This post has been updated to reflect the latest revision to the NIST 800-171 compliance requirements - October 2, 2017.
If your organization does business with the Department of Defense or other government institutions, in all likelihood NIST 800-171 will significantly affect how your organization handles sensitive data by December 31, 2017.
The National Institute of Standards and Technology (NIST) published NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, in June of 2015. As a part of the NIST 800 Series, SP 800-171 is one of many government publications setting policies, procedures, and guidelines for computer security.
NIST 800-171 is specifically focused on the requirements for U.S. Government contractors working with Controlled Unclassified Information (CUI). With 14 families of security controls, the requirement sets a broad standard for securing the confidentiality of government information shared with contractors. Government contractors and subcontractors must implement the documented controls by December 31, 2017 in order to maintain their business with the U.S. Government. The confidentiality of sensitive information is a top risk for organizations across the government because of the rash of attacks again OPM and other government organizations that handle sensitive data. In order for businesses to continue receiving sensitive information from the government, they must provide assurance that they have acceptable security in place to protect the confidentiality of government information. The 800-171 requirements were initially published in 2015, and are especially relevant at a time when data breaches are more common than ever.
2017 has been another year of consistent data breaches or cybersecurity attacks making front page news. Several payment system breaches occurred at InterContinental Hotels Group, Arby’s, and Chipotle. Personal data was stolen from health care providers at Washington State University and Anthem. 14 million records of Verizon customers were stolen from an unsecured Amazon Simple Storage Solution server. And, in perhaps the most damaging breach to date, the personal information of 143 Americans was stolen from Equifax, including social security numbers. In a global risk environment where data breaches are likely to continue, strong security measures are necessary to secure the confidentiality of sensitive data. Sensitive data that the government handles is no exception, and 800-171 requirements address and theoretically close a gap in security for this broad category of government information.
Controlled Unclassified Information (CUI) is a broad classification of sensitive, but not necessarily classified, information, including health information, legal documents, financial data, law enforcement information, and proprietary business information. There are 22 approved CUI categories of information. A full list of categories and subcategories is published by the National Archives and Records Administration’s Information Security Oversight Office and contains around 100 categories and subcategories. The classification is the result of Executive Order 13556, which attempted to standardize the many different classifications that were in use across the government like ‘For Official Use Only’ or ‘Proprietary.’ NIST published 800-171 in 2015 as a directive for how to secure this new classification of government information.
By December 31, 2017, federal contractors will need to meet the 110 individual controls in NIST 800-171 in order to continue working with the Federal Government. The requirement is enforced by a rule in the Federal Acquisition Regulation, the rules that businesses must follow in order to sell goods or services to the Federal Government. The controls are designed to help companies to secure the CUI shared with them by the Federal Government. A majority of the requirements are basic information security best practices – like 3.1.8 “Limit unsuccessful logon attempts” or 3.10.3 “Escort visitors and monitor visitor activity.” Their level of detail is fairly broad, providing the activities that contractors must complete but not prescribing a specific methodology (for example, the number of logon attempts to allow, or whether to monitor visitors with video cameras or badges). The requirement does point to FIPS Publication 200 and NIST Special Publication 800-53 for readers seeking additional information related to security controls.
Many of the requirements in NIST 800-171 are activities and security controls that are fundamental to any security program.
One key throughout the process is to document evidence of compliance, including policies, standards, and procedures used to maintain compliance.
There is no formal audit or compliance check as part of the 800-171 implementation.
Organizations self-attest to compliance – self-certifying against the requirements. However, the punishment for non-compliance is steep. The U.S. Government will terminate contracts for businesses found to be non-compliant. Businesses who knowingly sign a contract stating they are compliant while not meeting 800-171 requirements may be found guilty of criminal fraud and exposed to breach of contract lawsuits. Penalties are previously established for not complying with acquisition clauses including action under the False Claims Act, negative past performance ratings, lower award fee scores, and termination for default.
NIST 800-171 defines a set of basic security requirements for U.S. Government contractors working with Controlled Unclassified Information. By including requirements into the contracting process, the government gains a level of assurance that sensitive data will be protected by contractors. While the control set is high-level and foundational, the controls are a critical requirement for businesses working with the government as the penalties for non-compliance can be severe.
In our 9 question survey you will receive a total percentage score as well as a score by question. The information can be leveraged by your security professionals to focus on the areas that you need to strengthen to meet the requirements of NIST 800-171. Alternatively, our experts here at are here to assist you as you work to meet your compliance goals either specifically for NIST 800-171 or simply to fortify your organization’s overall security posture.