NIST 800-171 and the protection of Controlled Unclassified Information (CUI)
If you access or create Controlled Unclassified Information (CUI) as part of your business dealings with the US government, you must comply with the NIST 800-171 cybersecurity standard. This applies even if you have international cybersecurity certifications such as ISO 27001 or SOC 2.
In this article, we present the NIST 800-171 standard.
What is NIST 800-171
NIST 800-171 is a US government cybersecurity standard. It consists of 110 security controls that provide requirements for protecting sensitive unclassified information (commonly known as CUI - Controlled Unclassified Information). Examples of CUI include the architectures or diagrams needed to manufacture a military device, or the results of research initiated by the U.S. government. NIST 800-171 defines the security measures required to protect this information against internal and external threats.
- NIST 800-171 domains
The 110 security requirements of NIST 800-171 are organized into 14 domains. They are as follows:
- Access Control
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- Systems and communications protection
- Systems and information protection
No equivalence with other cybersecurity standards
NIST 800-171 is much more rigorous than most cybersecurity certifications on the market.
There is currently no cybersecurity standard considered equivalent to NIST 800-171. Security certifications on the market (e.g. SOC 2, ISO 27001, Cyber Security Canada, etc.) do not cover all the points required by NIST 800-171.
If you're required to comply with NIST 800-171, you'll need to implement each of the standard's requirements, otherwise you won't be compliant.
Security policies are mandatory to comply with NIST 800-171
To comply with NIST 800-171, it's not enough to have security tools in place. You must also have security policies that are documented, approved and periodically reviewed. Examples: security incident response policy, access control policy, etc.
Every requirement contained in a policy must be verifiable, and you must provide proof that the requirement has been met.
The SSP (System Security Plan) is a MUST
One of the key deliverables of NIST 800-171 is the SSP, which can be likened to the organization's overall security policy. The SSP gives an idea of the NIST 800-171 requirements met by the company.
The SPRS (Supplier Performance Risk System) score
When you are awarded a U.S. government contract involving the use or creation of CUI, you may be asked to submit your SPRS score. Some of your partners may also require you to submit your SPRS score. This score is obtained after a gap analysis between your security level vs. NIST 800-171.
Having a SSP is mandatory to submit your SPRS score.
Link between NIST 800-171 and CMMC
CMMC certification is derived from NIST 800-171. It includes the 14 domains of NIST 800-171, plus 3 additional domains (17 domains in total for CMMC).
Evaluate your readiness for CMMC or NIST 800-171 compliance
We've created a form to help you assess your level of readiness for CMMC or NIST 800-171 compliance.
How StreamScan can help you with your CMMC compliance process
Streamscan is a CMMC Registered Provider Organization (RPO) and is officially authorized to assist organizations in their CMMC process. We are experts in CMMC and NIST 800-171.
Our cybersecurity experts are available to support you in your CMMC or NIST 800-171 compliance process. We regularly help organizations determine and submit their SPRS score to the U.S. Department of Defense (DoD).
For more details on our CMMC and NIST 800-171 service, visit this link.
Contact one of our experts or call us at +1 877-208-9040 to discuss your CMMC compliance.