NIST SP 800-171 Compliance
By Corey Clements
Protecting the Country’s Data
Ask what data can do for you but also ask what is required to protect your organization’s data. Data is only valuable when it provides insight for better actions. Stats and facts collecting database dust yields no benefits. But in order to analyze and share data, it must also be adequately protected to ensure security, compliance, and privacy.
And that is exactly the reasoning for Executive Order 13556, which established the Controlled Unclassified Information (CUI) Program. In November 2010, this EO standardized the way the executive branch handles unclassified information that requires protection, such as personally identifiable information.
What is Controlled Unclassified Information (CUI)?
Executive Order 13556 also required that the CUI Program emphasize openness, transparency, and uniformity of government wide practices. As stated in the EO, “This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing.”
As such, the order creates one consistent policy applied to a defined and organized body of information. There are 22 different categories of CUI, and 85 subcategories. Executive departments and agencies employ agency-specific procedures to safeguard CUI, such as information that involves privacy, security, proprietary business interests, and law enforcement investigations.
NIST 800-171: Protecting CUI for Enterprises Serving the Government
The National Archives and Records Administration (NARA) worked with The National Institute of Standards and Technology (NIST), the government’s source for computer security standards and guidelines, to draft guidelines for protecting CUI on information systems outside the immediate control of the federal government. The new document, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST Special Publication 800-171), is the final version of those guidelines.
Non-federal organizations that provide services to U.S. Government Agencies such as government contractors; manufacturers; state, local, and tribal governments; and colleges and universities must now provide documentation and evidence as to how they are protecting CUI. The requirements recommended for use are derived from FIPS Publication 200 and the moderate security control baseline in NIST Special Publication (SP) 800-53. NIST SP 800-171 is an SP 800-53 subset of tailored controls designed to protect CUI confidentiality, when the confidentiality impact value of the CUI is no lower than moderate.
Achieving NIST 800-171 Compliance
Security assessments are required to demonstrate compliance with NIST SP 800-171, prior to information system deployment. The government has specified the approach and framework, which non-federal entities must demonstrate compliance with. Appendix D of NIST 800-171 contains a direct mapping of the NIST 800-171 CUI security requirements to the security controls in NIST Special Publication 800-53 and ISO/IEC 27001. In some cases, contractors can achieve NIST 800-171 compliance by leveraging some of the security systems they already have in place.
Organizations are able to assess themselves, if desired. All assessments require comprehensive documentation to demonstrate that required controls are implemented correctly, operating as intended and producing the desired outcome.
Since 2001, SecureIT has helped dozens of firms achieve NIST-based compliance requirements in a practical, efficient manner. Our designation as a FedRAMP 3PAO stems from SecureIT’s proven expertise in NIST security, controls and assessment procedures. SecureIT can provide assessment and advisory services to help you comply with NIST SP 800-171. Contact us today to discuss your needs.