NIST Special Publication 800-171 is directed at non-federal organizations that store, process, or transmit Controlled Unclassified Information (CUI). This includes manufacturers that hold federal contracts directly or as subcontractors, as well as businesses that supply products and services to federal agencies.
Special Publication 800-171 groups its security requirements (110 in total) into fourteen families. In brief, these requirements are:
1. ACCESS CONTROL: Limit information system access to authorized users.
2. AWARENESS AND TRAINING: Ensure that managers and users of organizational information systems are made aware of the security risks and ensure that personnel are adequately trained.
3. AUDIT AND ACCOUNTABILITY: Create and retain information system audit records to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and ensure that the actions of individual users can be uniquely traced to those users so they can be held accountable for their actions.
4. CONFIGURATION MANAGEMENT: Establish baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation); and establish security configuration settings for technology products.
5. IDENTIFICATION AND AUTHENTICATION: Identify information system users and authenticate (or verify) the identities of those users as a prerequisite to allowing access.
6. INCIDENT RESPONSE: Establish an operational incident-handling capability for organizational information systems; and track, document, and report incidents to appropriate authorities.
7. MAINTENANCE: Perform periodic maintenance on organizational information systems; and provide effective controls on the tools and personnel used to conduct maintenance.
8. MEDIA PROTECTION: Protect information system media containing CUI, both paper and digital; and limit access to CUI on information system media to authorized users.
9. PHYSICAL PROTECTION: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
10. PERSONNEL SECURITY: Screen individuals prior to authorizing access to information systems containing CUI.
11. RISK ASSESSMENT: Periodically assess the risk to organizational operations, assets, and individuals resulting from the operation of information systems that process, store, or transmit CUI.
12. SECURITY ASSESSMENT: Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; develop and implement plans of action designed to correct deficiencies.
13. SYSTEM AND COMMUNICATIONS PROTECTION: Monitor, control, and protect organizational communications (i.e., information transmitted or received by information systems) at the external boundaries and key internal boundaries of those systems.
14. SYSTEM AND INFORMATION INTEGRITY: Identify, report, and correct information and information system flaws in a timely manner; and provide protection from malicious code.
While these requirements do not become mandatory until December 2017, many of the organizations we are working with will need time to remediate gaps before they can comply. Remediation commonly takes 12-18 months, so it is important to identify your gaps against the requirements as early as possible, leaving ample time to become compliant without losing the revenue associated with these contracts. Our NIST auditors have the real-world experience to help you find feasible solutions to address your risks.