What Is NIST 800-171 and Why Should You Care?
In this increasingly digital world where our data is collected and mined seemingly everywhere, should we still be surprised that cyber attacks and data breaches have become more commonplace? Cybercriminals have become more sophisticated than ever, and as businesses, we have a responsibility to protect all data we collect from customers, suppliers, and business partners as best we can.
That responsibility is even more paramount when you have in your possession sensitive but unclassified information (or CUI) that, if breached, can compromise the interests of the federal government.
NIST (National Institute of Standards and Technology) developed the NIST 800-171 protocol for this reason.
However, many organizations are struggling to make heads or tails of the compliance guidelines outlined in the special document—mostly because identifying a piece of data as CUI can be a little tricky.
Here at Network Security Associates (NSA), we get asked about NIST 800-171 and CUI a lot.
In this blog post, we address some of these common questions and even provide our recommendations. But first, let’s talk about the data the NIST 800-171 protocol was built to protect—CUI.
What is CUI?
The U.S. government defines Controlled Unclassified Information (CUI) as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”
Simply put, CUI is any data that is potentially unclassified and sensitive. This data requires protection and proper handling due to its sensitive nature and relevance to the interests of the federal government. Examples of CUI would include legal documents, email attachments, blueprints, technical information, and more.
We need to protect CUI for one simple reason: If placed in the wrong hands, this sensitive information may compromise the integrity of our institutions and the safety of the general public.
How do you know if you have CUI in your systems?
If your company is providing services to the DoD or any federal agency, then chances are you’re storing and processing CUI in your systems. As such, it is your responsibility to classify this information as CUI and carry out the necessary measures to keep it secure and protected.
The problem with CUI is that it’s so broad in scope that organizations find it difficult to determine whether a given piece of information is CUI or not. It’s so broad, in fact, that it can be broken down into 20 main categories (with subcategories to boot). To help you identify CUI in your systems, here’s the list of CUI categories as provided by NIST:
- Critical Infrastructure
- Export Control
- International Agreements
- Law Enforcement
- Natural and Cultural Resources
- North Atlantic Treaty Organization (NATO)
- Procurement and Acquisition
- Proprietary Business Information
What is NIST 800-171?
NIST 800-171 is a set of cyber protection guidelines published by the National Institute of Standards and Technology that standardizes how federal contractors handle and protect CUI. Developed following FISMA’s enactment in 2003, NIST 800-171 was published to protect this data from emerging cybersecurity threats.
What will happen if you don’t comply with NIST 800-171?
Failure to comply with CUI requirements outlined in NIST 800-171 may have negative repercussions for your business. For one, non-compliance can result in the termination of your government contracts, not to mention ruin your reputation as an organization.
Moreover, failure to secure and protect sensitive data makes you culpable for negligent action, which could result in hefty fines, contract lawsuits, and even criminal charges.
How do you stay compliant?
Many organizations feel that NIST 800-171 is overwhelming and complicated, so much so that the mere effort of trying to stay compliant is putting a strain on their time and resources.
Want to get up to speed in your efforts to stay compliant with NIST 800-171? Adopting a methodical approach would help.
Thankfully, NIST has outlined a checklist that will help organizations stay compliant with ease.
- Find and identify CUI. Locate CUI data within your systems and isolate it from enterprise data.
- Categorize your CUI. Classify your CUI data in the appropriate CUI 800-176 categories.
- Develop a baseline for the controls required to protect CUI. Establishing a baseline of controls lets you use your data based on the level of risk your organization is exposed to.
- Test your baseline controls. Testing your baseline can help you determine the efficacy of your security measures.
- Conduct risk assessments to deter or detect cyberthreats. Risk assessments allow you to identify gaps and issues that can help you find appropriate measures towards compliance.
- Develop a security plan based on the baseline controls you have established. This will serve as a foundation for the policies that will determine your compliance roadmap.
- Roll out the plan to your information systems. Make sure your goals and timelines are in place before implementation.
- Continue to monitor your security controls. Conduct regular assessments to ensure that your security measures are helping you stay compliant.
Need help staying compliant with NIST 800-171 guidelines?
If you haven’t paid close attention to NIST compliance guidelines before, now is the time to do so. Because let’s face it—the threat of cybersecurity attacks and data breaches is ever looming, and you’ll be putting your business at risk if you don’t do something about it.
With that said, we know how difficult and overwhelming compliance can be if you don’t have the right tools and expertise. The NSA team will be more than happy to take these challenges off your plate so you can focus on what you do best—taking care of your customers. We offer comprehensive cybersecurity assessments, compliance management services, and managed security IT services to help you stay on top of your cybersecurity needs.
Since 2003, NSA has been providing top-of-the-line customer care and an extensive array of managed IT services and security to our Las Vegas area clients. Our founder, Robert Davis, started this company because he was passionate about IT services and simultaneously saw a profound need for better customer care in the IT industry.