract requires DFARS 7012 and (consequently) NIST 800-171 compliance, then this primer will help you identify the requirements needed for success. In addition, the following content will better prepare your company for the Cybersecurity Maturity Model Certification (CMMC) evaluation.

This primer explains the requirements, by control families, to help businesses identify what is needed for handling Controlled Unclassified Information (CUI) content in your IT systems. 

Topics Covered

What is NIST?

How Does NIST 800-171 Impact Contractors?

What is CUI?

What is an SSP and POA&M and Why is it Important?

Preparing for NIST 800-171 Audit

Overview of NIST 800-171 Control Families

How to Achieve NIST 800-171 Compliance?


What is NIST? NIST 800-171?

The National Institute of Standards and Technology is the United States agency tasked to advance measurement science, standards and technology in ways that enhance economic security and improve quality of life.  The Federal Information Security Modernization Act (FISMA) established NIST as the agency responsible for developing information security standards and guidelines for federal information systems.  NIST published Special Publication 800-171, titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” or NIST 800-171 for short.  For government contractors supporting the Department of Defense (DoD), DFARS 7012 required NIST 800-171 compliance by December 31, 2017.

NIST 800-171 is a guideline for non-federal organizations that must securely process CUI content, within internal and external information systems, in support of federal activities.  NIST based 800-171 on 800-53 but removed controls, or parts of controls, that were uniquely federal or not expected of nonfederal organizations.

How Does NIST 800-171 Impact Contractors?

Since many federal contracts will soon require NIST 800-171 compliance in the new FAR cybersecurity requirements, successful preparation for compliance is essential for businesses providing services to the DoD and non-DoD agencies.  NIST 800-171 is a paradigm shift and federal contractors should conduct an assessment of how their organizational IT services satisfy the requirements. 

Here is the bad news.  NIST 800-171 contains extensive controls and requirements which are challenging and can be expensive to implement. All of this depends upon your IT estate, number of employees and locations, and varying data types your company processes or handles.

Don’t give up hope because there is good news.  It is possible to implement security solutions that satisfy NIST 800-171 by using Cloud Solution Providers (CSP) and managed services.  Improving security with a CSP like Microsoft and leveraging their Office 365 (O365) collaboration stack may more affordably meet your organizational requirements.  Alternative, but equally effective, security measures may compensate for the inability to satisfy a particular requirement within NIST 800-171.  NIST 800-53 provides recognized alternative security standards as organizations plan for NIST 800-171 compliance. 

What is CUI?

Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) are relatively new markings, but similar markings have a long history within the government.  CDI is an umbrella term that encompasses all CUI and Controlled Technical Information (CTI).  These three markings are given to unclassified content that must be protected in a very specific manner both within and outside a government information system.  In the past, the government used many different markings to identify this kind of information. You may have seen or used some of these in the past: Unclassified Controlled Technical Information (UCTI), Sensitive but Unclassified (SBU), For Official Use Only (FOUO), Law Enforcement Sensitive (LES), etc.  These are now all rolled up into the classification of CDI content.  Clear as mud…. Right?  No one said this was easy….

CDI as a category encompasses both CTI and CUI. CTI is defined as technical information with a military or space application that is marked with a distribution statement in accordance with DoDI 530.24 (Distribution Statements on Technical Documents).  In general, the controlling Department of Defense (DoD) office is responsible for determining if information is CTI and properly marking it prior to contractor access to the information.  However, if a contractor develops unclassified CTI in the performance of a contract, the contractor must work with the contracting officer to ensure that the appropriate forms are completed, statements of work are in place and distribution statements are assigned to each piece of content.  This content must be protected at the same level as other CDI and CUI content; it just has special marking and tracking requirements.


What is an SSP and POA&M?

For starters, a System Security Plan (SSP) is an iterative document meant for updates as the company changes anything substantive about its security posture. Much like a well-kept Wikipedia page, every major update or remediation needs to be recorded and reviewed by other individuals. Information like network diagrams, administration roles, company policies, and security responsibilities by employee type are important for a complete SSP.

For the purposes of NIST 800-171 and CUI requirements, the SSP includes the necessary information about each system in your environment that processes, stores, or transmits CUI. This information includes the security configurations or capabilities that are currently implemented or planned, with each capability expressly tied to specific security requirements and controls. Furthermore, the SSP defines how these systems interact with one another (flow of information and shared authentication/authorization), as well as how they behave separately.

If the SSP is the collective details of a business' security posture and system(s) profile, the POA&M is the honey-do list. Each company's POA&M is likely different because it includes information about weaknesses and gaps according to NIST 800-171 standards, as well as the risk posture for each respective gap and any mitigating steps the company intends to take. We often suggest similar entries for each of our clients' POA&Ms; however, not every company will decide to address every risk in the same way. After all, these are business decisions with operational and financial implications.

Bottom line: you have to possess a complete SSP and POA&M in order to conduct work for the Federal Government. A "complete" SSP is a working and living document nevertheless, and a "complete" POA&M really is an empty document once you configure Office 365 and your other systems properly.

Preparing for NIST 800-171 Compliance Audits

DoD contractors know with certainty that under DFARS 1) compliance is mandatory and 2) audits will follow. Therefore, effective planning for audits is essential, because a failure may result in costly contract terminations.

Audits of any kind have the potential for varying interpretations by different auditors.  Therefore, planning for an audit during implementation is critical.  The truth is that third-party audits are easy if the implementation team knows the requirements and is properly prepared.  Beware: the use of alternate standards for NIST 800-171 compliance may reduce costs, but it will increase the risk of auditor interpretation challenges.

A good place to start your understanding, if you have an Office 365 tenant (Commercial or GCC – not available in GCC High currently), is the Compliance Manager. By default, the Compliance Manager is accessible to all users in the tenant unless you elect to close off access to this data (which may be advisable in order to comply with Control Families 3.1 and 3.3, which govern access to security-relevant and audit-related information). To access the Compliance Manager, use the following URL:

https://servicetrust.microsoft.com/ComplianceManager

Since its availability for the commercial cloud was announced in February 2018, and with the introduction of additional regulations, including NIST 800-171, the Compliance Manager is now one of the easiest and surest ways to start your compliance journey. It is also a resource baked into Office 365. As Microsoft’s latest press release notes, citing the Thomson Reuters report Cost of Compliance 2017, 32 percent of companies spend more than 4 hours per week creating and amending audit reports. It is very time-consuming to collect evidence and demonstrate effective control implementation for auditing activities.

NIST 800-171 Requirements and Control Families

NIST 800-171 is a comprehensive set of requirements and there is a lot to understand.  NIST 800-171 contains 28 basic security requirements and 81 derived security requirements.  That’s a total of 110 requirements across the entire scope of NIST SP 800-171!  

We can make this easier.  First, we divide these 109 requirements into 14 control families to create a controlled set.  Many of these controls, both technical and procedural, can be handled by your Cloud Service Provider if you are moving into a Cloud environment.  This primer will help organizations assess the costly requirements and determine if a CSP is an effective alternative method for NIST 800-171 compliance.

Control Family 3.1: Access Control

The Access Control family is one of the largest control families in NIST 800-171.  In general, this control family specifies controls around limiting system access to authorized users and making sure that those authorized users are only able to perform specified actions based on company policies.  All requirements in the NIST 800-171 Access Control family are traced to NIST 800-53, and most controls require both a procedural and a technical control to implement the procedure.

Basic Requirements: 2
Derived Requirements: 20
Procedural Controls: Yes
Technical Controls: Yes

Control Family 3.2: Awareness and Training

Ensuring that managers, administrators and end users receive proper security and awareness training, on both usage of the information system and insider threats, is essential to satisfying the NIST 800-171 Awareness and Training requirements.  All three of the requirements map specifically to the Awareness and Training (AT) family in NIST 800-53 and are handled with procedural controls.  They do not require a technical control; however, a control enhancement might be the implementation of a learning management system to maintain electronic training records.

Basic Requirements: 2
Derived Requirements: 1
Procedural Controls: Yes
Technical Controls: No

Control Family 3.3: Audit and Accountability

NIST 800-171 Audit and Accountability requirements focus specifically on ensuring that an organization's audit generation and reporting capabilities sufficiently support the security monitoring and management needed for a secure environment.  These requirements map directly to NIST 800-53.  Most of these controls require both a procedural and a technical implementation.

Basic Requirements: 2
Derived Requirements: 7
Procedural Controls: Yes
Technical Controls: No

Control Family 3.4: Configuration Management

Configuration Management requirements for NIST 800-171 focus on ensuring that organizations have formalized change control and technical controls that ensure processes are appropriately followed across the entire IT enterprise.  Remember, the entire enterprise includes servers, services and client systems.  This extensive set of requirements may require the creation of governance processes or significant modifications to existing ones.  All requirements map directly to the Configuration Management (CM) family in NIST 800-53 and include procedural and technical controls.

Basic Requirements: 2
Derived Requirements: 7
Procedural Controls: Yes
Technical Controls: Yes

Control Family 3.5: Identification and Authentication

Pay special attention to the Identification and Authentication requirements, which ensure that systems properly identify users and processes acting within an IT environment.  Multi-factor Authentication is one of the primary requirements in this NIST 800-171 control family, and it is a big deal!  These requirements map directly to the Identification and Authentication (IA) family in 800-53 and, like some of the previous categories, this family requires both procedural and technical controls across almost all requirements.

Basic Requirements: 2
Derived Requirements: 9
Procedural Controls: Yes
Technical Controls: Yes

Control Family 3.6: Incident Response

Don’t be fooled.  The Incident Response family only has three requirements; however, the implementation effort is significant.  NIST 800-171 Incident Response (IR) requirements map to the NIST 800-53 Incident Response (IR) requirements and ensure that processes exist to respond to operational incidents and report them to the government. Testing is the key to success for the third requirement once processes and controls are implemented.  I can’t stress this enough; test, test, test!

Basic Requirements: 2
Derived Requirements: 1
Procedural Controls: Yes
Technical Controls: Yes

Control Family 3.7: Maintenance

Implementations with Cloud Service Providers have fewer maintenance requirements for NIST 800-171 compliance, because the Cloud Service Provider (CSP) provides the hardware maintenance and disposal.  However, there is a requirement that speaks directly to Multi-factor Authentication for remote maintenance sessions, which can be tricky.  This family maps directly to the Maintenance (MA) family in NIST 800-53.

Basic Requirements: 2
Derived Requirements: 4
Procedural Controls: Yes
Technical Controls: Yes

Control Family 3.8: Media Protection

Worried about moving to a CSP?  The NIST 800-171 Media Protection (MP) requirements may provide the cost justification needed to make the switch from on-premises to a CSP.  Media protection controls are derived from the NIST 800-53 MP and Contingency Planning (CP) families.  The requirements focus on the protection of CUI content in both paper and digital media.  Both policy and technical controls are required.  Organizations using a CSP may have many of these controls included as a component of standard datacenter services.

Basic Requirements: 3
Derived Requirements: 6
Procedural Controls: Yes
Technical Controls: Yes

Control Family 3.9: Personnel Security

NIST 800-171 Personnel Security (PS) requirements are primarily handled via procedural controls outside the purview of an IT system.  However, there are components that require user access to be properly revoked upon termination or transfer.  This is the smallest family within NIST 800-171 and relates directly to the Personnel Security (PS) family in NIST 800-53.

Basic Requirements: 2
Derived Requirements: 0
Procedural Controls: Yes
Technical Controls: Yes

Control Family 3.10: Physical Protection

This family of requirements includes procedural controls outside of IT system management.  Physical protection is a big deal for on-premises enterprises, and it may be especially challenging and expensive for small businesses.  Alternatively, an approved CSP can provide a cloud environment that meets the NIST 800-171 physical protection requirements.  These requirements map directly to the Physical Access Control (PE) family within NIST 800-53.

Basic Requirements: 2
Derived Requirements: 4
Procedural Controls: Yes
Technical Controls: No

Control Family 3.11: Risk Assessment

Risk Assessment (RA) requirements for NIST 800-171 are primarily a procedural and paper-based exercise.  The derived requirements are technical in nature and align directly with the RA family in NIST 800-53.  There are three requirements, which relate to identifying and remediating vulnerabilities in the information system.  The size and complexity of the information system will determine the size of this effort.  Beware: this could be a significant effort.

Basic Requirements: 1
Derived Requirements: 2
Procedural Controls: Yes
Technical Controls: Yes

Control Family 3.12: Security Assessment

Hate audits?  Prepare early and often, because the NIST 800-171 Security Assessment requirements include periodic and continual assessments.  The purpose of these assessments is to identify and close any gaps that may present themselves during system operation.  There are only three requirements, but they work as a loop that ensures continual improvement and control.  This control family relates specifically to Security Assessment and Authorization Management in NIST 800-53.

Basic Requirements: 3
Derived Requirements: 0
Procedural Controls: Yes
Technical Controls: No

Control Family 3.13: System and Communications Protection

Pay close attention to the NIST 800-171 System and Communications Protection requirements, because they are the largest and most complex tasks to implement.  This family of controls ensures that organizational information systems include sufficient monitoring, control and protection of all communications, internal and external.  Implementation requires significant procedural and technical controls. The requirements map across multiple NIST 800-53 families, including portions of both the System and Services Acquisition Management (SA) and Security Control (SC) families.

Basic Requirements: 2
Derived Requirements: 14
Procedural Controls: Yes
Technical Controls: Yes

Control Family 3.14: System and Information Integrity

The NIST 800-171 System and Information Integrity requirements are primarily focused on ensuring that malware and other malicious code do not gain access to the information system.  Additionally, these requirements cover identifying potential attacks and indicators of potential attacks.  Procedural controls for this family are straightforward for most organizations.  However, technical implementation of the controls for on-premises environments can be challenging given the speed and frequency with which attacks and attackers change tactics.  This requirement set maps to the Systems and Communications Protection (SI) family in NIST 800-53.

Basic Requirements: 3
Derived Requirements: 4
Procedural Controls: Yes
Technical Controls: Yes


How to Achieve NIST 800-171 Compliance?

Small businesses should “Prepare Early and Test Often”.  If DFARS compliance is an essential element of your business success, then be sure to do it right the first time.  If you do it incorrectly, you will only end up doing the work a second or third time, and small businesses can’t afford to pay for the same work three different times. You will also need to start with a solid SSP and POA&M, as discussed previously.

For most contractors that have some semblance of an SSP and POA&M, the business will likely need a gap analysis to identify what steps are needed to bring their existing O365 environment to a compliant state, OR they will need to configure their new O365 environment to NIST 800-171 prior to migration.

Office 365 GCC High Licensing Guide

O365 GCC High can be configured, with appropriate licensing, to be 100% NIST 800-171 compliant (or at least for the 65 or so technical controls that apply). Additionally, Microsoft agrees to support all requirements for DFARS as part of this environment. This environment was previously available only through an enterprise agreement requiring 500 or more licenses. Through a new program, however, it is now available to all organizations that have a requirement to manage CUI/ITAR data or have the DFARS 7012 clause in one of their contracts.
