
How to Prepare for NIST 800-171

On Dec. 31, 2017, all nonfederal entities (government contractors, employers, universities, etc.) that store controlled unclassified information (CUI) had to begin complying with the security requirements set out in NIST 800-171.

Background on NIST 800-171

On Nov. 4, 2010, the Obama administration issued Executive Order 13556, which created the National Archives and Records Administration’s Information Security Oversight Office (ISOO). The ISOO was tasked with establishing a standardized set of guidelines for how government agencies handle CUI.

“NIST 800-171 impacts most organizations.”

For context, CUI refers broadly to information that does not have a “classified” designation but is considered to be “sensitive” in nature. This may include health records and other types of personally identifiable information (PII), legal documents, trade information, employment papers and other similar materials.

In this way, NIST 800-171 impacts wide swaths of organizations, including any business that handles Social Security numbers, tax IDs or other forms of PII.

Security Controls

In total, NIST 800-171 identifies 110 security controls, split into 14 categories. Each category is briefly explained in the list below:

1. Access Control

Limit access to information to authorized users and/or devices. This includes controls such as CUI encryption, monitoring remote access sessions, terminating user sessions after a certain inactivity period, limiting login attempts and many others.

2. Awareness and Training

Educate managers, admins and users about information security risks, and explain policies and procedures in place to manage those risks.

3. Audit and Accountability

Keep secure information system audit records that document systems usage, and ensure that actions can be traced back to specific users to hold them accountable when necessary.

4. Configuration Management

Establish, maintain and enforce configurations through any information system’s entire lifecycle.

5. Identification and Authentication

Be able to identify and verify the identities of users, “as a prerequisite to allowing access to organizational information systems.”

6. Incident Response

Implement “adequate preparation, detection, analysis, containment, recovery and user response activities”; test incident response capabilities.

7. Maintenance

Maintain information systems; implement the requisite controls that verify and govern the behavior of personnel who perform this maintenance.

8. Media Protection

Securely store information system media, both paper and digital, that contains CUI; use secure procedures to sanitize and dispose of CUI.

9. Personnel Security

Screen all personnel who will access information systems containing CUI; revoke that access upon transfer or termination.

10. Physical Protection

Limit physical access to information systems; protect those systems with physical security controls and monitoring.

11. Risk Assessment

Perform ongoing risk and vulnerability assessments for information systems that process or store CUI.

12. Security Assessment

Periodically assess security controls to test their efficacy; replace deficient controls; monitor continuously for effectiveness.

13. System and Communications Protection

Facilitate secure communication between information systems.

14. System and Information Integrity

Monitor information systems to protect against malicious code, report and correct flaws, and respond appropriately to security alerts.

How to Prepare for NIST 800-171

The list above may seem overwhelming. However, most if not all of NIST 800-171’s basic security controls are mechanisms and practices that all organizations should already have in place through a dedicated security operations center (SOC).

Contrary to the presumption that SOCs are only for large enterprises, small and midsize enterprises have the option to use a SOC-as-a-Service provider. This service provides a fully functional SOC that is staffed with security experts who can ensure NIST 800-171 compliance.
