The latest revision of the National Institute of Standards and Technology’s (NIST) Special Publication 800-171 was fully implemented December 31, 2017. The publication includes standards and guidelines to protect controlled unclassified information (CUI) – potentially sensitive information not regulated by the federal government. Using NIST 800-171, each government agency must follow guidelines for handing CUI. Contractors that work with a federal agency and handle CUI must also comply with NIST 800-171, the only exception being companies that solely produce commercial-off-the-shelf (COTS) products.
NIST 800-171 Security Requirement Families
Security protocols to comply with NIST 800-171 are created by addressing 14 security requirement families:
- Access Control – System access is limited to authorized users and transactions.
- Awareness and Training – System users are trained on security risks and threat response.
- Audit and Accountable – System records are maintained and used to facilitate the monitoring and analyzation of system threats.
- Configuration Management – System inventories and baseline configurations are maintained throughout development.
- Identification and Authentication – System users are granted access according to varying account privileges.
- Incident Response – Processes are established for containing, reporting and recovering from attacks.
- Maintenance – System maintenance is routinely performed by authorized personnel.
- Media Protection – System media containing CUI is physically controlled and protected.
- Physical Protection – Physical access to systems, equipment and operating environments are limited and monitored.
- Personnel Security – Personnel are screened prior to gaining access to CUI.
- Risk Assessment – Risks to operations, assets and individuals are routinely assessed.
- Security Assessment – Security policies and procedures are routinely evaluated for effectiveness and revised.
- System and Communications Protection – Communications are continuously monitored, controlled and protected.
- System and Information Integrity – System flaws and vulnerabilities are routinely evaluated, reported and corrected.
NIST released a self-assessment handbook to aid contractors in complying with NIST 800-171.
Cybersecurity Maturity Model Certification (CMMC)
Cybersecurity Maturity Model Certification is a new CUI security standard expected to be fully implemented by 2026. Within its five certification levels, the CMMC builds on and includes all NIST 800-171 guidelines as well as other cybersecurity standards and guidelines recognized by the DoD.
Effective November 30, 2020, the Department of Defense published a cybersecurity interim rule requiring defense contractors to upload their NIST 800-171 self-assessments as verification of compliance. In addition, the DoD may conduct its own assessment of contractor systems and facilities if deemed necessary. This rule was implemented as a means of preparing contractors for CMMC requirements and the future of national cybersecurity standards.
Cybersecurity at Sealevel
As part of our industry-leading commitment to customers, Sealevel continually evaluates and revises security practices for our products – both hardware and software – to comply with evolving standards.