CMMC Certification


What is NIST SP 800-171?

The U.S. Government considers the protection of Controlled Unclassified Information (CUI) in nonfederal systems and organizations to be of great importance to federal agencies. Loss or breach of CUI can directly impact the ability of those agencies to perform their missions and operations.

NIST 800-171 refers to National Institute of Standards and Technology (NIST) Special Publication 800-171, which governs Controlled Unclassified Information (CUI) that is processed, stored, and transmitted in nonfederal information systems and organizations. It is a standard that defines the security requirements and methods for safeguarding and distributing material deemed sensitive but not classified by federal government agencies when:

  • CUI is resident in nonfederal systems and organizations
  • No specific safeguarding requirements for protecting the confidentiality of CUI exist in another law or regulation, and
  • The nonfederal organization is not collecting or maintaining information on behalf of a federal agency, or using or operating a system on behalf of an agency

The security requirements identified in the NIST 800-171 standard are intended for use by federal agencies in contracts and other agreements established between those agencies and nonfederal organizations, such as their contractors, subcontractors, and partners.


Who is Required to Comply?

DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7012 requires companies and organizations to comply with the NIST 800-171 cybersecurity standard when they process, store, or transmit CUI. This requirement is typically found in Department of Defense (DoD) contracts. Organizations and companies that are not compliant with this standard risk losing their DoD contracts.

Simply put, if your company or organization wants to work with the DoD, you will have to be NIST 800-171 compliant whenever you receive or process CUI.

DFARS also requires contractors and subcontractors to report cyber breaches and incidents to the DoD promptly (within 72 hours of discovery). If your company is a lower-tier subcontractor, it must also pass the incident report to the next higher-tier subcontractor, and so on up the chain until the prime contractor is reached.

In summary, every contracting organization that is not already compliant must take immediate action to fulfill the requirements. The preparation process typically includes an in-depth assessment of the organization's current cybersecurity posture and identification of the requirements that apply. Thereafter, the organization should implement actions such as securing system access, increasing employee awareness, properly configuring system security settings, and installing or deploying the necessary risk analysis and monitoring software.

Failure to comply can result in the termination of active contracts with the DoD, fines or penalties resulting from breach of contract, and rejection from new contracts.

Download NIST SP 800-171 standard

Download Supplement to NIST SP 800-171 standard (NIST SP 800-172)

What are the Components of NIST SP 800-171?

The standard has 14 key areas, or requirement families. Companies must implement the 110 requirements outlined in these areas:

  • Access Control (AC)
  • Awareness & Training (AT)
  • Audit & Accountability (AU)
  • Configuration Management (CM)
  • Identification & Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

Don’t try to manage it all alone! Linqs has extensive experience in compliance with the NIST SP 800-171 requirements.

We can assist you by training your employees and developing policies and procedures, in addition to providing expert guidance on securing your systems, so that you achieve compliance with NIST SP 800-171 as soon as possible.
