According to data from the Lloyd's insurance marketplace, cyber attacks cost businesses $400 billion every year, and other statistics regularly demonstrate that such attacks are increasing in frequency and sophistication (1).
To address these risks, an Executive Order was signed to hold agencies accountable for managing cybersecurity risks, which reinforced the Federal Information Security Modernization Act (FISMA) of 2014. The risks would be managed by implementing cybersecurity frameworks including the National Institute of Standards and Technology (NIST) SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and SP 800-53, Security and Privacy Controls for Information Systems and Organizations.
These Special Publications contain guidelines and standards that relate to the securing of CUI, or Controlled Unclassified Information. This is information that is unclassified but is not considered suitable for public viewing. It may contain personal information and other sensitive data.
The main difference between the two is that NIST 800-171 relates to non-federal systems and organizations, while NIST 800-53 is for federal organizations.
NIST 800-171 is a special publication outlining the specific requirements all non-federal computer systems must adhere to in order to safeguard CUI that is processed, transmitted or stored through their system.
NIST 800-171 Compliance Requirements
Companies carrying out contract work for the federal government must meet the requirements set out in NIST SP 800-171 in order to demonstrate their ability to protect the circulation of CUI. It is based on the Federal Information Security Management Act and has been in effect since the end of 2017.
Complying with NIST 800-171 requirements requires following administrative regulations describing the steps that must be followed to avoid incidents, such as proactively reporting vulnerabilities, regularly reviewing workflow procedures, and maintaining hardware.
Another aspect of complying with NIST 800-171 is following technical steps for protecting the digital data that a company is storing or transferring across the Internet, including cybersecurity measures and limiting access.
NIST 800-171 Control Families
The security controls for NIST SP 800-171 are organized into 14 families for ease of use. Each family contains requirements pertaining to its general security topic. A brief overview of these families is outlined below.
Access Control
The Access Control family limits system access to authorized users and to the processes and devices acting on their behalf. Organizations must therefore ensure that only the personnel, system processes and accounts that genuinely need access to sensitive information within a system or network are granted access to it.
Awareness and Training
The Awareness and Training control family provides guidance on appropriate security training for the users, managers, and system administrators of an organization. This includes regular cyber security awareness training as well as proper administrative skills.
Audit and Accountability
This category focuses on ensuring that the contractor is fully aware of what CUI is being maintained, where it is being stored, and where and by whom it is handled. It requires contractors to create and retain records and audit logs to facilitate the monitoring and investigation of unauthorized system activity.
Configuration Management
This family of controls requires every component of an IT system to have a configuration dictating the way in which it operates. These configurations should be standardized so that systems and software perform in measurable ways. Hardware, firmware, software and documentation all fall under its purview.
Identification and Authentication
This section outlines the identification and authentication measures that must be used to ensure that only confirmed and approved users are able to access CUI. The controls must be strong enough to resist spoofing and other forms of unauthorized remote access.
Incident Response
Even the most robust security measures cannot prevent every compromise and breach, so this family requires organizations to establish and practice an incident response plan that will allow them to detect, analyze, contain, recover and resume operations should an incident occur.
Maintenance
This category stipulates that the software, hardware and firmware components of IT systems must be kept up to date to address vulnerabilities, ensure smooth operations, and patch any holes that are found. It is crucial for companies to have a detailed plan that outlines the maintenance procedures and the personnel responsible for them.
Media Protection
The Media Protection family contains policies dictating the ways in which physical media is handled, transported and stored, as well as how it is labeled and protected from unauthorized access. It applies to digital and non-digital media, including flash drives, external hard drives, paper and microfilm.
Personnel Security
This family entails ensuring that contractors, vendors and employees are properly vetted, approved and authorized before they are granted access to systems and data.
Physical Protection
The Physical Protection family limits physical access to organizational systems and equipment, along with their operating environments, to authorized parties in order to protect them from theft or damage. This applies to laptops, printers, mobile devices, portable workstations and other physical equipment.
Risk Assessment
This section describes the requirements for evaluating risks to information, systems and personnel on a periodic basis and reviewing control measures to ensure they remain adequate.
Security Assessment
According to this section, the security control measures in organizational systems must be monitored and periodically assessed to verify that they continue to meet their objectives, and refined as needed.
System and Communications Protection
This family contains further measures aimed at monitoring, controlling, and protecting communications from unauthorized exposure at the key internal and external boundaries of organizational systems.
System and Information Integrity
The System and Information Integrity family outlines the requirements for ensuring that systems and their information and data are trustworthy and have not been altered accidentally or maliciously.
As these families illustrate, achieving and maintaining compliance extends beyond IT and involves careful consideration and control of the entire organization.
Implementing NIST SP 800-171 Security Requirements
NIST recommends the following approach to implementing these requirements.
- Examine all of the policy and process requirements to determine how IT needs to be configured in order to meet them. This includes assessing whether any hardware or software needs to be acquired in order to be compliant.
- Determine which of the requirements you can accomplish easily with your in-house IT team and which ones will require outside assistance or further research.
- Develop an action plan, breaking down the steps into milestones to measure achievements and begin implementing the requirements.
Federal institutions and their information systems must adhere to the guidelines outlined in the NIST 800-53 publication. This resource is also used for developing and implementing information technology security protocols in government organizations.
Strict compliance is essential as private corporations working with the government are often directly connected to federal networks, servers and IT systems.
NIST 800-53 Compliance Requirements
NIST 800-53 divides security systems into three main control baseline levels: low, moderate and high. It also outlines 18 control families that help federal agencies to determine the organizational impact and potential risks posed to their systems. It lists security and privacy controls that are aimed at protecting the confidentiality, availability and integrity of a system and its information and managing information security risks.
NIST 800-53 Control Families
Outlined below is a brief look at each of the control families that must be addressed to achieve compliance with NIST 800-53.
Access Control (AC)
The AC control family contains security requirements for system logging, including which users are granted access to which assets. It also addresses the use of system privileges, account management and remote access logging to determine when specific users can access the system as well as their level of access.
Audit and Accountability (AU)
The AU control family focuses on event logging and auditing. This includes the process for monitoring and reviewing the logs, analyzing and reporting, as well as audit retention. Strong practices in this area help companies to monitor for and track potential security breaches.
Awareness and Training (AT)
The control sets found under the AT control family relate to security training and role-based training, along with documentation of training activities.
Configuration Management (CM)
These controls will be specific to the organization’s policies regarding configuration management. They include a baseline configuration to serve as the foundation for future builds as well as information system components, inventories and security impact analysis controls.
Contingency Planning (CP)
Controls that are specific to an organization’s contingency plan for system failures or breaches are found in the CP control family. This includes updating, backups, system reconstitution, training and contingency plan testing.
Identification and Authentication (IA)
The IA controls relate to the policies regarding identifying and authenticating organizational and non-organizational users as well as system management.
Incident Response (IR)
These controls pertain to the organization’s policies and procedures for responding to incidents, along with related reporting, monitoring, testing, response plans and training.
Maintenance (MA)
The MA controls focus on maintaining the organization's systems and tools. This family also outlines controls for authorizing maintenance personnel.
Media Protection (MP)
Controls that are specific to the storage, transport, marking, safe destruction, and access of media fall under the Media Protection control family.
Personnel Security (PS)
Personnel security controls pertain to the way in which an organization protects personnel via screening, termination, sanctions, access agreements, transfers and position risk.
Physical and Environmental Protection (PE)
This control family aims to protect buildings, systems and other supporting infrastructure against physical threats. The controls apply to visitor records, emergency shutoff, physical access authorizations, monitoring, lighting, and protection from fire and water damage.
Planning (PL)
The PL controls are specific to the organization's privacy and system security plans (SSPs). They address factors such as roles and responsibilities, scope, purpose, coordination among entities, management commitment and overall organizational compliance.
Program Management (PM)
The PM control family relates to the management of the organization’s cybersecurity program as well as the way in which it operates. This can include the information security program plan, risk management strategy, critical infrastructure plan, enterprise architecture, and plan of action processes and milestones.
Risk Assessment (RA)
This control family encompasses the organization’s risk assessment policies and vulnerability scanning. It also describes events that could precipitate an update to risk assessment policy and procedures, such as security breaches, regulation changes, and audit findings.
Security Assessment and Authorization (CA)
The CA family contains controls designed to supplement security assessments, continuous monitoring, system interconnections, authorizations, and plans of action and milestones.
System and Communications Protection (SC)
SC controls outline procedures for protecting systems and communications, such as boundary protection, collaborative computing devices, denial of service protection, and cryptographic protection.
System and Information Integrity (SI)
This family contains controls for protecting the integrity of the system and its information, such as malicious code protection, security alerts, spam protection, flaw remediation, information system monitoring, and firmware and software integrity.
System and Services Acquisition (SA)
The SA family consists of controls that protect the organization’s system development lifecycle and allocated resources. This includes development and configuration management controls, developer security testing and evaluation controls, and information system documentation controls.
Reach Out To Vaultes Enterprise Solutions
For professional guidance navigating the complex requirements of NIST 800-171 and NIST 800-53 and preparing for audits, get in touch with the experienced team at Vaultes Enterprise Solutions. Our cybersecurity experts will analyze your current practices, identify potential threats and devise a plan to help your organization mitigate potential risks. We also provide ongoing support to ensure you remain in compliance after the initial audit.