If you do business or plan to do business with certain government agencies such as NASA, the GSA (General Services Administration), or the DoD (Department of Defense), the National Institute of Standards and Technology (NIST) has created a list of standards that define how to protect and distribute material regarded as sensitive but not classified.
NIST SP 800-171 refers to NIST Special Publication 800-171, which governs the protection of Controlled Unclassified Information (CUI) in nonfederal information systems and organizations. The CUI requirements are intended for use by federal agencies that contract with nonfederal organizations for work. It covers how government contractors are to safeguard, process, store, and use certain kinds of federal information in nonfederal information systems.
NIST SP 800-171 Compliance Requirements
- Access Control – Covers limiting system access and types of transactions to authorized users and their assigned permission levels.
- Awareness and Training – Requires that all managers, system administrators, and users be made aware of security risks and properly trained to avoid them.
- Audit and Accountability – Requires systems to keep audit logs of all activities so actions can be traced, and users can be held accountable for their actions in the system.
- Configuration Management – Limits an organization’s systems to providing only the essential functionality needed for the tasks they perform.
- Identification and Authentication – Covers the authentication of the identities of users, processes, or devices before allowing access to organizational systems.
- Incident Response – Deals with how to track, document, and report incidents to the appropriate authorities internally and externally to the organization.
- Maintenance – Requires you to make sure any equipment taken off-site for repairs has been scrubbed of all CUI.
- Media Protection – Covers the protection of digital and paper media as it relates to storage, backup, and disposal.
- Personnel Security – Requires you to properly screen all employees before giving them access to sensitive information.
- Physical Protection – Limits access to your work environment and systems to authorized individuals only.
- Risk Assessment – Covers periodically assessing your systems and users for vulnerabilities.
- System and Communications Protection – Deals with preventing unauthorized transfers of data via shared system resources.
- System and Information Integrity – Requires you to monitor your system for attacks and report and fix flaws in a timely manner.
How Can You Make Sure You’re Compliant?
As you can see, the NIST SP 800-171 compliance requirements are quite detailed. A breach caused by a failure to comply is not only a threat to national security but can carry severe legal penalties and financial losses as well. If you’re unsure of how to bring your system into compliance, partner with an industry expert.
Contact NIC for a consultation today.