If you’re a federal government contractor or executive agency, then you’ve likely dealt with unclassified information. Before the introduction of NIST 800-171, how this information was handled differed from contractor to contractor. This was a problem, as some unclassified information is sensitive. NIST 800-171 was created to standardize the process of handling sensitive data.
What Is NIST 800-171 and Why Should You Care?
Put into effect on December 31, 2017, the NIST 800-171 is a set of guidelines that standardizes how executive agencies and federal government contractors protect controlled unclassified information (CUI). Published by the National Institute of Standards and Technology, the document’s purpose is to ensure the safety and confidentiality of this data. NIST 800-171 compliance is mandatory for all entities that handle sensitive information from the government and is enforced by the Department of Defense.
As cyberthreats continue to evolve, so have the 800-171 requirements. In fact, the 800-171 was revised multiple times before ultimately being replaced by the NIST SP 800-171. This version of the document is the most up-to-date form of the current regulations.
What Information Is Considered CUI?
Although CUI is not designated as classified, it’s not meant for public eyes either, as it can contain personal information or other sensitive data. CUI covers a wide range of information that is separated into 20 different organizational categories that range from critical infrastructure to transportation. If you’d like to see the full in-depth list, you can visit the National Archives website.
Administrative and Technical Requirements
All of the requirements found in the NIST SP 800-171 can be divided into two categories—administrative and technical.
- Administrative: Any of the regulations that fall into this category deal with what you as a contractor or an executive agency must do to prevent incidents. This can include reviewing procedures, reporting vulnerabilities, and maintaining hardware.
- Technical: The other half of the regulations apply to the technical aspect of protecting data. Since a lot of data is in digital form, technological solutions are needed to take care of the storage and transfer of information over the internet. These standards provide rules on limiting access, creating reports, and beefing up cybersecurity.
What This Means for You
As a federal government contractor or executive agency, you’ll be responsible for following the guidelines listed under the NIST SP 800-171. To remain compliant, here are some steps that you can follow.
- Locate: Identify areas in your network that contain CUI. This may include files found in local storage, cloud storage, or even hard drives.
- Categorize: Separate files that contain CUI from files that don’t. This will streamline the process of proving compliance with NIST 800-171 if an audit is needed.
- Limit Access: Limit who has access to files that contain CUI. Also, put expiration dates on folders and files that contain CUI so they can’t be accessed after a project is completed.
- Encrypt: Don’t forget to encrypt all of your data. Encryption is helpful, as it adds an extra layer of security without disrupting authorized users’ ability to transmit data through services such as email or file transfer protocol (FTP).
- Monitor: The NIST 800-171 requires contractors to ensure that the actions of individual users can be traced so they can be held accountable. That’s why it’s important to monitor who’s accessing your network at all times so you know who is accessing CUI and how they are using it.
- Train: Employees who are properly trained in the fundamentals and best practices of compliance are more aware of security risks and less likely to succumb to cyberattacks that could result in data breaches.
- Assess: Conduct an assessment of your infrastructure. This will give you insight into any shortcomings in your network security.
As it can be difficult to maintain compliance on your own, many organizations tend to rely on the help of a third-party IT provider. A good IT provider can make implementation and compliance with these requirements an easier and more manageable task.
Maintain Compliance With SSE
At SSE, we’ll help you remain compliant with NIST SP 800-171. Our robust security processes and compliance standards are designed to keep your network safe and secure from external threats. If you would like to learn more about our services, give us a call today!