NIST SP 800-171 most recent revision
In February 2020, the National Institute of Standards and Technology (NIST) released Revision 2 of its Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." Revision 2 keeps the same 110 security requirements as Revision 1; the changes are largely editorial. Its release coincided with the Department of Defense (DoD) publication of its Cybersecurity Maturity Model Certification (CMMC) requirements, which companies must meet to bid on DoD contracts. With the Defense Industrial Base (DIB) hustling to meet these new requirements, understanding what NIST SP 800-171 actually asks for is more important than ever.
What is NIST SP 800-171?
NIST SP 800-171 sets out the security requirements that nonfederal organizations must meet when they process, store, or transmit sensitive federal information on their own systems. The requirements reach contractors through contract clauses such as DFARS 252.204-7012 rather than through law directly. The Special Publication defines Controlled Unclassified Information (CUI) as "any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls." CUI is, by definition, unclassified, so the question for a company is not how to classify it but how to recognize, mark, and protect it. To help with that, Executive Order 13556 established the CUI program and the National Archives and Records Administration (NARA) maintains the CUI Registry, which was created to remove "inconsistent markings, inadequate safeguarding, and needless restrictions." The Registry lists the approved CUI categories and the marking and handling procedures for each.
What are Basic Security Requirements?
Basic security requirements come from Federal Information Processing Standards (FIPS) Publication 200, "Minimum Security Requirements for Federal Information and Information Systems." FIPS 200 sets the minimum security requirements for protecting the confidentiality, integrity, and availability of federal information systems and the data they process, store, and transmit; SP 800-171 restates the subset that applies to protecting the confidentiality of CUI in nonfederal systems. FIPS 200 covers the following 17 security-related areas:
- Access control
- Awareness and training
- Audit and accountability
- Certification, accreditation, and security assessments
- Configuration management
- Contingency planning
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Physical and environmental protection
- Planning
- Personnel security
- Risk assessment
- Systems and services acquisition
- System and communications protection
- System and information integrity
What are Derived Security Requirements?
Derived Security Requirements come from NIST SP 800-53, "Security and Privacy Controls for Information Systems and Organizations." SP 800-53 (Revision 5, 2020) organizes its security and privacy controls into 20 families. Seventeen of these families map directly back to the FIPS 200 areas. The remaining three were added to address federal mandates and risks that FIPS 200 did not cover:
- Program management
- PII processing and transparency
- Supply chain risk management
What are the NIST 800-171 control requirements?
As if cross-referencing FIPS 200 and SP 800-53 wasn't confusing enough, NIST 800-171 uses a different, shorter structure: its 110 requirements are grouped into 14 families. These are not all 20 SP 800-53 families merged together. SP 800-171 is tailored to the confidentiality of CUI, so families such as contingency planning, planning, system and services acquisition, and program management are left out, either because they are not directly related to protecting CUI or because nonfederal organizations are expected to satisfy them routinely without being told to. Two names are also simplified: "certification, accreditation, and security assessments" becomes "security assessment," and "physical and environmental protection" becomes "physical protection." The 14 families are:
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- System and communications protection
- System and information integrity
Understanding where DISA STIGs help meet NIST 800-171 compliance requirements
The Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) set configuration standards for securing DoD information systems. Each STIG lists, for a specific product or platform, the settings that must be in place, how to check them, and how to fix them. DISA also publishes STIG content in XCCDF form so that SCAP-capable scanners can automate the checks. The goal is to lock down systems and software to a known hardened state and so reduce the risk of a data breach.
As part of your company's need to meet NIST 800-171 compliance, and ultimately CMMC compliance, you should consider using STIGs as the technical backbone of the configuration management family. STIGs supply the hardened settings and the check procedures; you still have to document the baseline, keep the inventory current, and control changes to it, because a STIG alone does not satisfy a requirement that asks for a maintained baseline. With that caveat, DISA STIGs can help you establish secure configurations that support the following Basic Security Requirements:
- 3.4.1: Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
- 3.4.2: Establish and enforce security configuration settings for information technology products employed in organizational systems.
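The scan, report, and remediate loop that 3.4.2 implies is easy to get wrong in one specific way: many configuration formats (sshd_config is the classic case) honour the first occurrence of a directive, so a remediation that appends the required setting to the end of the file leaves the host non-compliant on the next scan. The following Python is an added example written for this page; it is not DISA STIG content, not NIST text, and not SteelCloud's ConfigOS. The baseline is a constructed, hypothetical subset of sshd settings, and the sample config is constructed as well. Real baselines should come from the DISA XCCDF benchmarks.

```python
import re

# Constructed baseline for this example: sshd option -> required value.
# Hypothetical subset; use the DISA STIG (XCCDF) content as the real source.
BASELINE = {
    "PermitRootLogin": "no",
    "PermitEmptyPasswords": "no",
    "PermitUserEnvironment": "no",
    "ClientAliveInterval": "600",
}

# Constructed sample sshd_config, not taken from any real host. It contains
# the three defects a scanner must handle: a wrong value, a setting that is
# only present as a comment, and a duplicate directive with a conflicting value.
SAMPLE_SSHD_CONFIG = """\
# sample sshd_config (constructed for this example)
Port 22
PermitRootLogin yes
#PermitEmptyPasswords no
PermitUserEnvironment no
ClientAliveInterval 600
ClientAliveInterval 0
"""

_OPT_RE = re.compile(r"^\s*(\S+)\s+(.*?)\s*$")


def _active_lines(text):
    """Yield (option, value) for every non-comment, non-blank directive."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _OPT_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def parse_config(text):
    """Effective settings under sshd's rule that the FIRST occurrence wins.
    Commented-out lines are not settings and are ignored."""
    settings = {}
    for key, value in _active_lines(text):
        settings.setdefault(key, value)
    return settings


def find_conflicts(text):
    """Options set more than once with differing values. Because only the
    first line counts, these are a common cause of 'fixed but still failing'."""
    seen, conflicts = {}, set()
    for key, value in _active_lines(text):
        if key in seen and seen[key] != value:
            conflicts.add(key)
        seen.setdefault(key, value)
    return sorted(conflicts)


def scan(text, baseline=BASELINE):
    """Compare effective settings to the baseline.
    Returns a list of (option, expected, actual_or_None); empty means compliant."""
    effective = parse_config(text)
    findings = []
    for opt, want in baseline.items():
        have = effective.get(opt)
        if have is None or have.lower() != want.lower():
            findings.append((opt, want, have))
    return findings


def remediate(text, baseline=BASELINE):
    """Return a remediated config. Every active line for a baseline option is
    rewritten in place (not just the first) so no later duplicate can override
    it, and missing options are prepended rather than appended for the same reason."""
    out, seen = [], set()
    for line in text.splitlines():
        m = _OPT_RE.match(line)
        if m and not line.lstrip().startswith("#") and m.group(1) in baseline:
            opt = m.group(1)
            out.append(f"{opt} {baseline[opt]}")
            seen.add(opt)
        else:
            out.append(line)
    missing = [f"{opt} {val}" for opt, val in baseline.items() if opt not in seen]
    return "\n".join(missing + out) + "\n"


if __name__ == "__main__":
    for opt, want, have in scan(SAMPLE_SSHD_CONFIG):
        print(f"FAIL {opt}: expected {want!r}, found {have!r}")
    print("conflicting directives:", find_conflicts(SAMPLE_SSHD_CONFIG))
    fixed = remediate(SAMPLE_SSHD_CONFIG)
    print("after remediation, findings:", scan(fixed))
    print(fixed)
```

Running the script reports PermitRootLogin and PermitEmptyPasswords as failing and flags ClientAliveInterval as conflicting; after remediation a rescan returns no findings. The same parse-then-compare structure extends to any line-oriented config, but the precedence rule (first wins here, last wins in many others) has to be encoded per format or the scanner will report the wrong effective value.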
SteelCloud’s automated STIG solution streamlines NIST 800-171 compliance
SteelCloud’s STIG automation helps you streamline your configuration management processes so that you can meet NIST 800-171 compliance requirements faster. Our unique, patented technologies remove the barriers associated with maintaining STIG compliance.
Our ConfigOS incorporates two distinct pieces of software: the Foundry and the Command Center. Within Foundry, you create, edit, and publish your policies. Command Center then scans your environment and sends back a report indicating your current compliance level. With the click of a button, you can run our automated remediation process which fixes any non-compliant configurations while also ensuring that no conflicts exist. This gets your environment secure and compliant faster, without leading to any downtime.