How to Achieve NIST 800-171 Compliance

Written by Sajid Shafique

For many organizations that process or store Controlled Unclassified Information, or CUI, for Government agencies, compliance with NIST 800-171 is often a contractual obligation. Previously we have discussed what is meant by CUI and explained what NIST 800-171 compliance is. In today’s article, we will be diving into the details of how to achieve compliance with the requirements stipulated by NIST 800-171.

Compliance with NIST 800-171

At present, compliance with NIST 800-171 is achieved through a self-assessment process as there is no official certification available. Organizations can go through the self-assessment process alone or seek help from a third-party assessment company as the process of achieving and assessing compliance is time-consuming and complex.

The first step in achieving compliance with NIST 800-171 is to locate and identify the systems in the organization’s network that are storing and processing CUI. CUI can be stored and/or processed in a number of places. This may include local or cloud storage solutions; endpoint devices such as employee workstations or mobile devices; and portable media.

Once CUI is located and identified, the next step is to implement the security controls required by NIST 800-171 for safeguarding the CUI. NIST 800-171 requires 110 administrative and technical security controls, which are organized into the following 14 control families.   

1. Access Control 
2. Awareness and Training 
3. Audit and Accountability
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Personnel Security
10. Physical Protection
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection
14. System and Information Integrity
    

Evidence for NIST 800-171 Compliance

In order to provide evidence of compliance with the NIST 800-171 security requirements, organizations will need to develop two essential documentation: The System Security Plan (SSP) and the Plan of Action & Milestones (POA&M).

System Security Plan (SSP): 

As per NIST, System Security Plan (SSP) is defined as a “formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.” 

The SSP serves as the primary evidence to prove compliance with the security requirements set forth by NIST 800-171. The SSP provides a detailed description of an organization’s CUI environment, which includes: 

• Detailed description of the organization’s system, including all hardware and software in the organization’s network.
• The purpose and the type of CUI handled by the organization and the processes of how they are used.
• The security controls that are implemented to safeguard the CUI.

Plan of Action & Milestones (POA&M): 

According to NIST, a POA&M is “a document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.”

The POA&M document outlines how and when an organization will take remedial actions to address gaps and deficiencies in security controls required by NIST 800-171. 

Compliance, In Conclusion

Achieving compliance with NIST 800-171 security requirements can often be a complex and time-consuming process. It takes implementing the required security controls and providing evidence of compliance with extensive documentation. If your organization is looking to gain NIST 800-171 compliance, the best place to start is with an overview of the requirements. Given the considerable scale and effort involved, a trusted third party like Idenhaus can help to streamline the process and ensure compliance. Contact us today for more information on how Idenhaus can help your organization.