The latest revision of the National Institute of Standards and Technology’s (NIST) Special Publication 800-171 was fully implemented December 31, 2017. The publication includes standards and guidelines to protect controlled unclassified information (CUI) – potentially sensitive information not regulated by the federal government. Using NIST 800-171, each government agency must follow guidelines for handing CUI. Contractors that work with a federal agency and handle CUI must also comply with NIST 800-171, the only exception being companies that solely produce commercial-off-the-shelf (COTS) products.
NIST 800-171 Security Requirement Families
Security protocols to comply with NIST 800-171 are created by addressing 14 security requirement families:
- Access Control – System access is limited to authorized users and transactions.
- Awareness and Training – System users are trained on security risks and threat response.
- Audit and Accountable – System records are maintained and used to facilitate the monitoring and analyzation of system threats.
- Configuration Management – System inventories and baseline configurations are maintained throughout development.
- Identification and Authentication – System users are granted access according to varying account privileges.
- Incident Response – Processes are established for containing, reporting and recovering from attacks.
- Maintenance – System maintenance is routinely performed by authorized personnel.
- Media Protection – System media containing CUI is physically controlled and protected.
- Physical Protection – Physical access to systems, equipment and operating environments are limited and monitored.
- Personnel Security – Personnel are screened prior to gaining access to CUI.
- Risk Assessment – Risks to operations, assets and individuals are routinely assessed.
- Security Assessment – Security policies and procedures are routinely evaluated for effectiveness and revised.
- System and Communications Protection – Communications are continuously monitored, controlled and protected.
- System and Information Integrity – System flaws and vulnerabilities are routinely evaluated, reported and corrected.
NIST released a self-assessment handbook to aid contractors in complying with NIST 800-171.
Cybersecurity Maturity Model Certification (CMMC)
Cybersecurity Maturity Model Certification is a new CUI security standard expected to be fully implemented by 2026. Within its five certification levels, the CMMC builds on and includes all NIST 800-171 guidelines as well as other cybersecurity standards and guidelines recognized by the DoD.
Effective November 30, 2020, the Department of Defense published a cybersecurity interim rule requiring defense contractors to upload their NIST 800-171 self-assessments as verification of compliance. In addition, the DoD may conduct its own assessment of contractor systems and facilities if deemed necessary. This rule was implemented as a means of preparing contractors for CMMC requirements and the future of national cybersecurity standards.
Cybersecurity at Sealevel
Sealevel is in the process of evaluating cybersecurity practices and updating policies to comply with NIST 800-171.