Cybersecurity Standards & Protocols: NIST 800-171

December 23, 2020

The latest revision of the National Institute of Standards and Technology’s (NIST) Special Publication 800-171 was fully implemented December 31, 2017. The publication includes standards and guidelines to protect controlled unclassified information (CUI) – potentially sensitive information not regulated by the federal government. Using NIST 800-171, each government agency must follow guidelines for handing CUI. Contractors that work with a federal agency and handle CUI must also comply with NIST 800-171, the only exception being companies that solely produce commercial-off-the-shelf (COTS) products.

NIST 800-171 Security Requirement Families

Security protocols to comply with NIST 800-171 are created by addressing 14 security requirement families:

  1. Access Control – System access is limited to authorized users and transactions.
  2. Awareness and Training – System users are trained on security risks and threat response.
  3. Audit and Accountable – System records are maintained and used to facilitate the monitoring and analyzation of system threats.
  4. Configuration Management – System inventories and baseline configurations are maintained throughout development.
  5. Identification and Authentication – System users are granted access according to varying account privileges.
  6. Incident Response – Processes are established for containing, reporting and recovering from attacks.
  7. Maintenance – System maintenance is routinely performed by authorized personnel.
  8. Media Protection – System media containing CUI is physically controlled and protected.
  9. Physical Protection – Physical access to systems, equipment and operating environments are limited and monitored.
  10. Personnel Security – Personnel are screened prior to gaining access to CUI.
  11. Risk Assessment – Risks to operations, assets and individuals are routinely assessed.
  12. Security Assessment – Security policies and procedures are routinely evaluated for effectiveness and revised.
  13. System and Communications Protection – Communications are continuously monitored, controlled and protected.
  14. System and Information Integrity – System flaws and vulnerabilities are routinely evaluated, reported and corrected.

NIST released a self-assessment handbook to aid contractors in complying with NIST 800-171.

Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity Maturity Model Certification is a new CUI security standard expected to be fully implemented by 2026. Within its five certification levels, the CMMC builds on and includes all NIST 800-171 guidelines as well as other cybersecurity standards and guidelines recognized by the DoD.

Effective November 30, 2020, the Department of Defense published a cybersecurity interim rule requiring defense contractors to upload their NIST 800-171 self-assessments as verification of compliance. In addition, the DoD may conduct its own assessment of contractor systems and facilities if deemed necessary. This rule was implemented as a means of preparing contractors for CMMC requirements and the future of national cybersecurity standards.

Cybersecurity at Sealevel

As part of our industry-leading commitment to customers, Sealevel continually evaluates and revises security practices for our products – both hardware and software – to comply with evolving standards.