What is NIST SP 800-171?
The U.S. Government considers the protection of Controlled Unclassified Information (CUI) in nonfederal systems and organizations to be of great importance to federal agencies. Loss or breach of CUI can directly impact the ability of the agencies to perform their missions and operations.
NIST 800-171 refers to National Institute of Standards and Technology (NIST) Special Publication 800-171, which governs Controlled Unclassified Information (CUI) that is processed, stored, and transmitted in nonfederal information systems and organizations. It is a standard that defines the security requirements and methods for safeguarding and distributing material deemed sensitive but not classified by federal government agencies when:
CUI is resident in nonfederal systems and organizations
No specific safeguarding requirements exist for protecting the confidentiality of CUI by another law or regulation, and
The nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency
The security requirements identified in NIST 800-171 standard are intended for use by federal agencies in contracts and other agreements established between those agencies and nonfederal organizations, such as their subcontractors and partners.
Who is Required to Comply?
DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7012 requires companies and organizations to comply with the NIST 800-171 cybersecurity standard when they process, store, or transmit CUI. This requirement is typically found in Department of Defense contracts. Organizations and companies that are not compliant with this standard risk losing their DoD contracts.
Simply put, if your company or organization wants to work with the DoD, you will have to be NIST 800-171 compliant whenever you receive or process CUI.
DFARS also requires contractors and subcontractors to report cyber breaches and incidents to DoD immediately (within 72 hours of discovery). If your company is a lower-tier subcontractor, it must also provide the incident report to the next higher-tier subcontractor, and so on up the chain until the prime contractor is reached.
In summary, every contracting organization that is not already compliant must take immediate action to fulfill the requirements. The preparation process typically includes an in-depth assessment of the organization's current cybersecurity posture and identification of the requirements that are not yet met. Thereafter, the organization should implement actions such as securing system access, increasing employee awareness, properly configuring system security settings, and installing or deploying the necessary risk analysis and monitoring software.
Failure to comply can result in the termination of active contracts with DoD, fines or penalties resulting from breach of contract, and exclusion from new contracts.
What are the Components of NIST SP 800-171?
The standard is organized into 14 key areas, or requirement families. Companies must implement the 110 requirements outlined across these areas:
Don’t try to manage it all alone! Linqs has extensive experience in compliance with the NIST SP 800-171 requirements.
We can assist you by training your employees and developing policy and procedures in addition to providing expert guidance on securing your systems for achieving compliance with NIST SP 800-171 as soon as possible.