Pivot Point Security has recently seen a lot of interest in NIST 800-171, with the biggest question being; “How do we get NIST 800-171 compliant/certified?”
NIST 800-171 is a relatively new NIST publication that addresses the requirements for a system to properly protect Controlled Unclassified Information (CUI). The CUI designation and the NIST 800-171 framework are intended to standardize/replace a number of other designations and frameworks that have previously been used to designate and protect this type of “sensitive” information.
The following excerpt from NIST 800-171 does a nice job of summarizing its intent (italics mine):
The purpose of this publication is to provide federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government wide policy for the CUI category or subcategory listed in the CUI Registry. The requirements apply only to components of nonfederal information systems that process, store, or transmit CUI, or that provide security protection for such components. The CUI requirements are intended for use by federal agencies in appropriate contractual vehicles or other agreements established between those agencies and nonfederal organizations. In CUI guidance and the CUI Federal Acquisition Regulation (FAR), the CUI Executive Agent will address determining compliance with CUI requirements.
To oversimplify the above, NIST 800-171is a way for a federal entity to specify to a vendor its preferred security treatment of CUI information.
As you might imagine, like all NIST documents, it draws on other NIST guidance, including:
- Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems (moderate confidentiality impact)
- Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems
- NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
- NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
NIST 800-171 specifies a group of 114 controls that are deemed Basic and Derived. There is some confusion around NIST 800-171, as the appendices cross-reference it to NIST 800-53 and it references a FIPS-199 Moderate Security categorization, so many were interpreting it to effectively be a NIST 800-53 moderate security categorization, which didn’t make sense to me.
I called NIST and was lucky enough to speak with one of the document’s primary authors, who was knowledgeable and extremely helpful. She confirmed that NIST 800-171 is a confidentiality focused logical subset of NIST 800-53 moderate security categorization, and intended to be simpler to implement than NIST 800-53. She acknowledged that there is some ambiguity to footnote 11 and the appendices, which are intended to simplify implementation and indicate the mapping to NIST 800-53, not to serve as requirements. The only requirements are those listed as Basic (which are from FIPS-200) and Derived (which are derived from 800-53). If you are looking for further clarification, the DIB-WG is the entity with the most experience with NIST 800-171, as DFARS is now specifying NIST 800-171.
The process of becoming NIST 800-171 “compliant” is the process of validating that the required controls are in place and operational. It usually involves establishing the scope of the NIST 800-171 conforming Information Security Management System (ISMS), understanding the risk associated with the CUI data, and ensuring the risk treatments specified by NIST 800-171 achieve or exceed your risk appetite.
Assuming so, a quick gap assessment to identify gaps and a gap remediation effort will get you to “compliant.” If you need to “prove” it more formally, a first-party or third-party audit may be necessary.
If your ISO 27001 certified, the above process likely sounds familiar. If the NIST 800-171 environment is already addressed by your ISO 27001 Scope, it follows the logical flow of any new input into your ISMS: Risk Assess, Risk Treatment Plan, update SOA (as necessary), Gap Assess, Gap Remediate, and then validate the effectiveness of the 800-171 implementation during your Internal ISMS Audit. If there are any, develop CAPs and address them.
During your next ISO 27001 Surveillance Audit, the Registrar will in effect be “certifying” the NIST 800-171 implementation.