NIST 800-171: Who Needs To Comply?
The National Institute of Standards and Technology Special Publication 800-171 outlines the standards by which unclassified government data must be handled by contractors and their supply chain. The National Institute of Standards and Technology is a federal physical sciences laboratory and an agency of the Department of Commerce whose purpose is to promote American innovation.
Any company that acts as a contractor for a federal agency, or that is part of a federal contractor's supply chain, may need to comply with NIST 800-171. Unlike CMMC compliance, which requires a certification for higher levels of sensitive or classified information, compliance with NIST 800-171 does not require audits or certification.
CMMC certification is also available at the lower levels for organizations that want to demonstrate compliance with the standards. The information that falls under NIST 800-171 is called Controlled Unclassified Information (CUI). It may include schematics, personnel records, contractor details, and other information that carries no classification but could still be used in industrial and other forms of espionage.
What Does NIST 800-171 Include?
There are 14 areas of requirements that outline compliance with the NIST 800-171 standards. Each can be framed as a question:
- Access Control: Who can view this data?
- Awareness and Training: How are people trained to use the data?
- Audit and Accountability: What access records are kept and how are violators identified?
- Configuration Management: How are the network and safety protocols handled and documented?
- Identification and Authentication: How do users identify themselves when logging into the system and accessing the information?
- Incident Response: What processes are used in a breach?
- Maintenance: When and how often does maintenance happen? Can other users access the system during maintenance?
- Media Protection: How are backups stored and who can access those backups? Are physical copies accessible?
- Physical Protection: Who has physical access to the system and storage?
- Personnel Security: What employee screening processes are in place before granting access to the system?
- Risk Assessment: How is the system tested and risks determined?
- Security Assessment: How often are protocols evaluated and reassessed?
- System and Communications Protection: How is data transmitted, and how are security protocols monitored?
- System and Information Integrity: How effective are the systems and security personnel at detecting, identifying, and repelling threats?
Why Is Compliance with NIST 800-171 Important?
NIST protocols ensure that Controlled Unclassified Information is protected by uniform standards and that everyone who handles that data follows them. If a contractor or an organization within the supply chain does not comply with NIST 800-171, it may lose its contracts with government organizations or damage those relationships. Compliance has other benefits as well, such as safeguarding proprietary company data and other private information that would be of interest to an attacker in a data breach.
How Does Your Business Become Compliant?
Existing government and contractor relationships may already have made businesses aware that they hold Controlled Unclassified Information, but any business with government or supply chain relationships should seek NIST compliance. If your business takes all the steps required to comply with NIST 800-171, it can attest to that compliance itself, and that is all that is needed. This process can take less than a year but may require upgrades or changes to your systems. A NIST 800-171 scoring tool may help your company identify where its processes and systems need to be updated.
Achieving and maintaining NIST compliance can be difficult for smaller organizations and businesses. Your organization may want to consider hiring a compliance expert who will guide you through both the implementation of the standards and continued compliance.
With the increasing complexity of compliance requirements, the spotlight on data sensitivity such as CUI, and the seriousness of potential security breaches, it has become increasingly important to protect data in any organization. By complying with NIST 800-171, your organization can protect sensitive information and maintain positive relationships with government agencies.