NIST Special Publication 800-171 provides federal agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when that information resides in nonfederal systems and organizations, such as contractors that process CUI on behalf of an agency. Like NIST SP 800-53, from whose moderate baseline many of its requirements are derived, it is part of the Special Publication 800-series, in which the Information Technology Laboratory (ITL) reports its research, guidelines, and outreach efforts in information system security and its collaboration with industry, government, and academic organizations.
NIST SP 800-171 is published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act of 2002 (FISMA) and in managing cost-effective programs to protect their information and information systems. Revision 1 of SP 800-171 was released in December 2016; later revisions have since been published, so confirm which revision a given contract requires.
Each of the fourteen requirement families in SP 800-171 is split into basic requirements (drawn from FIPS 200) and derived requirements (drawn from the NIST SP 800-53 moderate baseline). The Configuration Management family, for example, reads as follows:
Basic Security Requirements
- Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
- Establish and enforce security configuration settings for information technology products employed in organizational systems.
Derived Security Requirements
- Track, review, approve or disapprove, and audit changes to systems.
- Analyze the security impact of changes prior to implementation.
- Define, document, approve, and enforce physical and logical access restrictions associated with changes to systems.
- Employ the principle of least functionality by configuring systems to provide only essential capabilities.
- Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.
- Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
- Control and monitor user-installed software.
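As an added example (not part of the original page or of NIST's publication), the following Python script shows one way to check a host against the least-functionality and deny-all, permit-by-exception requirements above: it parses a snapshot of listening TCP sockets in the format produced by `ss -tlnp` and reports every service that is not on an approved allowlist, flagging whether the socket is reachable from other hosts. The sample `ss` output and the allowlist are both constructed for this example; on a real system the allowlist would come from the organization's documented baseline configuration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of `ss -tlnp` output on a Linux host.
# It is not captured from a real system.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1201,fd=5))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("inetd",pid=540,fd=4))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1400,fd=6))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1400,fd=7))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Hypothetical approved baseline for this host: every (port, process) pair
# not listed here is denied. The allowlist is an assumption for the example.
ALLOWED_SERVICES: frozenset[tuple[int, str]] = frozenset({
    (22, "sshd"),        # remote administration
    (443, "nginx"),      # HTTPS only; plain HTTP on 80 is not approved
    (5432, "postgres"),  # database, expected to bind to loopback only
})

LOOPBACK_ADDRESSES = {"127.0.0.1", "[::1]"}

# One LISTEN row: state, two queue counters, local addr:port, peer addr:port,
# then the first process name inside users:(("name",pid=...,fd=...)).
_LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str

    @property
    def exposed(self) -> bool:
        """True when the socket is bound to something other than loopback."""
        return self.address not in LOOPBACK_ADDRESSES


def parse_ss(output: str) -> list[Listener]:
    """Extract listening TCP sockets from `ss -tlnp`-style text."""
    listeners = []
    for line in output.splitlines():
        match = _LISTEN_RE.match(line)
        if match is None:
            continue  # header line or a row without process information
        address, port, process = match.groups()
        listeners.append(Listener(address, int(port), process))
    return listeners


def audit(output: str, allowed: frozenset[tuple[int, str]]) -> list[tuple[int, str, bool]]:
    """Return (port, process, exposed) for every listener not in the allowlist.

    Duplicate IPv4/IPv6 bindings collapse into one finding; results are sorted
    so externally reachable services come first, then by port number."""
    findings = {
        (lst.port, lst.process, lst.exposed)
        for lst in parse_ss(output)
        if (lst.port, lst.process) not in allowed
    }
    return sorted(findings, key=lambda f: (not f[2], f[0]))


if __name__ == "__main__":
    for port, process, exposed in audit(SAMPLE_SS_OUTPUT, ALLOWED_SERVICES):
        scope = "EXPOSED" if exposed else "loopback only"
        print(f"unauthorized listener: {process} on tcp/{port} ({scope})")
```

On the constructed sample the script flags telnet (inetd on tcp/23) and nginx on tcp/80, while sshd, postgres on loopback, and nginx on 443 pass. To use it on a real host, replace the embedded sample with the actual output of `ss -tlnp`; the same deny-all, permit-by-exception comparison can be applied to installed packages and enabled services, using the inventory maintained under the first basic requirement as the allowlist.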
Below are six steps a contractor or subcontractor can take toward NIST 800-171 compliance with respect to information exchange governance:
- Locate: Identify the systems in your network that hold CUI.
- Limit: Implement access controls so only authorized employees can view, download and share files containing CUI.
- Encrypt: Encrypt CUI both in transit and at rest; SP 800-171 requires FIPS-validated cryptography wherever cryptography is used to protect the confidentiality of CUI.
- Monitor: Log and review who is accessing CUI and how they are using it.
- Train: Educate employees on the fundamentals of information exchange governance and best practices, and do so at regular intervals, not just during the onboarding process.
- Assess: Conduct a security assessment that examines all systems, environments and information exchange procedures to assess risk.