Companies seeking to work with US governmental agencies need to adhere to strict standards for cybersecurity. This is especially true for contractors looking to work with the US Department of Defense (DoD). To secure specific contracts, and maintain preferred status, you’ll need to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. And to do so, there are several NIST 800 171 compliance tools at your disposal.
Making the Most of Your Nist 800-171 Compliance Tools
If your company is looking to contract with the DoD, that means you’re either already, or are looking to become, part of the Defense Industrial Base (DIB) sector. As a part of the key infrastructure that supports our military, and by extension, the safety of all Americans, it is imperative that you keep all sensitive information protected.
To that effect, complying with NIST 800-171 is a significant first step. In this guide, we’ll break down everything you know to make use of these tools, including:
- How to understand the framework itself
- What additional NIST resources to utilize
- Other compliance requirements to prepare for
- The benefit of comprehensive advisory services
By the end, you’ll be ready to keep your stakeholders—the entire US—safe. Let’s get started!
Understand the 800-171 Requirements
The central core of NIST 800-171, in Revision 2 as in earlier versions, comprises a set of 110 Requirements. These are distributed across 14 Requirement Families or cybersecurity areas, and there are two types of Requirements therein: Basic and Derived. All Requirement Families contain at least one Basic Requirement, and most also include several Derived Requirements Requirements.
Basic Requirements detail the most fundamental controls in a given family, whereas Derived Requirements, where they apply, govern more complex and challenging measures.
The breakdown of Requirements across Families is as follows:
- Access Control – 22 Requirements, 2 Basic, and 19 Derived
- Awareness and Training – 3 Requirement, 2 Basic, and 1 Derived
- Audit and Accountability – 9 Requirements, 2 Basic, and 7 Derived
- Configuration Management – 9 Requirements, 2 Basic, and 7 Derived
- Identification and Authentication – 11 Requirements, 2 Basic, and 9 Derived
- Incident Response – 3 Requirements, 2 Basic, and 1 Derived
- Maintenance – 6 Requirements, 2 Basic, and 4 Derived
- Media Protection – 9 Requirements, 3 Basic, and 6 Derived
- Personnel Security – Just 2 Basic Requirements, none Derived
- Physical Protection – 6 Requirements, 2 Basic, and 4 Derived
- Risk Assessment – 3 Requirements, 1 Basic, and 2 Derived
- Security Assessment – Just 4 Basic Requirements, none Derived
- System and Communications Protection – 16 Requirements, 2 Basic, and 14 Derived
- System and Information Integrity – 7 Requirements, 3 Basic, and 4 Derived
To comply fully with NIST 80-171, you’ll need to implement all 110 requirements wholesale. And while the volume and complexity of these controls can be challenging, your NIST compliance tools should facilitate your understanding of what implementation requires.
Request a Free Consultation
Take Advantage of NIST’s Supplements
The base text of NIST SP 800-171 isn’t the only document to worry about for compliance. Besides, NIST publishes two companion texts to aid in companies’ implementation of the Requirements and overall 800-171 framework. These texts likely inform your tools.
These supplementary NIST documents are:
- SP 800-171A – Titled “Assessing Security Requirements for Controlled Unclassified Information,” this document details specific measures that are used to gauge the implementation of all 110 Requirements and, thus, the company’s relative security.
- SP 800-171B – Renamed SP 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information,” this document details further measures beyond the 110 Requirements that update and extend their protections, specifically against a new class of “advanced persistent threats” (APT), sophisticated hackers or cybercriminals.
Any NIST 800 171 compliance tools you use should integrate the metrics established in 171A to help you measure implementation before and after official assessment. Furthermore, while the controls in 800-172 aren’t applicable yet, it’s crucial to get a head start on them.
Prepare for Further Compliance Needs
NIST 800-171 compliance tools should help you handle NIST and all other Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 requirements. Namely, you need to adhere to the Cybersecurity Maturity Model Certification (CMMC).
Published by the Office of the Under Secretary of Defense for Acquisition and Sustainment, also known as OUSD(A&S), The CMMC comprises all of NIST 800-171, in addition to 800-172 and other frameworks, in a tiered system. Its core resembles that of NIST 800-171, with all 14 of its Families corresponding to CMMC Domains, along with three additional areas:
- Asset Management (AM), which governs the overall approach to inventory management
- Recovery (RE) which involves an immediate response to and retrieval of lost assets
- Situational Awareness (SA), which has to do with the company’s security context
Between these and the 14 Domains informed by the Requirement Families, 43 cybersecurity Capabilities are required for full implementation. These Capabilities comprise 171 Practices, distributed across all Domains. Unlike with NIST 800-171, however, these do not need to be implemented all at once; instead, they roll out over five Maturity Levels.
The Levels of the CMMC break down as follows:
- Maturity Level 1 – Introducing 17 Practices just to perform
- Maturity Level 2 – Adding 55 Practices to document carefully
- Maturity Level 3 – Adding 58 Practices to manage systematically
- Maturity Level 4 – Adding 26 Practices, requiring analytical review
- Maturity Level 5 – Finishing off with 15 Practices, continually optimizing
To contend with all the required controls, your NIST tools should assist in mapping safeguards from one framework onto another to minimize redundancies, maximizing efficiency.
Get the Most Out of Comprehensive Services
Finally, your NIST 800 171 tools should facilitate your implementation thereof and mapping onto other controls in a simplified, streamlined manner. The best services for compliance with all the requisite cybersecurity standards bundle all the support and infrastructural work you need into one holistic package. Ideally, it should be both robust and flexible, and affordable to boot.
RSI Security’s suite of NIST 800-171 advisory services is just such an all-in-one deal.
Beginning with our simplified NIST 800-171 data sheet, our platform prioritizes ease of access to robust protection without compromising on quality. We will meet with you and conduct a patch analysis to determine what controls are lacking, then work with your IT team and other company stakeholders to build out all mechanisms you need for full NIST compliance.
Plus, we are happy to work with you on other DoD cybersecurity needs, as well. We offer additional CMMC-specific support and, ultimately, compliance. As a Certified 3rd Party Assessor Organization (C3PAO), we can help you prepare for certification and certify you.
Professional Compliance and Cyberdefense
Here at RSI Security, we’re happy to help with any compliance requirements facing your company. That includes all duties concerning working with the DoD, like CMMC certification, as well as any other obligations you’re accountable to, like PCI-DSS, HIPAA, SOC 2—you name it!
Plus, we know that compliance is far from the end of cyberdefense: it’s just the beginning.
That’s why we’ve offered a whole host of cybersecurity services to companies of all kinds and sizes for over a decade. Our team of experts is qualified to assist you with everything from niche cloud security services or cybersecurity technical writing, up through company-wide programs, like managed detection and response (MDR), threat management, and overall managed IT.
RSI Security is your first and best option. For flexible yet robust NIST 800 171 compliance tools you can trust, or help with any other cyberdefense concerns, contact RSI Security today.
