How to stay compliant with NIST SP 800-171

If you’re part of the US federal government supply chain, at some point you’ll have heard of NIST.

The National Institute of Standards and Technology (NIST) sets out data security mandates for government departments and agencies. In 2017 it implemented a sweeping set of new data protection rules called NIST SP 800-171.

CUI

The directive addresses Controlled Unclassified Information or CUI, and the cybersecurity measures needed to keep it from falling into the wrong hands.

CUI is defined by NIST as ‘information that requires safeguarding or dissemination controls.’ So means data which is sensitive, but not classified.

It’s a blanket term that unifies the many acronyms government departments and agencies have for such information. It’s ‘SBU’ (Sensitive but Unclassified) in State Department speak. LES (Law Enforcement Sensitive) in the language of the Department of Justice, and so on.

Federal contractors need the data in order to fulfill their daily responsibilities on government projects, and may host it on non-government IT systems.

While many Federal contractors selling products and services into the federal government were already expected to protect CUI under a previous NIST directive, NIST SP 800-171 applies to the suppliers’ suppliers – the companies that provide main contractors with parts and equipment.

Applying NIST’s rules further down the supply chain exposed many smaller sub-contractors to the challenges of cybersecurity and data compliance for the first time.

Easy to classify, hard to find

In the wrong hands, CUI carries substantial security risk. It could include, for example, the information a drone manufacturer might hold on behalf of the Department of Defense, or the travel itineraries of senior Beltway bureaucrats.

Departments and agencies covered include NASA, The General Services Administration, and a host of federal and state agencies. The list of contractors and sub-contractors serving these massive, multi-billion dollar government bodies is lengthy — to say the least.

NIST SP 800-171 challenges them all to establish a cybersecurity framework that ensures they can maintain complete control over CUI data. They have to know exactly who has access to the information, and what they use it for.

Data security controls include:

• Access Control
• Configuration Management
• Awareness and Training
• Incident Response
• Auditing and Accountability
• Identification and Authentication
• Risk Assessment
• Media Protection
• System and Information Integrity

That long list makes compliance with NIST SP 800-171 challenging. The directive has been in place since the beginning of 2018, yet many government sub-contractors struggle to stay within the rules.

It’s not for lack of trying. The issue is knowing exactly where the CUI on their systems sits at any given time. As a broadly defined category of data, CUI is common and in widespread use. There’s a lot of it.

And skirting compliance is risky in the extreme. Contractors and sub-contractors who don’t follow the rules and regulations could fall afoul of the False Claims Acts, and risk losing their federal contracts.

What makes compliance with NIST SP 800-171 so difficult?

If you consider all the different types of business data companies hold on their systems, applying stringent security controls to one broadly-defined category isn’t something that can easily be turned on.

Data is often held in a variety of locations, systems, and formats that make mapping all the CUI in a federal contractor’s systems difficult.

Adding to the complexity is the fragmented data landscape most organisation’s find themselves in.

What if there are paper documents with CUI that haven’t yet been digitised? What if the CUI exists in one section of a video or recording?

Capturing unstructured CUI data is a significant challenge – but perhaps the biggest is simply knowing where all the CUI a federal supplier has in its systems is located.

And even if you could map your CUI accurately, how would you prove it, and ensure a timely response to any queries from regulators or auditors?

 A complex undertaking

Implementing the cybersecurity framework demanded by NIST SP 800-171 is a complex undertaking that needs to happen at a granular level. It begins with understanding exactly where your all your CUI sits.

Examples of CUI include electronic file formats like email, documents, and spreadsheets. It also covers drawings, sales orders and contracts, blueprints, or hard copies such as printouts.

Consider this scenario: in the course of fulfilling a federal contract, you receive email with attached files from the agency that’s contracted you.

• That information (which is CUI) now resides on your company’s email system, and potentially on that workstation’s hard drive. As CUI it must be protected.
• If you develop proprietary information for the DoD or one of its primary suppliers, that information must be protected.
• If you receive printouts through the mail or by courier from the department, that information must be protected.

To comply with the NIST 800-171 mandate, companies must conduct a detailed audit of critical systems that hold or transmit CUI. That covers servers and storage devices, workstations and laptops, and network appliances like routers and switches – even printers.

Physical security may also need to be examined.

Compliance becomes very complex, very quickly.

GTB Has the answer 

At GTB we know that Data Protection under any regulatory regime is a significant challenge.  Data Classification is the key first step – having the ability to accurately identify and discover what CUI you have on company systems, where it sits, who has access to it, and what security protections apply to it.

GTB Data Discovery with Classification locates and classifies CUI data, and helps remediate any vulnerabilities.

Staying compliant is made even more complex by the consumerization of data and BYOD policies. GTB’s patented and proprietary technology provides organizations with the overall control and visibility needed to protect data and enforce compliance.