Explaining NIST SP 800-171
The scope and scale of supply chain cyberattacks have continued to evolve over the years as Advanced Persistent Threat (APT) actors have become more and more dangerous and sophisticated with their attack methods. This is clearly demonstrated by the massive SolarWinds cyberattack, where Russian hackers compromised a commercial software application made by SolarWinds, allowing them access to thousands of networks, including at least nine US Federal Agencies.
With the likelihood of being hit by a cyberattack increasing day by day, the US Federal government has enacted laws and regulations to protect the federal cyber-infrastructure from such attacks. While being compliant with these laws and regulations is indeed necessary, it has also introduced new problems for organizations as they are often uncertain about what compliance measures they need to accomplish.
Under the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS), organizations that are part of the federal supply chain and that process, store or transmit controlled unclassified information (CUI) to fulfill obligations under their government contracts are required to implement the recommended security requirements contained in NIST SP 800-171.
Before diving into what NIST SP 800-171 compliance is, let us first discuss what constitutes CUI.
Controlled Unclassified Information (CUI)
In 2010, the US federal government established the CUI program through Executive Order 13556 for managing all unclassified information in the Executive branch. In layman’s terms, CUI is any government information that is not classified but still needs to be protected. The CUI Program established an online repository called the CUI Registry to provide guidance on common definitions, policies, and requirements for handling CUI. Because fewer controls apply to CUI than to classified information, attackers may target CUI as the path of least resistance. Thus, safeguarding CUI is extremely important for protecting national security.
What is NIST SP 800-171?
The National Institute of Standards and Technology (NIST) created the “NIST Special Publication 800-171 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” in 2015 (currently at revision 2, published in 2021) to provide recommended requirements for safeguarding the confidentiality of controlled unclassified information (CUI) that resides in non-federal systems. Any organization that handles CUI as a government contractor is obligated to implement the recommended requirements stipulated in NIST SP 800-171 to ensure that its systems are reasonably secure and the CUI that resides in those systems is protected.
NIST SP 800-171 comprises 110 controls across 14 control families for the protection of CUI. Organizations seeking to comply with the requirements recommended by NIST SP 800-171 need to provide evidence of compliance through extensive documentation such as the System Security Plan (SSP) and the Plan of Action & Milestones (POA&M).
Being involved with the federal supply chain connected to government contracts is extremely lucrative for many organizations. But successfully winning those contracts and keeping them requires compliance with NIST SP 800-171, which may necessitate a deep dive into the organization’s systems and procedures to ensure that the recommended security requirements are appropriately implemented and tested. Given the considerable scale and effort involved in the process, one crucial step organizations may take is to start working with a cybersecurity consulting firm like Idenhaus that knows the NIST SP 800-171 requirements inside and out, as failure to comply could have dire consequences.