News Archives – Systems Service Enterprises (https://www.sseinc.com): IT solutions and training built around serving commercial and government markets.

NIST 800-171 Management (Questions/Answers)
https://www.sseinc.com/frontpage-article/nist-800-171-management/
Sat, 18 Jul 2020 22:11:33 +0000

Securing data and meeting compliance regulations regarding that data is one of the most important priorities for a company. Failure to do so can produce catastrophic results. Everything from fines and lawsuits to the loss of federal contracts and even the loss of the business may occur. The National Institute of Standards and Technology (NIST) has put together a publication to help secure Controlled Unclassified Information (CUI). In order to meet these standards and keep data as secure as possible, it’s imperative that an organization understand and correctly implement NIST 800-171. The following is everything a business or IT leader needs to know in order to successfully implement and manage NIST 800-171.

Why is NIST 800-171 so Important?

NIST 800-171 is considered a companion document or guide to NIST 800-53. It provides clear guidelines regarding how contractors of federal agencies should adequately handle CUI. The main goal of NIST 800-171 is to protect controlled unclassified information and reduce the risk of any type of data breach. These guidelines provide many benefits, including a scalable approach to protecting data, a framework for managing different types of risk, and best-practice standards for accessing information. It applies in three specific situations.

  • Whenever CUI is stored in or accessed from a nonfederal system, in any type of organization.
  • Whenever CUI is not specifically being used or maintained by a nonfederal organization.
  • Whenever no particular law or regulation is in place to protect the confidentiality of the CUI.

NIST 800-171 is important because it specifies exactly how federal agencies can define data. There is an abundance of data that is sensitive, yet not considered classified under federal law. A few examples of this type of data include a variety of medical records and certain types of financial records that companies normally keep internally. In order to maintain the integrity and security of this type of data, specific guidelines needed to be put in place. The following are some of the organizations that are required to comply with NIST 800-171.

  • Contractors working for DoD (Department of Defense).
  • Contractors working for NASA (National Aeronautics and Space Administration).
  • Any manufacturing company that provides goods for a federal agency.
  • Any consulting company that has a federal contract.
  • Research organizations and universities that are supported with federal grants.

How Do You Implement NIST 800-171?

There are several things an organization is required to do in order for a complete and successful implementation. It may be a good idea to break implementation down into several manageable steps. The following are the five specific steps that need to be taken to correctly and thoroughly implement NIST 800-171.

  1. What Data and Information Does a Company Have that Falls into this Category? – The first step is to identify all systems in the network that maintain or transfer CUI. This type of data might be stored in a variety of places, including local storage, cloud storage, portable devices, hard drives, and endpoints.
  2. How Should CUI Be Categorized? – While this may not be necessary for every organization, some companies may want to categorize CUI according to how sensitive different types of information are. For companies with large amounts or a wide variety of data, a classification system may make it easier to manage and secure data.
  3. Who is Able to Access this Data? – The next step is to implement controls regarding who is able to access the data. Data encryption is a necessary part of this process and will help keep unauthorized individuals from accessing this information.
  4. How Should Data Be Audited and Monitored? – Controls must be implemented to continually audit and monitor CUI. An organization needs solutions in place that can record and provide ongoing monitoring of all users' activities. Each company should put procedures in place that make auditing and monitoring as easy and routine as possible.
  5. How Should Training Be Implemented? – After data is located, categorized, and managed, each employee who has access to the data must be trained. Training would include specific uses of CUI and the proper way to transfer the information. Use and transfer of all data must be in accordance with the standards provided by NIST 800-171. It's important to remember that training is not a "one and done" type of thing. Ongoing training to make sure employees are always updated on the latest compliance changes is absolutely necessary.

What are the Requirements?

There are several specific requirements associated with NIST 800-171. A company will need to make sure the following points are all put into place, maintained, and monitored.

  • Access Control – Start by evaluating who should and who shouldn’t have access to CUI. As few individuals as possible should be able to have access to this information. It’s also important to limit the number of devices that store information.
  • Audit and Accountability – Those who do have access to CUI need to be part of an accountability system. This would include creating an audit trail program that tracks and monitors each individual’s access and handling of specific data.
  • Awareness Training – Adequate and ongoing training should be established for all employees. This would include awareness of best practices for cybersecurity, how to identify and handle insider threats, and the knowledge and ability to carry out all responsibilities regarding security.
  • Configuration Management – All hardware and software in an organization should have configurations that emphasize strong security. These measures must be maintained even when new updates are released.
  • Identification and Authentication – Any users or devices that are trying to access data or a computer system in the company must be authenticated. There needs to be a system in place that monitors and records at all times any person or system trying to access information.
  • Incident Response – Every organization needs a detailed incident response plan in place. The plan should include the ability to detect loss of data or intrusions, to analyze each specific incident, contain the incident, document what occurred, and then report the incident to the correct authorities.
  • Maintenance – Every computer and device used in an organization should receive ongoing maintenance to keep all systems completely protected and up to date. Lack of proactive maintenance can result in extended downtime or even the unintentional disclosure of sensitive data.
  • Media Protection – Media in an information system should be sanitized or destroyed on a regular basis. This process should also include ongoing protection and access controls. Media protection applies to both digital and physical media.
  • Physical Protection – On-site physical protection of all information systems is still a critical aspect of security that must be addressed. A security plan and a team of professionals should be in place to physically protect all computers, devices, etc.
  • Personnel Security – A specific screening process should be implemented for anyone who has access to CUI. Make sure a process to protect information is in place whenever employees leave the company for any reason.
  • Risk Assessment – A company needs to create a risk assessment plan and regularly implement it to assess all risks regarding CUI. A risk assessment plan should be fluid and changed as better ways to assess and handle risks become apparent.
  • Security Assessment – Ongoing security assessments are an integral part of keeping CUI secure. Create a plan and procedures for doing this, as well as a timeframe for each assessment.
  • System and Communications Protection – Both internal and external boundaries of all information systems in a company should be monitored and protected. These are almost always areas of highest risk in an organization.
  • System and Information Integrity – All information systems should be protected from all malware and viruses. Security alerts should be in place and regularly monitored so action can be taken quickly when necessary.

How Can A Professional IT Services Firm Help?

Considering how important the implementation and ongoing management of NIST 800-171 is, making sure it’s handled by IT professionals is crucial. A company that doesn’t completely comply with all aspects of these guidelines can risk losing their federal contracts. There are several specific ways that a managed IT support team can help.

  1. Provide Security Training – One of the most important benefits of bringing in a team of IT professionals is that they can provide expert training for every employee in the organization. Employee errors regarding security and compliance can be costly and time-consuming to fix. Employees need to be trained in everything from how to correctly handle CUI to general security issues so they have the ability to safeguard all types of data.
  2. Maintain Current and Future Compliance – Compliance for NIST 800-171 for many companies is complicated and time-consuming. Organizations that take the time to learn and implement all the requirements will still likely need assistance to maintain compliance. This is because guidelines and mandates are constantly changing or being updated. Full compliance at all times is necessary or contracts can be canceled. A company that wants to be sure to always stay compliant will want to bring in an experienced IT team.
  3. Create Security Plans – Putting together a comprehensive security plan to assess, monitor, and maintain security for all systems in an organization is a massive undertaking. An experienced IT team can put together a security plan as well as intrusion and response steps that are catered to the specific needs of each individual organization. Security plans may include regular vulnerability assessments, determining areas of weakness in a system, looking for patterns of activity that may indicate potential cyberattacks, and behavioral monitoring.
  4. Remain on Budget – Hiring an outside IT service means knowing what your security costs will be and including them in a future budget. Tech professionals who have experience keeping companies compliant while monitoring security know what costs to expect. An in-house team will likely not have the experience or expertise to realistically calculate all costs on a yearly or even quarterly basis.
  5. Provide Backup and Disaster Recovery – If a data breach of any sort occurs, decisive action must be taken immediately to minimize damage and remain compliant. An experienced IT company will be able to put together and effectively implement a business continuity and disaster recovery plan specific to each individual company.
  6. Offer Ongoing Consulting – The services of a managed IT team will likely prove invaluable in a variety of ways beyond compliance with NIST 800-171. An experienced IT company can offer DFARS and CMMC assessments as well as NIST assessments.
  7. Provide Peace of Mind – The time and expense an organization often puts toward maintaining compliance and security is often time and resources taken away from the daily operations of the company. A business can rest assured that all guidelines regarding NIST 800-171 are being met while spending their energy focusing on the goals of the organization.

It may take several months to become completely compliant with NIST 800-171. It's imperative to bring in a team that can implement and manage the requirements as quickly and smoothly as possible. SSE has over 30 years of experience in the field of technology. Whether it's managed IT services, cybersecurity, NIST security, IT consulting, or a variety of other technology services, SSE can provide an organization with maximum security, expert training, and the tools to completely implement and comply with NIST 800-171. Contact SSE to get started today.

SSE Achieves ISO 9001-2015 Certification
https://www.sseinc.com/news/sse-achieves-iso-9001-2015-certification/
Fri, 07 Feb 2020 16:19:00 +0000