Using the NIST Framework to Help Non-Federal Organizations Protect Controlled Unclassified Information (CUI)
NIST SP 800-171 is a set of standards established by the National Institute of Standards and Technology (NIST) that outlines practices non-federal organizations can use to protect controlled unclassified information (CUI). CUI is sensitive but unregulated information from the U.S. Federal government and applies to non-federal agencies working with agencies such as the United States Department of Defense, the General Services Administration (GSA), National Aeronautics and Space Administration (NASA), federal agency services providers, vendors and suppliers for federal agencies, and higher education institutions that get federal grants.
NIST 800-171 is required for all non-federal agencies that process, store, or transmit CUI. In this NIST 800-171 compliance resource center, we’ll look into the history of the framework, what it’s designed to do, and how you can crosswalk your other cybersecurity frameworks with these standards.
NIST 800-171 is a set of guidelines for non-federal organizations that work with federal agencies. It’s designed to help these organizations adopt controls to protect and secure sensitive unclassified controlled information (CUI). The National Institute of Standards and Technology (NIST) first published these standards in June 2015 in response to presidential Executive Order 13556: Controlled Unclassified Information, issued in 2010. The purpose of the executive order was to standardize how agencies handle and protect this sensitive federal information.
NIST 800-171 is a requirement for all non-federal organizations that process, store, or transmit CUI. Federal agencies use standards set by NIST 800-53 to protect and secure CUI. With NIST 800-171, compliance has always been required, but there have long been issues with the way organizations self-attest to compliance. These requirements and controls can be most easily understood by putting them into a few core buckets: controls and processes, monitoring and management, practices and procedures, and implementation. It looks like this:
1. Design controls and procedures to establish how you will manage and protect CUI
2. Continuously monitor and manage all of your IT systems to ensure compliance.
3. Ensure all users understand your security practices and procedures
4. Implement and maintain security practices both for your data, technology and physical locations
While some cybersecurity frameworks require a certification, NIST 800-171 does not. Instead, non-federal organizations that access CUI while working with federal agencies are expected to implement the framework and self-attest to meeting basic security standards to protect CUI.
There are 14 core families of controls in NIST 800-171 that range from access controls and awareness to system and information integrity. To demonstrate compliance, you should ensure you have proper documentation in place that indicates you meet control specifications, complete interviews with team members who are responsible for maintaining your core NIST 800-171 responsibilities, and complete specific tests that show your controls effectively do what they’re intended to do.
While self-attestation has generally been the compliance standard for contractors and subcontractors, an interim DFARS rule now drives a new DoD assessment methodology, including a new scoring component that reflects the level of implementation of the 110 controls outlined in the framework.
In early 2019, the DoD announced it intended to audit the DoD supply chain to ensure DFARs compliance. In the recent interim rule, as of Nov. 30, 2020, all contractors and subcontractors are expected to post a current NIST 800-SP Assessment to the DoD’s Supplier Performance Risk System (SPRS).
As a non-federal organization working with a federal agency, if you process, store, or transmit CUI, you are expected to comply with the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS).
FAR and DFARS outline requirements for all U.S. government acquisition and contract processes. As a result, NIST SP 800-171 provides recommendations and controls your organization can adopt and implement to ensure that you successfully protect and secure all controlled unclassified information (CUI). The government mandates that all contractors and subcontractors implement NIST requirements to effectively demonstrate that they adhere to the controls required in DFARS 252.204-7012, which became effective in December 2017.
If your organization fails to demonstrate you meet the appropriate requirements, you may not be able to work with federal agencies, and compliance failure could result in the government ending existing contracts with you.
It’s also important to note that if you are a prime contractor who works with subcontractors to complete terms of your DoD or other federal relationships, you are expected to ensure that all of those subcontractors also meet NIST 800-171 compliance.
To evaluate if you are NIST 800-171 compliant, you can refer to “NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements,” which is a step-by-step guide that can help assess how well your organization is doing in meeting framework requirements.
The NIST 800-171 framework within the Apptega cybersecurity and compliance platform supports all of the core 14 control areas and sub-controls needed to ensure NIST 800-171 compliance. You can use the Apptega solution to plan, implement and manage your NIST 800-171 controls and crosswalk other frameworks your organization uses (or plans to implement in the future) for complete, consolidated insight into your cybersecurity posture.
Here are some of the ways Apptega can help you with your NIST 800-171 compliance:
"The new CMMC framework in Apptega, combined with the platform's cybersecurity management and reporting capabilities, greatly simplifies the certification process and helps organizations ensure compliance with minimal overhead."
"The Apptega Assessment Manager significantly streamlines CMMC assessments and helps us promote collaboration with our clients. We evaluated numerous tools and found the Apptega cybersecurity and compliance management platform to be the most robust and easy to use.”
“With Apptega, we now have the visibility needed to know the true status of our program at any time.”
While there is no formal certification process for NIST 800-171, all non-federal organizations accessing CUI as part of their work with a federal agency must attest to NIST 800-171 compliance. As we mentioned earlier, there are 14 core requirement families. To show that you’re compliant with these standards, your organization should develop a System Security Plan (SSP) that outlines how you’re effectively meeting all of the controls.
Here’s a quick look at what that SSP might look like:
In addition to your SSP, you can also create a Plan of Action and Milestones (POA&M) that outlines how you intend to address security requirements you have not yet implemented. In your POA&M, don’t forget to also describe how you will mitigate risk in the interim until those action items are in place.
In modern cybersecurity practices, the lines that once existed between privacy and security are converging, which creates challenges for teams that need to work together to ensure you’re successfully meeting all your regulatory and compliance standards. Today, it’s no longer just about the privacy of the data you collect, store, and transmit, but also how you protect it. New regulations like state and federal mandates and GDPR are further driving this convergence. Check out this blog to explore how you can streamline cybersecurity framework management to successfully overcome this growing list of challenges.
Read More
Understanding what CUI is and why the government wants it protected is the first step of many when it comes to earning a CMMC certification. You also need to understand the five levels of CMMC certification and which one is the most applicable to your organization’s needs, as well as what you should do to prepare for a CMMC compliance audit and how you can mature your processes to scale your cybersecurity practice and earn higher certification levels over time. In this blog, you will learn more about selecting the right certification level, how to conduct a CMMC gap analysis, and how to prepare for a CMMC certification assessment.
Read More
There are a growing number of cybersecurity frameworks available for organizations today. While compliance and regulatory standards may drive which frameworks you have to adopt, you may realize other frameworks bring value to improving your security practices. But, with so many frameworks available, how do you know which one is right for you? SOC 2? CIS? ISO? This blog explores several common frameworks, outlining where they’re relevant and how they may help your organization. Read on to find out more about each one and how Apptega can help you adopt and implement the best framework to meet your specific needs.
Read More
Simply self-attesting to NIST 800-171 compliance is no longer all you need for a competitive advantage to win government contracts. With the addition of new assessment methodologies and the newly-released CMMC certification expectations, there’s a lot to digest.
Watch this on-demand webinar to learn more about:
• The relationship between NIST 800-171 and CMMC
• How to earn a CMMC certification
• Who conducts assessments for NIST 800-171 and what they look like
• Compliance challenges
Cybersecurity audits are often tedious and time-consuming, but they are critical parts of ensuring your organization is recognized for all your hard work to be compliant with a range of requirements. The good news is, preparing for an audit with the help of a solution like Apptega can reduce these complexities and get you well on your way to a successful review.
In this on-demand webinar, learn more about:
• Best practices to successful pass an audit
• Hear from some of the best-of-the-best as they share real-world audit experiences
• Explore audit pitfalls and learn how to overcome them
• Pick up time-saving tips to help you successful engage throughout the audit process
Simplify your NIST 800-171 compliance with multiple cybersecurity and privacy frameworks in the Apptega platform. In addition to easily crosswalking multiple frameworks within the Apptega Harmony intelligent mapping tool, you can also streamline tasks and manage roles and responsibilities within the platform.
With Apptega’s dashboard, you can access instant, easy-to-understand insight into the status of your NIST 800-171 compliance and helps you quickly identify areas of improvement. One-click reports include high-level summaries for your executives and board of directors, detailed status reports for customers and supply chain partners, and a POA&M and SSP for audits and certifications.
Searching for tools, guidance, and assistance with NIST 800-171 compliance?
The NIST 800-171 Marketplace in CyberXchange is mapped to all the controls defined in the framework. For each of your gaps or compliance deficiencies, you can instantly find solutions mapped to your specific needs. Guesswork is eliminated. The research is already done for you.
Join thousands of CISOs, CIOs and other cyber professionals who are already finding perfect-fit solutions.
