It seems like yesterday the National Institute of Standards and Technology (NIST) announced Special Publication 800-171. Yet here we are, with just weeks left to prepare. Starting Dec. 31, 2017, all nonfederal entities (government contractors, employers, universities, etc.) that store controlled unclassified information (CUI) must abide by certain security requirements.
Are you ready?
On Nov. 4, 2010, the Obama administration issued Executive Order 13556, which created the National Archives and Records Administration’s Information Security Oversight Office (ISOO). The ISOO was tasked with establishing a standardized set of guidelines for how government agencies handle CUI.
“NIST 800-171 impacts most organizations.”
For context, CUI refers broadly to information that does not have a “classified” designation but is considered to be “sensitive” in nature. This may include health records and other types of personally identifiable information (PII), legal documents, trade information, employment papers and other similar materials.
In this way, NIST 800-171 impacts wide swaths of organizations, including any business that handles Social Security numbers, tax IDs or other forms of PII.
In total, NIST 800-171 identified 110 security controls that are split into 14 categories. These categories are briefly explained in the list below:
- Access control: Limit access to information to authorized users and/or devices. This includes controls such as CUI encryption, monitoring remote access sessions, terminating user sessions after a certain inactivity period, limiting login attempts and many others.
- Awareness and training: Educate managers, admins and users about information security risks, and explain policies and procedures in place to manage those risks.
- Audit and accountability: Keep secure information system audit records that document systems usage, and ensure that actions can be traced back to specific users to hold them accountable when necessary.
- Configuration management: Establish, maintain and enforce configurations through any information system’s entire lifecycle.
- Identification and authentication: Be able to identify and verify the identities of users, “as a prerequisite to allowing access to organizational information systems.”
- Incident response: Implement, “adequate preparation, detection, analysis, containment, recovery and user response activities”; test incident response capabilities.
- Maintenance: Maintain information systems; Implement requisite controls that verify and govern the behavior of personnel who perform this maintenance.
- Media protection: Securely store information system media containing paper and/or digital CUI; use secure procedures to sanitize and dispose of CUI.
- Personnel security: Screen all personnel who will access information systems containing CUI; revoke that access upon transfer or termination.
- Physical protection: Limit physical access to information systems; protect those systems with physical security controls and monitoring.
- Risk assessment: Perform ongoing risk and vulnerability assessments for information systems that utilize CUI.
- Security assessment: Periodically assess security controls to test their efficacy; replace deficient controls; monitor continuously for effectiveness.
- System and communications protection: Facilitate secure communication between information systems.
- System and information integrity: Monitor information systems to protect against malicious code, report and correct flaws, and respond appropriately to security alerts.
How to Prepare
The list above may seem overwhelming. However, most if not all of NIST 800-171’s basic security controls are mechanisms and practices that all organizations should already have in place through a dedicated security operations center (SOC).
Contrary to the presumption that SOCs are only for large enterprises, small and midsize enterprises have the option to use a SOC-as-a-Service provider. This service provides a fully functional SOC that is staffed with security experts who can ensure NIST 800-171 compliance.
The clock is ticking. Now is the time to make sure you’re ready for NIST 800-171.