Cybersecurity Standards & Protocols: NIST 800-171

The latest revision of the National Institute of Standards and Technology’s (NIST) Special Publication 800-171 was fully implemented December 31, 2017. The publication includes standards and guidelines to protect controlled unclassified information (CUI) – potentially sensitive information not regulated by the federal government. Using NIST 800-171, each government agency must follow guidelines for handing CUI. Contractors that work with a federal agency and handle CUI must also comply with NIST 800-171, the only exception being companies that solely produce commercial-off-the-shelf (COTS) products.

NIST 800-171 Security Requirement Families

Security protocols to comply with NIST 800-171 are created by addressing 14 security requirement families:

1. Access Control – System access is limited to authorized users and transactions.
2. Awareness and Training – System users are trained on security risks and threat response.
3. Audit and Accountable – System records are maintained and used to facilitate the monitoring and analyzation of system threats.
4. Configuration Management – System inventories and baseline configurations are maintained throughout development.
5. Identification and Authentication – System users are granted access according to varying account privileges.
6. Incident Response – Processes are established for containing, reporting and recovering from attacks.
7. Maintenance – System maintenance is routinely performed by authorized personnel.
8. Media Protection – System media containing CUI is physically controlled and protected.
9. Physical Protection – Physical access to systems, equipment and operating environments are limited and monitored.
10. Personnel Security – Personnel are screened prior to gaining access to CUI.
11. Risk Assessment – Risks to operations, assets and individuals are routinely assessed.
12. Security Assessment – Security policies and procedures are routinely evaluated for effectiveness and revised.
13. System and Communications Protection – Communications are continuously monitored, controlled and protected.
14. System and Information Integrity – System flaws and vulnerabilities are routinely evaluated, reported and corrected.

NIST released a self-assessment handbook to aid contractors in complying with NIST 800-171.

Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity Maturity Model Certification is a new CUI security standard expected to be fully implemented by 2026. Within its five certification levels, the CMMC builds on and includes all NIST 800-171 guidelines as well as other cybersecurity standards and guidelines recognized by the DoD.

Effective November 30, 2020, the Department of Defense published a cybersecurity interim rule requiring defense contractors to upload their NIST 800-171 self-assessments as verification of compliance. In addition, the DoD may conduct its own assessment of contractor systems and facilities if deemed necessary. This rule was implemented as a means of preparing contractors for CMMC requirements and the future of national cybersecurity standards.

Cybersecurity at Sealevel

As part of our industry-leading commitment to customers, Sealevel continually evaluates and revises security practices for our products – both hardware and software – to comply with evolving standards.