The National Institute of Standards and Technology (NIST) promotes U.S. innovation and industrial competitiveness by developing standards and guidance, including the publications that govern how organizations secure their digital systems. When a non-federal organization handles "controlled unclassified information" (CUI) for or on behalf of the federal government, it is required, typically by a contract clause such as DFARS 252.204-7012 for Department of Defense contractors or by a federal regulation, to protect that information. NIST Special Publication 800-171 sets out the baseline security requirements that such an organization's systems must meet to protect the confidentiality of CUI.
The requirements apply to any non-federal organization that processes, stores or transmits CUI on behalf of a federal agency; they do not apply to a company merely because it uses publicly released government data. A NIST 800-171 compliance checklist is a useful tool for companies intent on becoming or remaining compliant.
Understanding the Framework of NIST 800-171
A methodical approach to becoming and remaining compliant will help your enterprise get up to speed, so a NIST 800-171 compliance checklist becomes a vital tool in the process. The requirements are grouped into 14 families, and each family contains a series of individual requirements. In aggregate, NIST 800-171 Revision 2 contains 110 requirements, each of which an assessor will check. (Revision 3, published in 2024, reorganizes the material into 17 families and 97 requirements, so confirm which revision your contract cites before you build your checklist.)
The 14 families are:
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Each family addresses one aspect of safeguarding CUI, and the requirements within a family describe how that aspect must be managed to protect the confidentiality of the data. Taken together, the requirements of NIST 800-171 cover the life cycle of CUI inside your systems, from the point it enters, through use and storage, to its sanitization or destruction.
For clarity, it also helps to have a precise definition of CUI. Controlled unclassified information is information that the federal government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation or government-wide policy requires to be safeguarded or dissemination-controlled, but that is not classified. It is not limited to civilian data; a large share of CUI originates with the Department of Defense. The authoritative list of CUI categories is the National Archives' CUI Registry, and examples include personally identifiable information (PII), controlled technical information, export-controlled technical data, procurement and contract-sensitive information, and certain patent and legal records. Any entity that receives this information must protect it in every system that processes, stores or transmits it, including email, content management platforms, cloud- and on-premises storage systems, and worker endpoints such as mobile devices and computers.
Follow a NIST 800-171 Compliance Checklist
To develop and then maintain compliance, experts suggest following a NIST 800-171 checklist to ensure a thorough review of, and implementation of, each related requirement.
1. Identify the relevant data
Start the process by identifying the CUI held by your organization. Not all enterprise data is CUI, so establish which data is truly CUI and where it lives within your systems. Finding CUI can be challenging because it requires a whole-system analysis: all hardware (especially employee devices), all systems including those of third-party contractors that have access to your CUI, and all formats of data including voice, email, imagery and so on. Separate your CUI from other enterprise data, and keep it on the smallest set of systems you can: every system inside that boundary is in scope for assessment, so a tightly scoped enclave is far cheaper to secure and assess than an entire corporate network.
2. Classify your data
Once identified, mark and categorize the CUI according to the CUI Registry (CUI Basic or CUI Specified, with the applicable category), and record which systems, users and third parties handle each set. Note that the 14 families above are families of security requirements, not data categories. With the data categorized and its location known, use the requirements in each family to guide the protections you apply to the systems that hold it.
3. Develop your baseline controls
At a minimum, your company should set controls over how it uses its data that prevent inadvertent or intentional intrusions. Multi-factor authentication, for example, is an identification and authentication control that limits who can reach your data; NIST 800-171 requires it for network access to all accounts and for local access to privileged accounts. Clarify which baselines currently exist for each family and build from there toward compliance.
4. Test your baseline controls
Regular testing of each incremental step shows whether your newly designed data security measures actually work. The gaps those tests reveal point to the fixes needed to meet the NIST requirements; record any gap you cannot close immediately in a plan of action and milestones (POA&M), which NIST 800-171 itself calls for, so that the deficiency and its planned remediation are documented rather than forgotten.
5. Assess for risk control
The NIST requirements assume that new and threatening risks arise every day. The Risk Assessment family requires you to periodically assess the risk to your operations and assets, to scan for vulnerabilities in your systems and applications both periodically and whenever new vulnerabilities affecting them are identified, and to remediate what the scans find. Your security controls should therefore detect, deter or prevent inappropriate access, whether the threat originates inside or outside the enterprise.
6. Generate a written security plan based on your newly devised controls
Your written system security plan (SSP) both guides your enterprise towards compliance and provides evidence of its effort to comply. NIST 800-171 requires one: it must describe your system boundaries, the environment of operation, how each requirement is implemented, and the connections to other systems, and it must be updated periodically. When written with the NIST requirements as its guide, the SSP and the policies beneath it should steer compliance activities across your divisions that are consistent and reliable.
7. Roll out the plan across your company
Implementing the policies established via NIST 800-171 can be a bigger challenge than developing them. Personnel differ in how they interpret rules, so clarity about what is expected of each employee is critical to the project's success. Note also that each of your corporate divisions will implement the policies according to its own mandate and purpose, so flexibility in how a requirement is met is essential even though meeting it is mandatory.
8. Monitor your outputs
The true test of your NIST 800-171 compliance checklist is whether your enterprise reduces its risk and its incidents of security breaches. Once the NIST requirements are in place, the audit logs, scan results and assessment records they generate give you the data you need to judge the full capacity of your data security practices. Periodic assessments of corporate functions, systems, environments and information exchanges, which the Security Assessment family requires, will keep you apprised of the adequacy of your NIST 800-171 compliance.
Maintaining compliance with the government standards that apply to you is a basic expectation for every company. If you want assistance with staying compliant with NIST 800-171, contact Techwerxe today.