On Dec. 31, 2017, all nonfederal entities (government contractors, employers, universities, etc.) that store controlled unclassified information (CUI) had to start abiding by certain security requirements.
Background on NIST 800-171
On Nov. 4, 2010, the Obama administration issued Executive Order 13556, which created the National Archives and Records Administration’s Information Security Oversight Office (ISOO). The ISOO was tasked with establishing a standardized set of guidelines for how government agencies handle CUI.
For context, CUI refers broadly to information that does not have a “classified” designation but is considered to be “sensitive” in nature. This may include health records and other types of personally identifiable information (PII), legal documents, trade information, employment papers and other similar materials.
In this way, NIST 800-171 impacts wide swaths of organizations, including any business that handles Social Security numbers, tax IDs or other forms of PII.
In total, NIST 800-171 identified 110 security controls that are split into 14 categories. These categories are briefly explained in the list below:
1. Access Control
Limit access to information to authorized users and/or devices. This includes controls such as CUI encryption, monitoring remote access sessions, terminating user sessions after a certain inactivity period, limiting login attempts and many others.
2. Awareness and Training
Educate managers, admins and users about information security risks, and explain policies and procedures in place to manage those risks.
3. Audit and Accountability
Keep secure information system audit records that document systems usage, and ensure that actions can be traced back to specific users to hold them accountable when necessary.
4. Configuration Management
Establish, maintain and enforce configurations through any information system’s entire lifecycle.
5. Identification and Authentication
Be able to identify and verify the identities of users, “as a prerequisite to allowing access to organizational information systems.”
6. Incident Response
Implement “adequate preparation, detection, analysis, containment, recovery and user response activities”; test incident response capabilities.
7. Maintenance
Maintain information systems; implement requisite controls that verify and govern the behavior of personnel who perform this maintenance.
8. Media Protection
Securely store information system media containing paper and/or digital CUI; use secure procedures to sanitize and dispose of CUI.
9. Personnel Security
Screen all personnel who will access information systems containing CUI; revoke that access upon transfer or termination.
10. Physical Protection
Limit physical access to information systems; protect those systems with physical security controls and monitoring.
11. Risk Assessment
Perform ongoing risk and vulnerability assessments for information systems that utilize CUI.
12. Security Assessment
Periodically assess security controls to test their efficacy; replace deficient controls; monitor continuously for effectiveness.
13. System and Communications Protection
Facilitate secure communication between information systems.
14. System and Information Integrity
Monitor information systems to protect against malicious code, report and correct flaws, and respond appropriately to security alerts.
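Three of the mechanisms named in the list above (limiting login attempts, terminating idle sessions under Access Control, and tracing each action to a specific user under Audit and Accountability) are small enough to show end to end. The following is an added example written for this page, not code from the article or from NIST; the thresholds (three failures, a 15-minute lockout, a 10-minute idle limit) and the `AccessController` class are assumed values chosen for illustration, not figures taken from the standard. Time is passed in explicitly so the behavior can be checked deterministically.

```python
"""Illustration of login-attempt limiting, idle-session termination and
per-user audit records. Example code for this page; thresholds are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_FAILED_LOGINS = 3        # assumed: lock the account after 3 bad passwords
LOCKOUT_SECONDS = 15 * 60    # assumed: 15-minute lockout
IDLE_TIMEOUT_SECONDS = 10 * 60  # assumed: terminate sessions idle for 10 minutes


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the example never stores a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_logins: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


@dataclass
class Session:
    username: str
    last_activity: float


@dataclass
class AccessController:
    accounts: Dict[str, Account]
    sessions: Dict[str, Session] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def _audit(self, now: float, user: str, event: str, detail: str = "") -> None:
        # Every record carries the user name so the action is traceable to a person.
        self.audit_log.append({"time": now, "user": user, "event": event, "detail": detail})

    def login(self, username: str, password: str, now: float) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None:
            self._audit(now, username, "LOGIN_FAIL", "unknown user")
            return None
        if now < acct.locked_until:
            self._audit(now, username, "LOGIN_REJECTED", "account locked")
            return None
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_logins = 0
                self._audit(now, username, "ACCOUNT_LOCKED", f"{MAX_FAILED_LOGINS} failures")
            else:
                self._audit(now, username, "LOGIN_FAIL", "bad password")
            return None
        acct.failed_logins = 0
        token = os.urandom(16).hex()      # random session identifier
        self.sessions[token] = Session(username, now)
        self._audit(now, username, "LOGIN_OK")
        return token

    def act(self, token: str, action: str, now: float) -> bool:
        """Perform an action on behalf of a session; False if it has expired."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        if now - sess.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            self._audit(now, sess.username, "SESSION_TERMINATED", "inactivity")
            return False
        sess.last_activity = now
        self._audit(now, sess.username, action)
        return True


def build_demo_controller() -> AccessController:
    # Constructed sample account; the password is only for this demonstration.
    salt = os.urandom(16)
    alice = Account("alice", salt, hash_password("correct-horse", salt))
    return AccessController(accounts={"alice": alice})


if __name__ == "__main__":
    ac = build_demo_controller()
    for t in (0.0, 1.0, 2.0):
        ac.login("alice", "wrong", t)             # third failure locks the account
    ac.login("alice", "correct-horse", 3.0)       # rejected while locked
    tok = ac.login("alice", "correct-horse", 1000.0)
    ac.act(tok, "READ_CUI_RECORD", 1100.0)
    ac.act(tok, "READ_CUI_RECORD", 1100.0 + IDLE_TIMEOUT_SECONDS + 1)  # idle, terminated
    for rec in ac.audit_log:
        print(rec)
```

The audit log is the piece auditors ask for: each entry names the user, the event and the time, so a lockout or an idle termination can be reconstructed later without guessing who was at the keyboard.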
The list above may seem overwhelming. However, most, if not all, of NIST 800-171’s basic security controls are mechanisms and practices that every organization should already have in place through a dedicated security operations center (SOC).
Contrary to the presumption that SOCs are only for large enterprises, small and midsize enterprises have the option to use a SOC-as-a-Service provider. This service provides a fully functional SOC that is staffed with security experts who can ensure NIST 800-171 compliance.