NIST 800-171 provides a framework for the protection of Controlled Unclassified Information (CUI). The framework is intended to guide nonfederal entities that work with or access the data of federal entities. However, NIST 800-171 also serves as a best-practice set of privacy and security controls for many types of unclassified data.
CUI includes such information as Personally Identifiable Information (PII) and Protected Health Information (PHI), as well as items specifically identified by federal oversight authorities. Everything from financial information to agricultural operations to student records is considered CUI.
The requirements of NIST 800-171 can be daunting. There are 109 components in 14 areas to be addressed, including:
3.1 Access control
3.2 Awareness and training
3.3 Audit and accountability
3.4 Configuration management
3.5 Identification and authentication
3.6 Incident response
3.7 Maintenance
3.8 Media protection
3.9 Personnel security
3.10 Physical protection
3.11 Risk assessment
3.12 Security assessment
3.13 System and communications protection
3.14 System and information integrity
In our experience, the best approach to complying with the framework follows this process:
1. Identify CUI and relevant systems – Information technology (IT) environments have grown increasingly complex. Many organizations that are required to comply with NIST 800-171 aren’t even sure where their CUI resides. The first step of HORNE Cyber’s compliance process is to perform a data inventory by analyzing the data maintained in each system. The data fields in each software system should be reviewed for potential CUI. The flow of information through each system must also be traced, since every system that houses or processes CUI is in scope for the overall process.
2. Perform readiness assessment – Once the population of relevant systems and CUI is determined, a readiness assessment should be performed. A readiness assessment is a pre-audit in which the controls for each relevant system are compared to the 109 individual requirements of NIST 800-171. Areas in which controls do not satisfy an objective are identified as gaps. Note that the framework requires written policies and procedures: an organization may have an informal process that addresses the underlying control objective, but it will still be considered deficient if that process is not formally documented.
3. Develop remediation road map – The gaps identified in the readiness assessment should be evaluated by impact and cost to remediate. This evaluation drives the organization’s remediation plan.
4. Perform remediation – The longest phase in adopting NIST 800-171 is the remediation phase. An organization may be required to make substantial changes to IT infrastructure and policies as well as business processes. Depending on the complexity and cost of remediation, it could take months to a year or more to fully comply with the standard. For organizations with longer-term remediation plans, management should identify the compensating controls already in place as a way to address shorter-term risk.
5. Audit controls – At the completion of the remediation process, the organization should perform an audit of the NIST 800-171 controls. This audit will confirm both newly implemented and formerly existing controls are operating as intended.
6. Monitor – Ongoing monitoring is key to avoiding surprises. Organizations change every day, and these changes affect the underlying internal controls. The NIST 800-171 requirements should be monitored at least annually, with quarterly reviews being a best practice, to ensure that the organization remains in compliance.
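A small gap register illustrating steps 2 and 3 above (added here as an example; it is not HORNE Cyber's tooling): each requirement is marked as a gap when it is either not in place or in place but undocumented, which is the readiness-assessment rule from step 2, and the open gaps are then ordered by impact and remediation cost for the road map in step 3. The requirement IDs, scores and status values in SAMPLE are constructed for illustration, not findings from any real assessment.

```python
from dataclasses import dataclass
# The 14 NIST SP 800-171 control families listed on this page.
FAMILIES = {
    "3.1": "Access control", "3.2": "Awareness and training",
    "3.3": "Audit and accountability", "3.4": "Configuration management",
    "3.5": "Identification and authentication", "3.6": "Incident response",
    "3.7": "Maintenance", "3.8": "Media protection",
    "3.9": "Personnel security", "3.10": "Physical protection",
    "3.11": "Risk assessment", "3.12": "Security assessment",
    "3.13": "System and communications protection",
    "3.14": "System and information integrity",
}

@dataclass
class Requirement:
    req_id: str        # "3.x.y"; the family is the leading "3.x"
    in_place: bool     # the control operates, formally or informally
    documented: bool   # a written policy/procedure covers it
    impact: int        # 1 (low) .. 5 (high): exposure if the gap stays open
    cost: int          # 1 (cheap) .. 5 (expensive) to remediate

def family_of(req_id: str) -> str:
    return ".".join(req_id.split(".")[:2])

def gap_reason(r: Requirement):
    """None when the requirement is satisfied, otherwise why it is a gap.
    Per the readiness-assessment rule above, an informal process with no
    written policy is still counted as deficient."""
    if not r.in_place:
        return "control not in place"
    if not r.documented:
        return "informal process, no written policy/procedure"
    return None

def roadmap(reqs):
    """Gaps ordered for the remediation road map: highest impact first,
    then cheapest to fix. Returns (req_id, family name, reason) tuples."""
    gaps = [r for r in reqs if gap_reason(r)]
    gaps.sort(key=lambda r: (-r.impact, r.cost, r.req_id))
    return [(r.req_id, FAMILIES[family_of(r.req_id)], gap_reason(r)) for r in gaps]

# Constructed sample assessment results, not findings from any real system.
SAMPLE = [
    Requirement("3.1.1", True, True, 5, 2),    # satisfied: no gap
    Requirement("3.1.2", True, False, 4, 1),   # works, but undocumented
    Requirement("3.5.3", False, False, 5, 4),  # not implemented
    Requirement("3.6.1", True, False, 5, 1),   # works, but undocumented
    Requirement("3.14.1", False, False, 3, 3), # not implemented
]
```

Running `roadmap(SAMPLE)` lists the undocumented incident-response control first, because a high-impact gap that is cheap to close by writing the procedure down belongs at the top of the road map.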
Federal oversight authorities are beginning to include NIST 800-171 in contract and grant awards. Failure to comply with the framework could result in losing significant federal funds. Many organizations that rely on these grants do not have the capacity or expertise to implement NIST 800-171 while maintaining day-to-day activities. Using a co-sourcing approach with an outside consultant, like HORNE Cyber, can alleviate internal resource constraints and allow an organization to focus on its core mission.