The NIST 800-171 standard provides government guidelines regarding the storage, security, and distribution of sensitive data, making it key to your compliance journey.
Because of the complexity of 800-171 requirements, using a checklist ensures that your company is in compliance and eligible to be awarded government contracts.
The process of becoming compliant can be confusing and difficult to tackle without guidance from an expert so we've prepared a checklist to help with that.
Step 1 of NIST 800-171 Checklist: Identifying Relevant Data
First, you need to identify any data that meets the definition of CUI (Controlled Unclassified Information).
This is government-controlled and owned, non-military information that includes financial information, court records, patents, and personally identifying information (PII).
It is best to assume that this data could be found in any of your company’s systems or databases including email, employee devices, and third-party contractors.
Step 2 of NIST 800-171 Checklist: Categorizing Your Data
The NIST 800-171 has instructions on how various types of data should be handled. Once you have identified their location, the data should be categorized based on type.
The standards for NIST 800-171 will guide which specific compliance activities apply to each type. Find the latest list of CUI categories on the National Archives website.
Step 3 of NIST 800-171 Checklist: Establishing Baseline Controls
Baseline controls are a set of guidelines and standards that your organization will follow to protect the data within your organization.
These controls should align with the security requirement families that are outlined in the NIST 800-171 standard.
The level of detail for each security requirement family will depend on the specific security needs of your company and the type of information that your systems store.
» List of NIST 800-171 Security Requirement Families
Take a moment to review and become familiar with each of the 14 security requirement families. The list below includes the 14 families and a brief description.
Forgetting to address any one of these areas in your baseline controls could leave your company open to security risk or NIST 800-171 non-compliance.
- Access Control - Addresses how your organization plans to control access to company systems such as routers, computers, servers, firewalls, and networks.
- Audit and Accountability - Process for collecting and reviewing information regarding system and process audits.
- Awareness and Training - Outlines your organization’s training program on security and data protection protocols.
- Configuration Management - Documentation of corporate network configurations and cybersecurity protocols and plan for ongoing management.
- Identification and Authentication - Guidelines for who is approved to access CUI data and how those individuals’ identities will be confirmed.
- Incident Response - Your incident response plan will outline what your organization will do in the event of a data security breach or cyberattack.
- Maintenance - You need to have a plan for conducting maintenance on systems that contain CUI data including frequency, process, and authorized personnel.
- Media Protection - Guidelines for how to protect and maintain storage devices such as servers, memory cards, and hard drives. This should also include protocols for how old devices will be decommissioned or destroyed.
- Personnel Security - Defines how your organization will screen, monitor, and terminate employees in a manner that will protect systems and CUI data.
- Physical Protection - This section defines how your physical buildings and rooms containing critical systems and CUI data will be secure.
- Risk Assessment - Includes risk assessments and management policies on how systems are categorized according to NIST 800-171 risk levels, how often reports are generated and who receives them, and how vulnerabilities are addressed.
- Security Assessment - Outlines plan to periodically assess your data security plan and make updates.
- System and Communications Protection - This section describes how communication containing sensitive data will be monitored, shared, and stored.
- System and Information Integrity - Requirement that outlines how quickly you can detect and repair system flaws that open your organization up to cyber-attacks.
In addition to establishing baseline controls, you will need to create a written plan that addresses each of these areas (see Step 6 of this checklist).
Step 4 of NIST 800-171 Checklist: Testing Your Baseline Controls
Once your baseline controls are established and implemented, you should perform a comprehensive compliance evaluation based on the 320 assessment objectives outlined in the NIST SP 800-171A publication.
The output of the evaluation will provide you with an overview of any overlooked vulnerabilities. You can also hire an outside firm to help evaluate your systems to ensure all controls are met. and working as intended.
Additionally, by making a note of any gaps or security concerns your organization will have valuable feedback to further update your baseline controls.
Step 5 of NIST 800-171 Checklist: Ongoing Risk Assessment
You must implement an ongoing risk assessment process and schedule. For example, one-time testing is a great way to ensure that your baseline controls work.
However, new risks will emerge that you didn’t originally plan for.
The NIST 800-171 standard dictates that regular, ongoing monitoring and testing should be a part of your security plan. The more frequently you conduct testing of your security systems, the better your organization will be able to maintain NIST 800-171 compliance.
All risks and non-compliance information should be documented in a centralized log for future reference. The centralized log is formally known as a System Security Plan (SSP).
Step 6 of NIST 800-171 Checklist: Writing a Systems Security Plan Based on Controls
The NIST 800-171 standard dictates that you must create a system security plan that addresses each of the security requirement families.
This plan will describe how your organization plans to meet the NIST 800-171 requirements and handle any known threats.
This system security plan can be requested from government agencies at any time, so it is critical that you have all documentation ready and available.
NIST Special Publication 800-18 provides guidelines and recommendations for creating your systems security plan. This document also provides a template in the appendix.
Step 7 of NIST 800-171 Checklist: The Rollout Plan
The documented security plan should be distributed to all employees, contractors, or individuals who have access to systems that contain CUI data.
Conducting detailed training sessions with the team will help ensure that they understand the plan and know how to implement it. The NIST 800-171 standard recommends training be tailored depending on job type or role.
For example, managers and systems administrators should receive training on high-level protocols. Other employees should receive training on the aspects that apply only to their job. Every employee should receive training on how to identify and report risks.
In addition to the initial rollout, you should create a plan for a refresher training schedule once a year. The Human Resources department should also be consulted on how to incorporate the training into all new hires onboarding.
Step 8 of NIST 800-171 Checklist: Monitoring & Analyzing Data
To help keep your organization in compliance, you should regularly perform compliance reviews against the NIST SP 800-171A publication for important information regarding the current risk to the company’s data systems.
Any concerning trends should be identified and acted upon immediately.
Step 9 of NIST 800-171 Checklist: Security Plan Review & Updates
Over time, your organization may update or change systems, gain access to new types of government data, or make organizational changes.
You may need to review your plan to confirm no updates are needed to account for these changes. Updates should be made to the security plan and communicated quickly.
By creating a centralized location to store the documentation, you can reduce the risk of individuals referencing old versions of the plan opening your company up to risk.
Once you have completed the NIST 800-171 checklist and your firm is in compliance, you will want to work toward getting CMMC certified...
Compliance Doesn’t Always End with NIST 800-171
Once you have gone through the NIST 800-171 checklist, your organization may need to prepare for the Cybersecurity Maturity Model Certification (CMMC).
Due to past failures of contractors to conform through self-assessment, the Department of Defense now requires all contractors to be certified before being awarded contracts.
It is important to note that CMMC compliance does not equal NIST 800-171 compliance as there are currently 63 additional controls not evaluated under the CMMC.
The certification can take several months to achieve and often requires a third party to validate your compliance. If you have any upcoming work that you are bidding on with the federal government, it’s critical that you start this process right away.