Compliance with NIST 800-171

Agenda
1. What is NIST?
2. Do I Need to Comply?
3. What Are the Requirements?
4. How Can I Determine If I Am Compliant?
5. Corserva’s NIST Assessments
What is NIST?
• NIST (National Institute of Standards and Technology) is part of the
U.S. Department of Commerce.
• NIST was founded in 1901 and is one of the nation's oldest physical
science laboratories.
• Congress established the agency to remove a major challenge to
U.S. industrial competitiveness at the time: a second-rate
measurement infrastructure that lagged behind the capabilities of
the United Kingdom, Germany, and other economic rivals.
• NIST’s Information Technology Laboratory (ITL) promotes the U.S.
economy and public welfare by providing technical leadership for
the nation’s measurement and standards infrastructure. ITL is the
part of NIST that publishes the Special Publication 800 series,
including SP 800-171.
What is NIST SP 800-171?
• NIST Special Publication 800-171, “Protecting Controlled Unclassified
Information in Nonfederal Information Systems and Organizations,” was
first published in June 2015; Revision 1 followed in December 2016.
It covers the protection of Controlled Unclassified Information (CUI)
when that information resides on systems that are not operated by
the federal government.
• The security requirements in the publication are derived from FIPS
Publication 200 and the moderate security control baseline in NIST
Special Publication 800-53, tailored for nonfederal organizations.
• NIST SP 800-53 catalogs the security controls for U.S. federal
information systems other than national security systems.
• Those controls are what federal agencies use to protect information
and systems covered by FISMA (the Federal Information Security
Modernization Act of 2014); SP 800-171 carries a subset of that
protection over to contractors and other nonfederal organizations
that handle federal CUI.
What is CUI?
• Controlled Unclassified Information (CUI) is information created or
possessed by the government, or created by an entity on behalf of
the government, that is not classified but that a law, regulation,
or government-wide policy requires to be safeguarded or subject to
dissemination controls.
• CUI is sensitive to the interests of the United States and, in some
cases, to its national security, yet it falls below the threshold
for classification. The CUI program established by Executive
Order 13556 defines the categories and the handling rules.
• In the contracting context, NIST SP 800-171 applies to CUI that is
stored on, processed by, or transmitted through “covered contractor
information systems,” that is, nonfederal systems that hold
government CUI.
Examples of CUI
CUI is defined by its content and handling requirements, not by its
format. In a contractor environment it commonly appears as:
• Email and attachments
• Electronic files
• Blueprints and drawings
• Proprietary company/contractor information furnished under a
government contract
• Physical records (printouts)
Do I Need to Comply?
• Any nonfederal entity that stores, processes, or transmits
government CUI must comply.
• Typical entities with this kind of information include universities,
research institutions, consulting companies, service providers, and
manufacturers.
• Many manufacturing companies are either prime contractors or
subcontractors to prime contractors on government contracts. These
entities will almost always have CUI on premises or in cloud or
provider-hosted systems and applications.
• For Department of Defense contractors, DFARS clause 252.204-7012
requires NIST SP 800-171 to be implemented no later than
December 31, 2017, and the clause flows down to subcontractors
that handle covered defense information.
Have I Been Notified?
• If you are a manufacturer, you may be notified by a prime contractor
or a higher-tier subcontractor that you must comply with NIST
800-171 by December 31, 2017; the flow-down clause in your contract
is the formal source of that obligation.
• Notification can come directly (mail or email) or as a notice within
a supplier portal.
• You may not be notified at all. The absence of a notice does not
remove the requirement if CUI is present on your systems.
NIST 800-171 Family of Requirements
The 110 security requirements in SP 800-171 Revision 1 are grouped
into 14 families:
3.1 Access Control
3.2 Awareness and Training
3.3 Audit and Accountability
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.7 Maintenance
3.8 Media Protection
3.9 Personnel Security
3.10 Physical Protection
3.11 Risk Assessment
3.12 Security Assessment
3.13 System and Communications Protection
3.14 System and Information Integrity
Defining the NIST 800-171 Requirement
For assessment purposes, Corserva groups the 14 families into four
types of data management requirements (this grouping is Corserva’s,
not NIST’s):
1. Controls: data management controls and processes
2. Monitoring/Management: real-time monitoring and management of
defined IT systems
3. End User Practices: documented, well-defined end-user practices and
procedures
4. Security Measures: implementation of defined security measures
NIST 800-171 Requirement: Controls
• Assess the systems that hold CUI and develop appropriate security
controls
• Develop formal policies and procedures
• Create, protect, and retain audit records of access to CUI
(family 3.3)
• Secure transmission of CUI, including encryption in transit (3.13)
• Encryption of CUI at rest, using FIPS-validated cryptography
wherever cryptography is used to protect the confidentiality of CUI
(3.13.11)
NIST 800-171 Requirement: Monitoring/Management
• Monitor and manage user access to information systems
• Authenticate users and use multi-factor authentication; 800-171
(3.5.3) requires MFA for local and network access to privileged
accounts and for network access to non-privileged accounts
• Establish an operational incident handling process that covers
detection, containment, recovery, and reporting (3.6)
• Patch critical systems in a timely manner and scan for
vulnerabilities periodically and whenever new vulnerabilities
affecting those systems are identified (3.11.2, 3.14.1)
• Deploy anti-virus/anti-malware protection, keep it updated, and
monitor its alerts (3.14.2, 3.14.4)
• Monitor network traffic, inbound and outbound, for indicators of
attack (3.14.6)
NIST 800-171 Requirement: End User Practices
• Training and awareness for end users and system administrators on
proper procedures for handling CUI, including recognizing and
reporting indicators of insider threat (3.2)
• Management must define and enforce password rules: a minimum
complexity, a change of characters when new passwords are created,
and a prohibition on reusing passwords for a specified number of
generations (3.5.7, 3.5.8)
NIST 800-171 Requirement: Security Measures
• Assess and develop appropriate security controls, then document
them in a system security plan and track gaps in a plan of action
(3.12)
• Secure backup of CUI, with backup copies protected to the same
standard as the live data (3.8.9)
• Create and enforce policies to prevent unauthorized software, for
example an approved-software list or application whitelisting (3.4.8)
• Identify, track, and restrict the network and application ports,
protocols, and services in use (firewall rules and host
configuration), disabling anything nonessential (3.4.7)
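The last bullet is the one most often checked by hand. As an added example (not part of the original presentation and not Corserva’s tooling), the following Python script shows one way to operationalize it: parse the listening sockets reported by Linux `ss -Hltnp` and compare them against an approved baseline of port/process pairs, flagging anything unapproved or exposed beyond loopback when the baseline says it must not be. The approved list, the process names, and the sample `ss` output are constructed for illustration.

```python
"""Listening-port inventory check against an approved baseline.

Added example for the "identify, track, and restrict ports" requirement
(NIST SP 800-171 3.4.7). Not code from the original presentation or from
Corserva. The baseline and the sample `ss` output are constructed.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -Hltnp` output (no header, listening, TCP,
# numeric, with owning process) used as an offline stand-in for a host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1203,fd=6))
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=990,fd=5))
LISTEN 0      50           0.0.0.0:4444      0.0.0.0:*    users:(("nc",pid=3021,fd=3))
LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
"""

# Hypothetical approved baseline: (port, process) -> may it listen on a
# non-loopback address? An assessor would expect this list to be written
# down and reviewed, not reconstructed from memory.
APPROVED = {
    (22, "sshd"): {"external_ok": True},
    (443, "nginx"): {"external_ok": True},
    (5432, "postgres"): {"external_ok": False},  # database stays on loopback
}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str

    @property
    def is_loopback(self) -> bool:
        return self.addr in ("127.0.0.1", "::1") or self.addr.startswith("127.")


# State, Recv-Q, Send-Q, local addr:port, peer addr:port, optional users:(("name",...
_LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+?):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -Hltnp` lines into Listener records; skip unparseable lines."""
    listeners: list[Listener] = []
    for line in output.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        addr = m.group("addr").strip("[]")  # drop IPv6 brackets
        listeners.append(Listener(addr, int(m.group("port")), m.group("proc") or "?"))
    return listeners


def find_deviations(listeners: list[Listener], approved=APPROVED) -> list[str]:
    """One finding per listener that is not in the baseline, or that is
    reachable beyond loopback when the baseline forbids it."""
    findings = []
    for l in listeners:
        rule = approved.get((l.port, l.process))
        if rule is None:
            findings.append(f"UNAPPROVED {l.process} on {l.addr}:{l.port}")
        elif not rule["external_ok"] and not l.is_loopback:
            findings.append(f"EXPOSED {l.process} on {l.addr}:{l.port} (loopback only)")
    return findings


def audit_host(output: str = SAMPLE_SS_OUTPUT) -> list[str]:
    """Audit a captured `ss` listing (defaults to the constructed sample)."""
    return find_deviations(parse_ss(output))


def audit_live_host() -> list[str]:
    """Run `ss` on this machine (Linux with iproute2) and audit the real listeners."""
    out = subprocess.run(["ss", "-Hltnp"], capture_output=True, text=True, check=True).stdout
    return find_deviations(parse_ss(out))


if __name__ == "__main__":
    for finding in audit_host():
        print(finding)
```

Run against the constructed sample, the script reports the unapproved `nc` listener on 0.0.0.0:4444 and nothing else; the loopback-only PostgreSQL listener passes because it is bound to 127.0.0.1. Each finding is a concrete gap to record against 3.4.7, and the `APPROVED` dictionary is exactly the kind of artifact an assessor will ask to see during the technical assessment phase.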
Summary of NIST 800-171 Requirements
How Can I Determine Compliance?
The most straightforward route to determining your compliance status is
an assessment by an independent third party. NIST 800-171 itself
(3.12.1) also requires you to periodically assess your own controls, so
the external assessment should leave you with a method you can repeat.
The assessment should consist of three phases:
1. Information gathering: interviews, policy review, and an inventory
of the systems that store, process, or transmit CUI
2. Data analysis: mapping what was found against each of the 110
requirements and recording the gaps
3. Preparation of findings for presentation to management, including a
plan of action and milestones for closing the gaps (3.12.2)
From this assessment you will have a specific roadmap to follow in
order to achieve compliance.
What Does a NIST Assessment Project Look Like?
Several stages are involved:
• Business process review
• Technical assessment (systems and network)
• Data analysis
• Post-assessment: a plan for ongoing validation on a regular basis
About Corserva
• Founded in 1985 as a division of the Dun & Bradstreet Corporation
• Focused on providing advanced technology solutions to mid-market and enterprise clients
• Managed Services include IT Managed Infrastructure, Managed Security, and Backup/Recovery
• Life Cycle services include full life cycle management for all IT devices
• Cloud Services including Private Cloud and Hybrid Cloud
• Experienced, trained and certified engineers in every major IT discipline
• Finely tuned operations capabilities, including 24x7 network operations and security monitoring
• All services supported by two highly certified data centers (HIPAA and PCI compliant)
• A number of clients in the manufacturing sector
• Experienced provider of IT assessments, including those for NIST and HIPAA
www.corserva.com