Like many industries, the federal government and the Department of Defense (DoD) are more digital, more dispersed, and work with more third parties than ever before. This shift means that information the departments deal with, referred to as controlled unclassified information, needs to be protected due to its high value.
Enter “Safeguarding covered defense information and cyber incident reporting,” which is part of the Defense Federal Acquisition Regulation Supplement (DFARS) requirements. These regulations outline how contractors and subcontractors must handle this information, as well as cyber incident reporting. The specific requirements are referred to as NIST 800-171.
While complicated, it’s critical that contractors follow these compliance regulations, both for continued business with the DoD and for the safety of the information they work with.
What Is NIST 800-171?
A regulation that applies to any entity contracting or subcontracting with the DoD, NIST 800-171 is intended to protect CUI through minimum security standards.
It was published in 2015 by the National Institute of Standards and Technology (NIST). This US government agency has released multiple standards and publications intended to strengthen cybersecurity for both public and private entities.
The regulation states that all contractors and subcontractors must follow DFARS. Failure to adhere to DFARS requirements may result in the termination of existing DoD contracts and could end the contractor’s relationship with the DoD altogether. DFARS is part of the NIST SP 800-171 standard for “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” In total, the standard has 110 unique security requirements split among 14 broader sections, or “families.”
Who Does NIST 800-171 Pertain To?
NIST 800-171 is relevant to most organizations, because CUI refers broadly to information that does not have a “classified” designation but is “sensitive” in nature. This may include health records and other types of personally identifiable information (PII), legal documents, trade information, employment papers, and other similar materials.
In this way, NIST 800-171 impacts wide swaths of organizations, including any business that handles Social Security numbers, tax IDs, or other forms of PII.
What Are the NIST 800-171 Categories?
NIST 800-171 includes 110 security controls split into 14 categories:
1. Access Control
Limit access to information to authorized users and/or devices. This includes controls such as CUI encryption, monitoring remote access sessions, terminating user sessions after a certain period of inactivity, limiting login attempts, and others.
2. Awareness and Training
Educate managers, admins, and users about information security risks, and explain policies and procedures in place to manage those risks.
3. Audit and Accountability
Keep secure information system audit records that document systems usage, and ensure that actions can be traced back to specific users to hold them accountable when necessary.
4. Configuration Management
Establish, maintain, and enforce configurations through any information system’s entire lifecycle.
5. Identification and Authentication
Be able to identify and verify the identities of users as a prerequisite to allowing access to organizational information systems.
6. Incident Response
Test incident response capabilities and implement adequate preparation, detection, analysis, containment, recovery, and user response activities.
7. Maintenance
Maintain information systems and implement requisite controls that verify and govern the behavior of personnel who perform this maintenance.
8. Media Protection
Securely store information system media containing paper and/or digital CUI, and use secure procedures to sanitize and dispose of CUI.
9. Personnel Security
Screen all personnel who will access information systems containing CUI, and revoke that access upon transfer or termination.
10. Physical Protection
Limit physical access to information systems, and protect those systems with physical security controls and monitoring.
11. Risk Assessment
Perform ongoing risk and vulnerability assessments for information systems that use CUI.
12. Security Assessment
Periodically assess security controls to test their efficacy, replace deficient controls, and monitor continuously for effectiveness.
13. System and Communications Protection
Facilitate secure communication between information systems.
14. System and Information Integrity
Monitor information systems to protect against malicious code, report and correct flaws, and respond appropriately to security alerts.
NIST 800-171 Security Controls
DoD contractors must put in place all 110 security controls to comply with NIST 800-171. However, most of these are standard practices that organizations should already have implemented.
Nonetheless, there are specific clauses and requirements that DoD contractors will likely need the most help to manage, especially if you don’t have an internal security operations center (SOC).
A managed provider of security operations solutions can help comply with all of the requirements of NIST 800-171, and especially the following:
Access control (Section 3.1)
Compliance hinges on the ability to grant or deny permissions to access and/or use information. This includes limiting an authorized user to approved transactions and functions, controlling the flow of CUI according to approved authorizations, and separating duties to mitigate the risk of malicious activity.
Audit and accountability (Section 3.3)
Tracking, reviewing, and examining adherence to system requirements supports the audit of user activity and improves accountability. Organizations should create and retain system audit logs to facilitate the monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity.
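The access-control paragraph (Section 3.1) and the audit-and-accountability paragraph (Section 3.3) describe what the controls must achieve but not what they look like in code. The following is an added example, not from the article or any NIST publication, showing how a small application might enforce login-attempt limiting, idle-session termination, and per-user approval of functions, while writing an audit record for every decision so that each action can be traced back to a user. The thresholds, usernames, function names and the `FakeClock` helper are assumptions chosen for illustration; the record format is constructed and not a NIST-mandated schema.

```python
"""Constructed example (not from the article): a small access controller that
enforces login-attempt limiting, idle-session termination and per-user function
authorization, and writes an audit record for every decision it makes."""
import hashlib
import hmac
import secrets
import time

MAX_FAILED_ATTEMPTS = 5          # assumed policy: lock after this many failures
LOCKOUT_SECONDS = 15 * 60        # assumed policy: how long a lockout lasts
IDLE_TIMEOUT_SECONDS = 10 * 60   # assumed policy: terminate sessions idle this long
PBKDF2_ROUNDS = 100_000          # work factor for stored password verifiers


def make_credential(password):
    """Return (salt, derived key); the verifier is stored, never the password."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


class FakeClock:
    """Deterministic clock so lockout and idle timeouts can be exercised offline."""
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AccessController:
    def __init__(self, credentials, permissions, clock=time.time):
        self._credentials = credentials   # username -> (salt, key)
        self._permissions = permissions   # username -> set of approved functions
        self._clock = clock               # injectable for testing
        self._failures = {}               # username -> [count, time of last failure]
        self._sessions = {}               # token -> [username, last activity time]
        self.audit_log = []               # one record per decision (accountability)

    def _audit(self, event, user, outcome, **detail):
        self.audit_log.append({"ts": self._clock(), "event": event,
                               "user": user, "outcome": outcome, **detail})

    def login(self, user, password):
        """Return a session token, or None if the attempt is denied."""
        now = self._clock()
        count, last = self._failures.get(user, [0, 0.0])
        if count >= MAX_FAILED_ATTEMPTS and now - last < LOCKOUT_SECONDS:
            self._audit("login", user, "denied", reason="account locked")
            return None
        if count >= MAX_FAILED_ATTEMPTS:          # lockout has expired
            self._failures.pop(user, None)
            count = 0
        cred = self._credentials.get(user)
        if cred is None:
            ok = False                            # unknown user still counts as a failure
        else:
            salt, key = cred
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
            ok = hmac.compare_digest(candidate, key)   # constant-time comparison
        if not ok:
            self._failures[user] = [count + 1, now]
            self._audit("login", user, "denied", reason="bad credentials", failures=count + 1)
            return None
        self._failures.pop(user, None)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = [user, now]
        self._audit("login", user, "allowed")
        return token

    def perform(self, token, function):
        """Authorize one function call for the session; True if allowed."""
        now = self._clock()
        session = self._sessions.get(token)
        if session is None:
            self._audit("perform", None, "denied", function=function, reason="no session")
            return False
        user, last_activity = session
        if now - last_activity > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]             # terminate the idle session
            self._audit("session", user, "terminated", reason="idle timeout")
            self._audit("perform", user, "denied", function=function,
                        reason="session terminated")
            return False
        session[1] = now                          # record activity
        if function not in self._permissions.get(user, set()):
            self._audit("perform", user, "denied", function=function, reason="not approved")
            return False
        self._audit("perform", user, "allowed", function=function)
        return True
```

Every denial and allowance lands in `audit_log` with the acting user, so the log can later be reviewed to reconstruct who did what. In a real deployment the records would go to write-protected, centrally retained storage rather than an in-memory list, and the thresholds would come from the organization’s documented policy.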
Identification and authentication (Section 3.5)
Organizations must manage user identities and adequately authenticate those identities for use with information/processes. This is the prerequisite to granting access to systems.
Incident response (Section 3.6)
Establishing well-tested incident-handling processes (e.g., threat detection, analysis, response, recovery) for organization information systems is a requirement. This includes the mechanisms to track, document, and report internal and external incidents to officials and/or authorities.
Risk assessment (Section 3.11)
Periodically assessing risks to information systems and data to effectively track and manage organizational risk is required. This includes periodic scanning for vulnerabilities and remediating vulnerabilities according to their risk.
Security assessment (Section 3.12)
Organizations should periodically assess their security controls to determine their effectiveness. The findings should then steer a plan of action to address such deficiencies, with the goal of reducing or eliminating system vulnerabilities.
System and communication protection (Section 3.13)
Compliance requires the ability to monitor, control, and protect organizational communications. Furthermore, architectural designs, software development, and systems engineering should help promote effective information security.
System and information integrity (Section 3.14)
The standard requires organizations to monitor all information and communication systems for indicators of threatening traffic and/or activity. This includes the need to perform periodic scans of systems and real-time scans of files from external sources for malicious code.
How to Comply with NIST 800-171 Standards
All DoD contractors are expected to abide by the above requirements where applicable. That said, NIST 800-171 recognizes that smaller organizations will have varying operational circumstances and need to “apply the security requirements to meet their situation.”
The “NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements” also acknowledges that not all organizations can adhere to all requirements without assistance: “Small manufacturers may not have the necessary organizational structure or resources to satisfy every security requirement. It is perfectly acceptable to implement alternative, but equally effective, security measures to satisfy a security requirement.”
What’s crucial, though, is that every DoD contractor or subcontractor understands its operational environment with enough depth to:
- Determine which requirements apply to their situation.
- Know which actions to take, solutions to deploy, and processes to implement in order to comply with those requirements.
This isn’t exactly easy, particularly for infosec-heavy requirements. Many organizations lack in-house cybersecurity expertise and are starved for the technical resources that enable functions such as continuous threat monitoring of IT and communication systems. This speaks to two larger truths about NIST SP 800-171:
- Organizations shouldn’t attempt to address their requirements without support from a suitably qualified partner—a single oversight could end their line of business with the DoD.
- Neither should organizations rely on ad-hoc implementation of point solutions, or the assistance of MSSPs that don’t fully understand their organization’s workflows. The former is entirely ineffective, and the latter is not equipped with the expertise or context needed to help contractors and subcontractors cost-effectively cover all bases to comply with NIST 800-171.
The compliance environment continually evolves. To make sure you’re up to date on the latest developments, including DFARS, visit our compliance page for regulations across a variety of industries.