NIST SP 800-171
Who is NIST?
The US National Institute of Standards and Technology (NIST) is a federal agency whose mission is to improve economic security and quality of life. It pursues this goal by promoting innovation and industrial competitiveness within the US through advances in science and technology. Its programs include nanoscale science and technology, neutron research, physical measurement, engineering, and information technology. NIST is the organization responsible for publishing NIST SP 800-171.
What is NIST SP 800-171?
Published by NIST in June of 2015, NIST SP 800-171 is a collection of security requirements that a non-federal computer system must meet in order to properly store or process Controlled Unclassified Information (CUI). The requirements followed an executive order passed by President Obama in 2010 that directed all federal agencies to safeguard their CUI and to establish a unified policy for doing so.
The requirements fall into four main categories:
- Implementation of technological and physical security measures
- Controls and processes for managing and protecting CUI
- Monitoring and management of IT systems
- Clear practices and procedures for end-users
NIST SP 800-171 (also commonly just called NIST 800-171) is a subset of NIST SP 800-53. RiskWatch offers both of these content libraries.
You can find the publication here.
Who Does NIST SP 800-171 Apply to?
The controls in NIST SP 800-171 apply to organizations that hold a contract with a federal agency, such as contractors and subcontractors. Examples include manufacturing companies that provide goods to federal agencies, consulting companies that work with federal agencies, and service providers for federal agencies.
Even if you are not required to comply with NIST SP 800-171, for example because you do not work with the government in any way, it is still valuable for your organization to adhere to the listed controls, since they offer sound data security guidelines. By following these controls you reduce the risk of data breaches and insider threats and end up with improved data access policies.
Cybersecurity Requirements for DoD Contractors
The Department of Defense (DoD) is a department of the executive branch of the US federal government that is tasked with overseeing agencies and functions related to national security. The DoD is in charge of the US Armed Forces and remains the largest employer in the world.
The DoD requires any contract that is not for commercially available off-the-shelf items to contain Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. This clause mandates that contractors implement the 110 security controls laid out in the NIST SP 800-171 framework.
If a contractor has not fully implemented all 110 of the NIST SP 800-171 security controls, it does receive some degree of leniency. Contractors are able to submit what is called a "system security plan," which describes both the system architecture and any progress made on implementing the controls. For any controls not completely implemented, the contractor must submit a "Plan of Action and Milestones." This document identifies the anticipated actions and the timeframe for completing all controls.
The DoD has raised the concern that the current process does not sufficiently protect CUI, because contractors are able to self-attest to their compliance with the NIST controls and can win contracts that involve CUI even before all controls are implemented. This concern prompted a new rule to go into effect.
New Cybersecurity Requirements for DoD Contractors
As of November 30, 2020, US Department of Defense contractors and subcontractors are required to complete a cybersecurity self-assessment before they are able to begin work on any contract that exceeds the micro-purchase threshold. This threshold was formerly known as the federal small purchase threshold and is currently set at $10,000.
The goal of the new requirements is to increase the protection of CUI. The new DFARS clause requires contractors to have on file a NIST SP 800-171 Assessment performed within three years of the contract award. A point system, based on the number of controls implemented, allows for more objective certification. There are also assessment levels, which help distinguish the degree of protection a contractor provides.
- At the basic level, self-assessments are allowed for the NIST SP 800-171 evaluation. This is performed entirely without DoD involvement and therefore carries low confidence.
- Medium level assessments involve participation by the DoD, but the assessment is still performed by the contractor. The DoD performs a thorough documentation review afterwards and communicates with the contractor to obtain any additional information required.
- The high level assessment is the most in-depth and builds on the previous level. At this level, DoD personnel verify that all controls have been implemented as described.
Learn more about the rule here.
Starting Your NIST SP 800-171 Assessment
The RiskWatch platform is fully capable of assessing all of the controls listed in the NIST SP 800-171 framework. Completing this assessment helps you improve your cybersecurity posture, and for DoD contractors it counts as the required self-assessment that you must submit to continue work. Take a free trial and select NIST SP 800-171 as your chosen content.