NIST 800-171 refers to National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. The current DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is required in all DoD contracts (except commercial-off-the-shelf or COTS).

DoD contractors are required to “self certify” all “covered contractor information systems,” which are generally those that store, process, generate, transmit or access DoD-related controlled unclassified information (CUI), which DoD terms “covered defense information.”

The DFARS clause 252.204-7020 designates the NIST 800-171 DoD Assessment Methodology to address perceived flaws in this self-certification process.

The NIST 800-171 Methodology involves three levels – Basic, Medium, and High – which reflect the level of confidence DoD has in the assessment, and it uses a scoring methodology that takes into account how many of the 110 NIST SP 800-171 controls a contractor has fully implemented.

Who must be NIST 800-171 compliant?

Any contractor (including subcontractors) doing business with the DoD that processes, stores, or transmits CUI.


Consequences of not complying with NIST 800-171 security requirements

If a DoD contractor does not complete a NIST SP 800-171 assessment, they may be removed from consideration in DoD procurements. Furthermore, subcontractors may be removed from consideration for prime contractors’ teams.

Does NIST compliance apply to subcontractors?

Yes. Defense Industrial Base (DIB) DoD contractors must flow down these requirements to all subcontracts (except those for COTS items). A contractor may not award a subcontract unless the subcontractor has a current assessment in the SPRS. Because contractors only have access to their own assessment information, prime contractors may need to rely on subcontractors’ certifications as proof of NIST 800-171 compliance.

How to comply with NIST 800-171 framework

Conduct a NIST SP 800-171 self-assessment either internally by the company or via a service provider.

How long does a NIST assessment take

These assessments vary in length depending on multiple factors, including, but not limited to:


Amount and type of CUI used, and where the systems using it are located.


Maturity of the company’s security infrastructure.


Availability of existing security infrastructure data, policies, and procedures.

Basic Assessments

NIST 800-171 assessments may be conducted at one of three levels:

  1. Basic
  2. Medium
  3. High

Basic Assessments will be required in new contract actions, including option exercises, after November 30, 2020. The Basic Assessment results in a confidence level of “Low” because it is a self-generated score. After a contract is awarded, DoD may choose to conduct a Medium or High Assessment of a contractor “based on the criticality of the program or the sensitivity of the information being handled by the contractor.”

A Basic Assessment is a self-assessment by federal contractors using the NIST 800-171 DoD Assessment Methodology. A company that has fully implemented all 110 NIST SP 800-171 security requirements would receive a score of 110 to report in the SPRS for its Basic Assessment. Within 30 days of conducting the Basic Assessment, contractors must provide via SPRS their summary level score and the date when the contractor will address any gaps in the 110 requirements.

NIST 800-171 Framework

1. Access Control

Access Control defines the ability to make use of any system resource. Who has the authorization to view this data?

2. Awareness and Training

Awareness and Training shows system users their security responsibilities and provides continuous education around correct security practices. The training helps change users’ behavior. It also supports individual accountability, which is one of the most important ways to improve information security and prevent a data breach. Without knowing the necessary security measures or how to use them, users cannot be truly accountable for their actions. The purpose of information security awareness, training, and education is to enhance cybersecurity compliance by educating users on best practices.

3. Audit and Accountability

Audit and Accountability assesses the adequacy of cybersecurity requirements and ensures compliance with established policies and operational procedures. An audit trail is a way of recording the individuals who have accessed a system and the operations each user has performed during a given period. Audit trails are helpful because they maintain a record of both system activity and user activity on systems and applications. Examples of audit and accountability requirements include audit events, time stamps, nonrepudiation, protection of audit information, audit record retention, and session audit. Companies should create, protect, and retain system audit records to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity, and ensure that the actions of users can be uniquely traced to those users so they can be held accountable.

4. Configuration management

Configuration management focuses on the integrity of information technology systems through the control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the System Development Life Cycle (SDLC). It establishes the development and implementation of a system to include security, and sets out a path for governance of any changes through a change control board.

5. Identification

Identification is the means of verifying the identity of a user, process, or device, typically as a prerequisite for granting access to resources in a system. Both identification and authentication provide a technical structure that prevents unauthorized individuals or processes from entering a system. This is critical as it provides the basis for access control and for establishing user accountability. Authentication may be established in a variety of ways, such as passwords, biometrics, and physical tokens (e.g., an ID card).

6. Incident Response

Incident Response defines how an organization responds in a coordinated manner to a cyber attack. Planning for incidents closely resembles contingency planning focused on reacting quickly to disruptive events. Incident response for cybersecurity incidents and breaches is very broad in scope and should be tailored to the appropriate level of potential disruption.

7. Maintenance

Maintenance is developing processes and procedures to ensure a system and/or infrastructure operates in good working order.

8. Media protection

Media protection involves the defense of system media, such as external/removable hard disk drives, flash drives, compact disks, and digital video disks. These protections should focus on restricting access to the appropriate authorized levels. This also includes physically controlling system media and ensuring accountability, as well as restricting mobile devices capable of storing and carrying information into or outside of restricted areas.

9. Physical Security

Physical Security relates to the physical and environmental security measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.

10. Personnel Security

Personnel Security involves users, designers, implementers, and managers. It defines how these individuals interact with the system and the level of access they need to do their jobs. That level of access directly impacts the system’s security posture. The focus is to minimize the risk that staff (permanent, temporary, or contractor) pose to company assets through the malicious use or exploitation of their legitimate access to the company’s resources.

11. Risk Assessment

A risk assessment identifies how vulnerabilities may compromise the confidentiality, integrity, or availability of the information being processed, stored, or transmitted by those systems. These assessments should inform company decision-makers and support risk responses by identifying relevant threats to organizations or threats directed through organizations against other organizations, vulnerabilities both internal and external to organizations, impact (i.e., harm) to the company that may occur given the potential for threats exploiting vulnerabilities, and the likelihood that harm will occur.

12. Security assessment

Security assessment focuses on the testing and/or evaluation of the management, operational, and technical security requirements on a system. It is designed to identify if the security structure is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. This protection provides an array of safeguards for the system. Some of the requirements in this family address the confidentiality of information at rest and in transit. Providing this type of protection prevents the presentation of system management-related functionality on an interface for non-privileged users.

13. System and communications protection

System and communications protection also establishes boundaries that restrict access to publicly accessible information within a system. Using boundary protections, a company can monitor and control communications at external boundaries as well as key internal boundaries within the system. Examples of system and communication protection requirements include application partitioning, denial of service protection, boundary protection, trusted path, mobile code, session authenticity, thin nodes, honeypots, transmission confidentiality and integrity, operations security, protection of information at rest and in transit, and usage restrictions. These requirements focus on guarding against improper information modification or destruction and include ensuring information nonrepudiation and authenticity. At its core, this family focuses on ensuring that data can only be accessed or modified by the authorized employees.

14. System and Information Integrity

At its core, System and Information Integrity focuses on preventing improper information modification or destruction. This also includes ensuring information authenticity. Successful system and information integrity lies in ensuring that data can only be accessed or modified by authorized employees. In doing so, an organization is provided assurance that the information being accessed has not been impacted or damaged by an error in the system. Some notable examples include flaw remediation, malicious code protection, security function verification, information input validation, error handling, non-persistence, and memory protection.

When did NIST take effect?

On September 29, 2020, the Department of Defense (DoD) released an interim rule guiding DoD’s implementation of its Cybersecurity Maturity Model Certification (CMMC) framework. The rule became effective on November 30, 2020.

The interim rule

The interim rule essentially highlights requirements for confirming that government contractors are currently NIST 800-171 compliant with all 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171). DoD has implemented this as a multi-phase approach to assess and verify the contractors’ ability to protect CUI. These two phases are:

  1. Compliance assessment using the NIST 800-171 DoD Assessment Methodology in the near term.
  2. Certification under the CMMC Framework as longer-term remediation.


There are five functions that constitute the basic cybersecurity tasks within the NIST Cybersecurity Framework:

  1. Identify
  2. Detect
  3. Protect
  4. Respond
  5. Recover

Differences between NIST and CMMC

A NIST SP 800-171 assessment is a self-assessment, whereas a CMMC audit is conducted by a third party. 800-171 assessments allow for a 60-day Plan of Actions and Milestones (POAM) to alleviate gaps, whereas a CMMC audit does not.