Understanding NIST 800-171 and what it means for Government Contractors

What is NIST 800-171?

NIST (National Institute of Standards and Technology) 800-171 is a federal regulation issued on Dec 1, 2016 to help control the safety and security of CUI that resides in nonfederal systems.

What is CUI?

Controlled unclassified information, also known as CUI, is federally released, non-military data, including personally identifiable information (PII), financial data, court records, patents and other sensitive information that must be kept private but does not require a high-level security clearance to view.

Any company that receives CUI must protect the security of that data in all of its systems, including email, content management platforms, cloud-based storage systems, and employee-access management points, such as mobile devices and computers.

Do I have to comply with NIST 800-171?

The security requirements associated with NIST 800-171 apply to all systems within nonfederal organizations that process, store, or transmit CUI, or that provide security protection for such components. NIST 800-171 is intended for use by federal agencies in contracts with nonfederal organizations. If your business supplies any type of service to the government, you must comply; if you do not comply, you cannot work with the government.

Why do government contractors have to comply with NIST 800-171?

With the uptick in breaches, the government decided there needed to be more protection against breaches and hacks. While the government works hard to protect classified information, it also needs to protect the information it uses and needs from other agencies, vendors and government contractors in order to function accurately and fully. Protecting this information can be crucial to avoiding attacks against both your business and the federal government. Identifying weaknesses helps keep information from being compromised and allows business operations to continue.

How do I handle NIST 800-171?

While there are requirements that need to be met for NIST 800-171 compliance, there is no set way to execute them. This means that if you’d like to aim for compliance with a mixture of internal employees and software, you may do so. Conversely, if you have no interest in learning all the ins and outs or in managing it internally, you may also hire a professional to do it for you.

If you do plan to do it internally, within your company, here are a few things to keep in mind:

  • Document everything you do, and know how to explain all of it and how it protects CUI.
  • Make sure the people you choose to manage this task know they have to continuously address compliance and any issues you may encounter along the way. Cybersecurity is an ever-evolving issue and will need to be continuously monitored. It is not a set-it-and-forget-it type of task.
  • Keep yourself and your team up to date regarding changes that affect NIST 800-171 and CUI classifications. As with any new regulation, changes are bound to be implemented over time.
  • Know that if any breaches or even suspected hacks occur, you must report them so that the federal government is aware that data may be compromised.
  • There is no official, formal way to implement NIST 800-171, but you must make sure you have proof that you are doing something to protect CUI and that it works.

What other NIST 800-171 info do I need to know?

If making sure you are compliant with NIST 800-171 is something you’d rather have a professional manage for you, there are many IT security companies that can help with this component of government contracts.

But if you’re looking for further resources to work on it yourself, or to work with an outside expert, there are additional resources here to help you put a plan together and make sure it is documented, can be reported, and can even be presented during an audit. They can be found under “Supplemental Material” on the right-hand side.

If you have further questions or would like to discuss what options you have to make sure your IT security is compliant with NIST 800-171, you can always schedule a call or email Left Brain Professionals. We’re happy to provide any answers or information we can to help your business.
