Using the NIST Framework to Help Non-Federal Organizations Protect Controlled Unclassified Information (CUI)
NIST SP 800-171 is a set of standards established by the National Institute of Standards and Technology (NIST) that outlines practices non-federal organizations can use to protect controlled unclassified information (CUI). CUI is sensitive but unclassified information created or held by the U.S. federal government. The standard applies to non-federal organizations working with agencies such as the United States Department of Defense (DoD), the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA), as well as to service providers, vendors and suppliers for federal agencies, and higher education institutions that receive federal grants.
NIST 800-171 is required for all non-federal agencies that process, store, or transmit CUI. In this NIST 800-171 compliance resource center, we’ll look into the history of the framework, what it’s designed to do, and how you can crosswalk your other cybersecurity frameworks with these standards.
NIST 800-171 is a set of standards to guide how non-federal agencies protect sensitive but unclassified federal information called CUI.
You can use Apptega to build and manage your NIST 800-171 framework, simplifying your NIST 800-171 compliance journey.
If you’re a non-federal organization serving as a contractor or subcontractor seeking to work with a variety of federal agencies, you should be NIST 800-171 compliant.
The purpose of NIST 800-171 is to guide how non-federal agencies protect sensitive CUI they may interact with while doing business with government agencies.
NIST requirements are divided among 14 control families. Compliant organizations must prove they meet standards within several of these areas.
Like other cybersecurity frameworks, NIST 800-171 can serve as the basis of your cybersecurity program, helping mature your security posture over time.
Documentation is key to demonstrating NIST 800-171 compliance. Check out this section to learn more about what you should consider.
Conducting security assessments can be challenging, but it’s critical to demonstrate NIST 800-171 compliance.
Because there have long been self-attestation issues with NIST 800-171 compliance, the government now requires new contracts to have a CMMC certification level.
See how Cape Henry Associates is using Apptega to manage NIST 800-171 and CMMC compliance.
Want to know more about the connections between NIST 800-171 and CMMC? Check out this and other blogs to learn more.
Join a webinar to explore how NIST 800-171 and CMMC work together to help you with your NIST 800-171 strategy.
Apptega can help you implement and manage NIST 800-171 controls, and even simplifies crosswalking the framework with others.
Searching for tools, guidance, and assistance with NIST 800-171 compliance? Try the NIST 800-171 Marketplace.
Have questions about NIST 800-171 compliance? Check out this FAQ for answers.
NIST 800-171 is a set of guidelines for non-federal organizations that work with federal agencies. It’s designed to help these organizations adopt controls to protect and secure controlled unclassified information (CUI). The National Institute of Standards and Technology (NIST) first published these standards in June 2015 in response to presidential Executive Order 13556: Controlled Unclassified Information, issued in 2010. The purpose of the executive order was to standardize how agencies handle and protect this sensitive federal information.
NIST 800-171 is a requirement for all non-federal organizations that process, store, or transmit CUI. Federal agencies use standards set by NIST 800-53 to protect and secure CUI. With NIST 800-171, compliance has always been required, but there have long been issues with the way organizations self-attest to compliance. These requirements and controls can be most easily understood by putting them into a few core buckets: controls and processes, monitoring and management, practices and procedures, and implementation. It looks like this:
1. Design controls and procedures to establish how you will manage and protect CUI.
2. Continuously monitor and manage all of your IT systems to ensure compliance.
3. Ensure all users understand your security practices and procedures.
4. Implement and maintain security practices for your data, your technology, and your physical locations.
While some cybersecurity frameworks require a certification, NIST 800-171 does not. Instead, non-federal organizations that access CUI while working with federal agencies are expected to implement the framework and self-attest to meeting basic security standards to protect CUI.
There are 14 core families of controls in NIST 800-171 that range from access controls and awareness to system and information integrity. To demonstrate compliance, you should ensure you have proper documentation in place that indicates you meet control specifications, complete interviews with team members who are responsible for maintaining your core NIST 800-171 responsibilities, and complete specific tests that show your controls effectively do what they’re intended to do.
While self-attestation has generally been the compliance standard for contractors and subcontractors, an interim DFARS rule now drives a new DoD assessment methodology, including a new scoring component that reflects the level of implementation of the 110 controls outlined in the framework.
In early 2019, the DoD announced it intended to audit the DoD supply chain to ensure DFARS compliance. Under the recent interim rule, as of Nov. 30, 2020, all contractors and subcontractors are expected to post a current NIST SP 800-171 DoD Assessment score to the DoD’s Supplier Performance Risk System (SPRS).
As a non-federal organization working with a federal agency, if you process, store, or transmit CUI, you are expected to comply with the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS).
FAR and DFARS outline requirements for all U.S. government acquisition and contract processes. As a result, NIST SP 800-171 provides recommendations and controls your organization can adopt and implement to ensure that you successfully protect and secure all controlled unclassified information (CUI). The government mandates that all contractors and subcontractors implement NIST requirements to effectively demonstrate that they adhere to the controls required in DFARS 252.204-7012, which became effective in December 2017.
If your organization fails to demonstrate you meet the appropriate requirements, you may not be able to work with federal agencies, and compliance failure could result in the government ending existing contracts with you.
It’s also important to note that if you are a prime contractor who works with subcontractors to complete terms of your DoD or other federal relationships, you are expected to ensure that all of those subcontractors also meet NIST 800-171 compliance.
To evaluate if you are NIST 800-171 compliant, you can refer to “NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements,” which is a step-by-step guide that can help assess how well your organization is doing in meeting framework requirements.
The NIST 800-171 framework within the Apptega cybersecurity and compliance platform supports all of the core 14 control areas and sub-controls needed to ensure NIST 800-171 compliance. You can use the Apptega solution to plan, implement and manage your NIST 800-171 controls and crosswalk other frameworks your organization uses (or plans to implement in the future) for complete, consolidated insight into your cybersecurity posture.
Here are some of the ways Apptega can help you with your NIST 800-171 compliance:
As a non-federal organization working with federal agencies, you should be able to demonstrate to the government you have effective cybersecurity controls in place to protect controlled unclassified information.
In this NIST 800-171 compliance guide, you will learn more about the framework, including its history, and will explore:
“The new CMMC framework in Apptega, combined with the platform's cybersecurity management and reporting capabilities, greatly simplifies the certification process and helps organizations ensure compliance with minimal overhead.”
“The Apptega Assessment Manager significantly streamlines CMMC assessments and helps us promote collaboration with our clients. We evaluated numerous tools and found the Apptega cybersecurity and compliance management platform to be the most robust and easy to use.”
“With Apptega, we now have the visibility needed to know the true status of our program at any time.”
While NIST 800-171 compliance provides a great foundation for building a cybersecurity program for your organization, most modern organizations quickly understand that because of other compliance and regulatory standards, they can improve their security posture by implementing and managing more than one cybersecurity framework.
Unfortunately, many organizations struggle with this, as they find teams duplicating processes across multiple frameworks without clear insight into existing controls that work together.
Apptega’s intelligent framework mapping tool, Harmony, changes everything. With Harmony, you can map multiple security programs, for ISO 27001, PCI, HIPAA, GDPR and others, right in one solution with a convenient, easy-to-understand dashboard. The cost and effort required to manage multiple frameworks can be reduced by 50% or more. And when you need compliance evidence for only one framework during an audit or self-assessment, you can easily isolate that framework in the Apptega dashboard and reports.
NIST 800-171 covers five core cybersecurity functions: identify, protect, detect, respond, and recover. These five areas are the heart of this framework. They can help you design proactive safeguards to protect CUI and help your organization plan for how you will mitigate and respond to cyber risks related to CUI.
Let’s take a closer look at each area and its intended purpose:
Respond: This function relates to the activities you should take once your team identifies a cybersecurity event, and what you can do to contain it and limit its impact.
Recover: This function ensures you have defined activities in place to restore services impacted by a cybersecurity incident, including plans and procedures to quickly return your operations to “normal.”
NIST SP 800-171 has 110 security controls that combine best practices from FIPS 200 and NIST SP 800-53. Each of these 110 controls correspond to one of 14 categories:
In addition to ensuring your ability to compete for federal contracts, there are a number of benefits of implementing NIST 800-171 controls, not just for CUI, but also for other important and sensitive data created, processed, transmitted, or stored by your organization.
Here are some key benefits of NIST 800-171 compliance:
While there is no formal certification process for NIST 800-171, all non-federal organizations accessing CUI as part of their work with a federal agency must attest to NIST 800-171 compliance. As we mentioned earlier, there are 14 core requirement families. To show that you’re compliant with these standards, your organization should develop a System Security Plan (SSP) that outlines how you’re effectively meeting all of the controls.
Here’s a quick look at what that SSP might look like:
In addition to your SSP, you can also create a Plan of Action and Milestones (POA&M) that outlines how you intend to address security requirements you have not yet implemented. In your POA&M, don’t forget to also describe how you will mitigate risk in the interim until those action items are in place.
Documentation is a critical component of attesting that you’re NIST 800-171 compliant. Here are three core areas you’ll need to address as part of your self-assessment:
In 2020, the Department of Defense issued an interim rule regarding how contractors handle cybersecurity requirements, including the adoption of a new DoD assessment methodology to ensure that all contracts meet the DFARS mandate and NIST 800-171 requirements. For contractors to compete for new contracts, win new contracts or renew existing contracts with the DoD after Nov. 30, 2020, they must first complete a self-assessment and upload the results of the assessment into the DoD’s Supplier Performance Risk System (SPRS).
While a self-assessment was previously a pass-or-fail scenario based on the 110 security requirements outlined in NIST 800-171, the new assessment methodology includes a scoring system based on those 110 controls. DoD intends to use this methodology to standardize assessments of NIST 800-171 implementation.
In this assessment methodology, there are three assessment levels designed to determine the level of confidence discovered in assessment results:
If all security requirements are met, the contractor earns a score of 110, representing that all 110 security controls are met.
For every control not met, points are subtracted from the 110 total. There are a number of factors that influence this scoring methodology. For a closer look, check out the NIST SP 800-171 DoD Assessment Methodology v1.2.1.
Contractors should anticipate completing this type of assessment once every three years or whenever there are significant changes in security practices, risks, or security-related events. Prime contractors also retain responsibility for ensuring subcontractors also meet compliance requirements.
In addition to implementing the new DoD assessment methodology for NIST 800-171 compliance, the government is taking additional steps to ensure all non-federal agencies do their part to protect CUI and other sensitive data.
In January 2020, DoD released the first version of the Cybersecurity Maturity Model Certification (CMMC) program, which builds off NIST 800-171. When fully operational, it will apply to all requests for information (RFIs) and requests for proposals (RFPs). CMMC creates five levels of certification, each building on the one below it, to create scalable cybersecurity practices that protect controlled unclassified information.
By successfully completing a CMMC certification, contractors demonstrate they can effectively protect CUI. A CMMC certification can apply to an entire enterprise or to a particular segment, depending on contract requirements and where information is processed, stored, or transmitted.
Here are the five CMMC certification levels:
Level 1
Practice: Basic Cyber Hygiene
Focus: Safeguard FCI
Number of Practices Introduced: 17
Level 2
Practice: Intermediate Cyber Hygiene
Focus: Transition step in cybersecurity maturity progression for CUI protection
Number of Practices Introduced: 55
Level 3
Practice: Good Cyber Hygiene
Focus: Protect CUI
Number of Practices Introduced: 58
Level 4
Practice: Proactive
Focus: Protect CUI and reduce risk of APTs
Number of Practices Introduced: 26
Level 5
Practice: Advanced/Progressive
Focus: Protect CUI and reduce risk of APTs
Number of Practices Introduced: 15
The 17 domains of CMMC are broken down into 43 capabilities (practices). The 17 domains are:
1. Access Control
2. Asset Management
3. Audit and Accountability
4. Awareness and Training
5. Configuration Management
6. Identification and Authentication
7. Incident Response
8. Maintenance
9. Media Protection
10. Personnel Security
11. Physical Protection
12. Recovery
13. Risk Management
14. Security Assessment
15. Situational Awareness
16. Systems and Communications Protection
17. System and Information Integrity
You can read more about those practices, including information about how to earn a CMMC certification, in our CMMC resource center.
For a high-level explanation of the key difference between NIST 800-171 and CMMC, watch this 2-minute video clip.
Cape Henry Associates uses Apptega to manage NIST 800-171 and CMMC compliance. Upon uploading its NIST 800-171 data into Apptega, team members were pleased to discover they were already at 92% of full compliance with the standard. The Apptega platform also immediately exposed some additional gaps that were previously unknown.
“With Apptega, we’re able to take a cost-effective DIY approach to cybersecurity readiness and compliance. The built-in guidance for each of the sub-controls helps us quickly compare what we are actually doing with what we need to be doing. Gaps are readily identified, and remediation tasks are set up in the platform to give us a 360-degree view of our status and plans.” — Ed Myers, Cape Henry Compliance Director
In modern cybersecurity practices, the lines that once existed between privacy and security are converging, which creates challenges for teams that need to work together to ensure you’re successfully meeting all your regulatory and compliance standards. Today, it’s no longer just about the privacy of the data you collect, store, and transmit, but also how you protect it. New regulations like state and federal mandates and GDPR are further driving this convergence. Check out this blog to explore how you can streamline cybersecurity framework management to successfully overcome this growing list of challenges.
Understanding what CUI is and why the government wants it protected is the first step of many when it comes to earning a CMMC certification. You also need to understand the five levels of CMMC certification and which one is the most applicable to your organization’s needs, as well as what you should do to prepare for a CMMC compliance audit and how you can mature your processes to scale your cybersecurity practice and earn higher certification levels over time. In this blog, you will learn more about selecting the right certification level, how to conduct a CMMC gap analysis, and how to prepare for a CMMC certification assessment.
There are a growing number of cybersecurity frameworks available for organizations today. While compliance and regulatory standards may drive which frameworks you have to adopt, you may realize other frameworks bring value to improving your security practices. But, with so many frameworks available, how do you know which one is right for you? SOC 2? CIS? ISO? This blog explores several common frameworks, outlining where they’re relevant and how they may help your organization. Read on to find out more about each one and how Apptega can help you adopt and implement the best framework to meet your specific needs.
Simply self-attesting to NIST 800-171 compliance is no longer all you need for a competitive advantage to win government contracts. With the addition of new assessment methodologies and the newly released CMMC certification expectations, there’s a lot to digest.
Watch this on-demand webinar to learn more about:
• The relationship between NIST 800-171 and CMMC
• How to earn a CMMC certification
• Who conducts assessments for NIST 800-171 and what they look like
• Compliance challenges
Cybersecurity audits are often tedious and time-consuming, but they are critical parts of ensuring your organization is recognized for all your hard work to be compliant with a range of requirements. The good news is, preparing for an audit with the help of a solution like Apptega can reduce these complexities and get you well on your way to a successful review.
In this on-demand webinar, learn more about:
• Best practices to successfully pass an audit
• Real-world audit experiences shared by some of the best-of-the-best
• Audit pitfalls and how to overcome them
• Time-saving tips to help you engage successfully throughout the audit process
Simplify your NIST 800-171 compliance with multiple cybersecurity and privacy frameworks in the Apptega platform. In addition to easily crosswalking multiple frameworks within the Apptega Harmony intelligent mapping tool, you can also streamline tasks and manage roles and responsibilities within the platform.
With Apptega’s dashboard, you get instant, easy-to-understand insight into the status of your NIST 800-171 compliance and can quickly identify areas for improvement. One-click reports include high-level summaries for your executives and board of directors, detailed status reports for customers and supply chain partners, and a POA&M and SSP for audits and certifications.
Searching for tools, guidance, and assistance with NIST 800-171 compliance?
The NIST 800-171 Marketplace in CyberXchange is mapped to all the controls defined in the framework. For each of your gaps or compliance deficiencies, you can instantly find solutions mapped to your specific needs. Guesswork is eliminated. The research is already done for you.
Join thousands of CISOs, CIOs and other cyber professionals who are already finding perfect-fit solutions.
FISMA is short for the Federal Information Security Management Act. The government passed the act in 2003 as a way to improve cybersecurity practices for federal agencies. FISMA applies specifically to federal agencies but is a driver of the NIST 800-171 standards to protect CUI, which relates specifically to non-federal agencies.
NIST 800-171 compliance resources are in Apptega’s NIST 800-171 Marketplace. Within the marketplace, you can quickly access products and services to help you with NIST 800-171 compliance, including access to consultants that have proven expertise in your specific compliance areas.
©2023 All Rights Reserved. Apptega® is a registered trademark of Apptega, Inc.