In recent years, many organizations have been affected by data breaches due to the loss or improper safeguarding of sensitive data.
NIST 800-171 was created to help government contractors and subcontractors minimize their cybersecurity risk and protect their networks and the confidentiality of controlled unclassified information (CUI), but the problem is that NIST compliance requirements are complex and there's a lot of information out there on how to become compliant.
It can be hard for you or your team to know where to start or what steps need to be taken first in order to achieve compliance.
If you're not careful, you might end up spending more time, money, and resources taking the wrong approach, which could harm your business instead of protecting it from cyber threats.
Do you know what NIST 800-171 is and how it applies to your organization?
This NIST 800-171 compliance checklist will help guide you through the 14 main areas of focus within NIST SP 800-171, give you an 8 step process to achieve NIST compliance, and share 8 best practices when preparing for an audit.
NIST 800-171 Requirements Checklist
In 2017, the National Institute of Standards and Technology (NIST) released Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”.
This publication provided guidance on protecting unclassified information from unauthorized disclosure by implementing specific security requirements. To learn more about NIST policies and standards, click here.
The first step towards compliance is understanding the 14 security families mentioned in NIST SP 800-171 and the purpose of each of these main focus areas when it comes to protecting controlled unclassified information (CUI).
1. Access Control
By controlling who has authorization in the first place, you can keep out everyone who doesn’t need to access the data. You can restrict access for each part of your network.
If someone gets into a place where they don’t belong, you can automatically terminate their session and kick them out. In addition, you should limit how many unsuccessful login attempts each user gets in an effort to prevent hackers brute-forcing your server.
2. Awareness and Training
To handle the human side of things, your organization should focus on some awareness and training. A big part of cybersecurity revolves around the users. Ensure your staff knows the cybersecurity risks and how to mitigate them as they use devices on the network.
3. Audit and Accountability
When an event occurs, there might be an investigation. To save time and effort, you should have a consistent auditing and accountability portion of your business. This includes creating, reviewing, and retaining system-level logs and records. Create an alert in case the logging process fails.
4. Configuration Management
In this part of the checklist, you should establish and maintain a series of configurations for all the systems within your organization. Having the right security configuration settings will make your business safer. Utilize policies like blacklisting, whitelisting, and restriction of nonessential programs and services.
5. Identification and Authentication
Your system needs to confirm the identity of all the users before allowing access. In the cybersecurity world, this is called authentication and identification. It’s the process of verifying each user, device, and process that’s used. Implement multi factor authentication for better results.
6. Incident Response
The first task is to create a process for handling incidents. This includes preparation, analysis, detection, recovery, containment, and user responses. From there, be sure to track and test your organization’s capabilities.
Regular maintenance will keep your network as secure as possible. When equipment is replaced or updated, wipe the removed equipment and remove all CUI. Whoever performs your maintenance, typically a system administrator should have to go through multiple identity checks to ensure the power doesn’t get transferred to the wrong person.
8. Media Protection
Personal media is a big weakness for most companies. USB flash drives can be used to upload malware, steal files, and gain access to your whole network. As such, you should protect your system from media like this.
In addition, you’ll want to restrict CUI access via media. Any in-house media that’s used should be marked with the necessary CUI and their use should be controlled.
9. Personnel Security
The first step of personnel security involves a screening and background check of incoming employees. The final step is the removal of permissions when an employee gets terminated or transferred. They shouldn’t be able to access any CUI unless they are currently in a role that needs it.
10. Physical Protection
Physical interaction with servers, documents, and media is very dangerous. If a criminal can get physical access to a device on your network, they have a good chance of forcing their way into your network.
Whenever someone accesses a room that stores physical media, they should sign a log. All physical access devices should be controlled and properly managed.
11. Risk Assessment
Perform and maintain routine risk assessments. This will help you identify vulnerabilities that should be remediated as soon as possible.
12. Security Assessment
The same is true for your company’s security. You should have a robust plan of action for identifying, eliminating and reducing all vulnerabilities. Update the system security plans regularly to keep them up-to-date.
13. System and Communications Protection
It’s easy for an employee to accidentally share information with someone who doesn’t have the authorization to know it. Protecting incoming and outgoing communications is one way to combat this. Be sure to protect the confidentiality of all information that gets shared through encrypted messaging.
14. System and Information Integrity
When a flaw is noticed in the system, it should be identified, reported, and corrected. The system should be regularly monitored as a means to protect against malicious code or actions. Any unauthorized use of networked devices should be monitored and reported.
Your 8 Step NIST 800-171 Compliance Checklist
NIST 800-171 fills the gaps in areas where there aren’t specific laws from the federal government that say how controlled unclassified information (CUI) should be handled.
Following the 8 steps below will help you establish security controls and security policies that will safeguard your sensitive information, and help you meet NIST SP 800-171 compliance requirements.
Step 1: Identify Your CUI
To start, you need to know what level of Controlled Unclassified Information (CUI) your company has. You’ll need to do a full audit of your systems from the employee’s device all the way to the final user. There are automatic tools that will do this for you.
This step is about gathering as much data as possible. What kind of CUI do you have, where is it used, and how many devices access it?
Step 2: Categorize Your CUI Data
Then, NIST 800-171 says that you need to categorize CUI. NIST outlines 20 approved categories which each has its own set of standards.
Step 3: Perform a Security Assessment
No matter how large your DoD contracting office is, you’ll need to build a strong security system. That starts with a security assessment. This will help you understand your current cybersecurity strength, find out your weaknesses, and understand the path forward.
Step 4: Develop Baseline Controls
Baseline controls will help you stay secure against external threats and provide you endpoint protection. These all go into your data protection strategy which prevents a cyber event.
Step 5: Perform Ongoing Risk Assessments
It’s important to regularly perform risk assessments. This will measure all the security measures you have in place and understand how you can protect your CUI from new threats.
Step 6: Document Your Security Plan
To comply with NIST 800-171, you need to have a written security plan. As you perform assessments, the plan will update, and each revision needs to be published with a date and revision number.
Step 7: Create a Response Plan
A response plan will outline how your business will react after a cyber event. In the unfortunate case that an event occurs, you will follow your response plan to ensure a timely and cost-effective return to operation.
Step 8: Educate Employees
After all of these steps are completed, you need to tell your employees. Having a staff that is well-versed when it comes to cybersecurity awareness will help to prevent an event in the future. When policies change, your employees should be informed.
NIST 800-171 Audit Preparation Checklist
Audits will routinely happen from time to time. If you’re not prepared, you can wind up scrambling and wasting a lot of manpower trying to gather the right information. To avoid this, follow our audit preparation checklist below.
Step 1: Determine Your Compliance Scope
Your compliance scope will depend on the sensitivity and form of data that you deal with. As a DoD contractor, there’s a wide range. Some contractors have to deal with top-secret technological data, which puts them in a more stringent compliance level.
The best way to determine your compliance scope is with the help of a cybersecurity expert who understands NIST 800 171 compliance.
Step 2: Gather Documents
A lot of supporting documentation is required during an audit. Either create a folder with all the documents needed or have a written form that maps out where the data is.
You’ll need to produce documents like data flows, system architecture, system boundaries, anticipated changes, network mapping, and personnel information.
Step 3: Perform a Gap Analysis
A gap analysis will highlight the distance between your current configuration and the ideal configuration. In your case, it will show your current information security standards and compare them to the NIST-specified requirements.
Step 4: Document Control Gaps
Document control is the process of updating documents, their data, and the revision levels. When a document is out-of-date, the superseding document should be referenced.
Failure to do this will show up as you produce this document control gap.
Step 5: Lay Out a System Security Plan (SSP)
Your system security plan is an outline of how you plan to be cyber secure. A lot of this plan would be generated after finishing the “NIST 800-171 Requirements Checklist” section earlier.
Step 6: Create a Plan of Action & Milestones (POA&M)
When you notice a gap or vulnerability, it should be added to your plan of action. The purpose of a plan of action is to show stakeholders and auditors how you will eventually be NIST 800-171 compliant, how you’ll achieve a more robust cybersecurity system, and what you need to do in order to avoid a future cyber event.
Step 7: Monitor, Maintain, Test, and Improve Controls
A control is anything designed to stop a future cyberattack. In this part of the checklist, you’ll want to start by building a list of your controls. This list should be updated as your system updates. Be sure to regularly test it and whenever a vulnerability is noticed, improve your controls.
Step 8: Put Together Your Audit Trail
Finally, you’ll want to collate all the information you put together from this checklist. This will act as your audit trail. When an auditor approaches you, you will use this single document as a means to show the work you’ve done in order to stay NIST 800-171 compliant and the state of your cybersecurity system.
Make NIST 800-171 Compliance much easier with cuick trac™
If you provide services to the DoD it’s important to understand and comply with NIST standards, and the emerging cybersecurity maturity model certification (CMMC 2.0). It will ensure you don’t miss out on federal contracts, and it will keep your business safer in the meantime.
Using these NIST 800-171 compliance checklists will help save you time and effort in the future, but if you’re like most small-businesses you may lack the time, money, and resources to build a fully compliance solution in-house.
That’s where cuick trac™ can help.
Our team of NIST cybersecurity experts spent over 4 years engineering cuick trac™, the most robust, done-for-you NIST 800-171 compliance product in the market.
We’ve partnered with the most trusted third-party security providers to build a pre-configured, virtual enclave that provides end-to-end encryption for CUI, a DFARS/NIST 800-171 compliant firewall, multi-factor authentication (MFA) and more features than any of its competitors.
Even better, it’s fully customizable and can be configured in as little as 14 days.
Join us on a quick 30-minute demo to see how cuick trac™ works, and learn if it’s a fit for your organization.
No pushy sales tactics, no email spam, no snake-oil. One of our product experts will walk you through the features you’re most interested in and answer any questions you have about NIST compliance.