Since the end of 2017, all Department of Defense (DoD) contractors and subcontractors that store or process controlled unclassified information (CUI) are required to comply with the minimum security standards outlined in the Defense Federal Acquisition Regulation Supplement (DFARS). Failure to adhere to DFARS requirements may result in the termination of existing DoD contracts.
DFARS is part of the NIST SP 800-171 standard for “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” In total it has 110 unique security requirements split among 14 broader sections, or “families.”
Considering the volume and specificity of these requirements, any organization contracting or subcontracting with the Defense Department must make sure they have the requisite information security knowledge, expertise, and resources to comply with NIST SP 800-171. Non-compliance, after all, could spell the end of a contractor’s relationship with the DoD.
NIST 800-171 Background
Due to the lack of a consistent framework to handle certain types of information within the federal government, the Obama administration issued Executive Order 13556, which created the National Archives and Records Administration’s Information Security Oversight Office (ISOO). The ISOO was tasked with establishing a standardized set of guidelines for how government agencies handle CUI.
Furthermore, in response to a steady stream of breaches involving federal agencies, the federal government in 2014 amended the Federal Information Security Modernization Act (FISMA). NIST 800-171 is one of the standards designed to help organizations comply with FISMA.
Who Does NIST 800-171 Pertain To?
NIST 800-171 is relevant to most organizations, because CUI refers broadly to information that does not have a “classified” designation but is considered to be “sensitive” in nature. This may include health records and other types of personally identifiable information (PII), legal documents, trade information, employment papers, and other similar materials.
In this way, NIST 800-171 impacts wide swaths of organizations, including any business that handles Social Security numbers, tax IDs, or other forms of PII.
What Are the NIST 800-171 Categories?
NIST 800-171 includes 110 security controls split into 14 categories:
1. Access Control
Limit access to information to authorized users and/or devices. This includes controls such as CUI encryption, monitoring remote access sessions, terminating user sessions after a certain period of inactivity, limiting login attempts, and others.
2. Awareness and Training
Educate managers, admins, and users about information security risks, and explain policies and procedures in place to manage those risks.
3. Audit and Accountability
Keep secure information system audit records that document systems usage, and ensure that actions can be traced back to specific users to hold them accountable when necessary.
4. Configuration Management
Establish, maintain, and enforce configurations through any information system’s entire lifecycle.
5. Identification and Authentication
Be able to identify and verify the identities of users as a prerequisite to allowing access to organizational information systems.
6. Incident Response
Test incident response capabilities and implement adequate preparation, detection, analysis, containment, recovery, and user response activities.
7. Maintenance
Maintain information systems and implement requisite controls that verify and govern the behavior of personnel who perform this maintenance.
8. Media Protection
Securely store information system media containing paper and/or digital CUI, and use secure procedures to sanitize and dispose of CUI.
9. Personnel Security
Screen all personnel who will access information systems containing CUI, and revoke that access upon transfer or termination.
10. Physical Protection
Limit physical access to information systems, and protect those systems with physical security controls and monitoring.
11. Risk Assessment
Perform ongoing risk and vulnerability assessments for information systems that use CUI.
12. Security Assessment
Periodically assess security controls to test their efficacy, replace deficient controls, and monitor continuously for effectiveness.
13. System and Communications Protection
Facilitate secure communication between information systems.
14. System and Information Integrity
Monitor information systems to protect against malicious code, report and correct flaws, and respond appropriately to security alerts.
NIST 800-171 Security Controls
DoD contractors must put in place all 110 security controls to comply with NIST 800-171. However, most of these are standard practices that organizations should already have implemented.
Nonetheless, there are specific clauses and requirements that DoD contractors will likely need the most help to manage, especially if they don’t have an internal security operations center (SOC).
A managed provider of security operations solutions can help contractors comply with all of the requirements of NIST 800-171, and especially the following:
Access control (Section 3.1)
Compliance hinges on the ability to grant or deny permissions to access and/or use information. This includes limiting an authorized user to approved transactions and functions, controlling the flow of CUI according to approved authorizations, and separating duties to mitigate the risk of malicious activity.
Audit and accountability (Section 3.3)
Tracking, reviewing, and examining adherence to system requirements supports the audit of user activity and improves accountability. Organizations should create and retain system audit logs to facilitate the monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity.
Identification and authentication (Section 3.5)
Organizations must manage user identities and adequately authenticate those identities for use with information/processes. This is the prerequisite to granting access to systems.
Incident response (Section 3.6)
Establishing well-tested incident-handling processes (e.g., threat detection, analysis, response, recovery) for organization information systems is a requirement. This includes the mechanisms to track, document, and report internal and external incidents to officials and/or authorities.
Risk assessment (Section 3.11)
Periodically assessing risks to information systems and data to effectively track and manage organizational risk is required. This includes periodic scanning for vulnerabilities and remediating vulnerabilities according to their risk.
Security assessment (Section 3.12)
Organizations should periodically assess their security controls to determine their effectiveness. The findings should then steer a plan of action to address any deficiencies, with the goal of reducing or eliminating system vulnerabilities.
System and communication protection (Section 3.13)
Compliance requires the ability to monitor, control, and protect organizational communications. Furthermore, architectural designs, software development, and systems engineering should help promote effective information security.
System and information integrity (Section 3.14)
The standard requires organizations to monitor all information and communication systems for indicators of threatening traffic and/or activity. This includes the need to perform periodic scans of systems and real-time scans of files from external sources for malicious code.
How to Comply with NIST 800-171 Standards
All DoD contractors are expected to abide by the above requirements where applicable. That said, NIST 800-171 recognizes that smaller organizations will have varying operational circumstances and need to “apply the security requirements to meet their situation.”
The “NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements” also acknowledges that not all organizations can adhere to all requirements without assistance: “Small manufacturers may not have the necessary organizational structure or resources to satisfy every security requirement. It is perfectly acceptable to implement alternative, but equally effective, security measures to satisfy a security requirement.”
What’s crucial, though, is that every DoD contractor or subcontractor understands its operational environment with enough depth to:
- Determine which requirements apply to their situation.
- Know which actions to take, solutions to deploy, and processes to implement in order to comply with those requirements.
This isn’t exactly easy, particularly for infosec-heavy requirements. Many organizations lack in-house cybersecurity expertise and are starved for the technical resources that enable functions such as continuous threat monitoring of IT and communication systems. This speaks to two larger truths about NIST SP 800-171:
- Organizations shouldn’t attempt to address their requirements without support from a suitably qualified partner—a single oversight could end their line of business with the DoD.
- Neither should organizations rely on ad-hoc implementation of point solutions, or the assistance of MSSPs that don’t fully understand their organization’s workflows. The former is entirely ineffective, and the latter is not equipped with the expertise or context needed to help contractors and sub-contractors cost-effectively cover all bases to comply with NIST 800-171.