Any business owner who wants to work with the Department of Defense (DOD) has to ensure their organization is secured against cybercrime. While even large firms can have trouble keeping up with security rules and regulations, the burden falls hardest on smaller companies with modest IT budgets. That’s why we’ve put together this NIST CSF and NIST 800 171 implementation guide targeted specifically at small to medium businesses.
NIST Implementation for Small-Medium Sized Businesses
The US government requires all contractors it works with, no matter how big or small, to adhere to certain security requirements. This is especially true of an agency as large and important as the DOD, which commands a budget of roughly $716 billion annually, employs over 2.87 million people, and spans over 4,800 sites across 160 countries.
So, what does it take to meet these NIST security requirements? For starters, you need to know how to:
- Implement the overall NIST Cybersecurity Framework
- Understand the granular details of NIST SP 800 171 implementation
With this information, you’ll have the foundation you need to become NIST compliant and ready to serve the DOD.
What is NIST Implementation, and Who Does It Apply To?
The National Institute of Standards and Technology (NIST) is a non-regulatory agency within the Department of Commerce. It’s responsible for developing standards for all sorts of products and services, including digital infrastructure.
NIST publishes numerous standards, guidelines, and control catalogs that shape how cybersecurity is practiced across industries. Which of them you must implement depends heavily on the nature of your business and industry.
For example, NIST’s Cybersecurity Framework (CSF) is voluntary at the national level: strongly recommended, but not required by law. Companies that make up the country’s critical infrastructure may, however, be required to implement the CSF by sector regulators or industry standards.
On the other hand, the controls detailed in the special publication “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” also known as SP 800-171, are contractually required for DOD contractors that handle controlled unclassified information (the requirement flows down through DFARS clause 252.204-7012). Implementation is therefore mandatory.
Implementing the CSF makes following other NIST controls easier. The CSF subcategories cite SP 800-53 controls as informative references, and SP 800-171’s Appendix D maps each of its requirements to those same SP 800-53 controls (and to ISO/IEC 27001), so the two documents can be aligned with each other.
Implementing the Broader NIST Cybersecurity Framework
In April 2018, NIST published the most recent edition of the CSF, version 1.1. It details a robust yet flexible cybersecurity scheme that can be mapped onto an institution’s existing practices or used as a roadmap to plan out its future infrastructure. NIST positions the CSF as a complement to the cybersecurity operations you likely already have in place prior to implementation.
All in all, the CSF is not meant to be a strict, prescriptive document detailing exactly what your company must do and how; instead, it’s more of a set of suggested guidelines.
There are three main components to the NIST CSF:
- The framework core
- Implementation tiers
- Institutional profiles
NIST CSF Framework Core and Functions Breakdown
The core comprises 5 main functions. Each function breaks down into a number of outcome categories (totaling 23), which cover the major cybersecurity needs of an organization. These are further divided into subcategories (totaling 108), each stating a specific outcome and citing informative references (such as SP 800-53 controls and ISO/IEC 27001 clauses) that can be used to achieve it.
Here’s a top-level synopsis of how the scheme works:
- Identify – Developing an organization-wide understanding of its main assets, business context, and risks, as well as what mechanisms are in place to protect them. It breaks down into 6 categories:
- Asset management practices (ID.AM)
- Overall business environment (ID.BE)
- Institutional governance (ID.GV)
- Risk assessment strategy (ID.RA)
- Risk management (general) (ID.RM)
- Risk management (supply chain) (ID.SC)
- Protect – Developing and implementing safeguards that ensure delivery of critical services and limit the impact of a potential cybersecurity event. This function breaks down into 6 categories:
- ID and access management (PR.AC)
- Training and awareness (PR.AT)
- Overall data security (PR.DS)
- Information protection processes and procedures (PR.IP)
- Maintenance practices (PR.MA)
- Protective technologies (PR.PT)
- Detect – Monitoring for and identifying cybersecurity events, such as anomalous activity or an actual breach, to enable a timely and effective response. There are just 3 categories:
- Anomalous events (DE.AE)
- Continuous monitoring (DE.CM)
- Detection procedures (DE.DP)
- Respond – Immediately responding to events as they occur, limiting the scope of exposure and mitigating, containing, or ending the threat as soon as possible. This breaks down into 5 categories:
- Response planning (RS.RP)
- Communications (RS.CO)
- Analysis (RS.AN)
- Mitigation (RS.MI)
- Improvements (RS.IM)
- Recover – Instilling resilience and regaining functionality (and compromised resources) during and after a cybersecurity event. This function comprises just 3 categories:
- Recovery planning (RC.RP)
- Improvements (RC.IM)
- Communications (RC.CO)
Importantly, again, the CSF is not a purely prescriptive document. It does not dictate which particular products or practices are needed to achieve any subcategory’s stated outcome. Also, because the CSF is voluntary, organizations are generally free to implement it however they see fit.
NIST CSF Implementation Tiers and Institutional Profiles
The CSF does include mechanisms for gauging how an institution manages cybersecurity risk and for documenting which outcomes it currently achieves versus which it is aiming for. These mechanisms are the implementation tiers and profiles detailed by NIST.
Here’s an overview of how these components work:
- Implementation tiers – A measure of how rigorous and risk-informed an organization’s cybersecurity risk management practices are. There are 4 tiers, from lowest to highest (Partial, Risk Informed, Repeatable, and Adaptive), but NIST states explicitly that they are not maturity levels; an organization may legitimately settle on tier 2 as its end goal if that matches its risk tolerance and budget.
- Institutional profiles (NIST calls them Framework Profiles) – A flexible way to document current and target status relative to outcome categories across all 5 functions. Comparing the current profile with the target profile yields a gap list, which organizations can prioritize by budget, risk, or other metrics to map out implementation over the short or long term.
These features are just as flexible as all other elements of the CSF, and companies may use them in widely different ways. For example, the case studies NIST publishes alongside the CSF describe the specific (and different) ways in which the University of Chicago and Intel implemented it.
Understanding NIST SP 800-171 CDI and CUI Protections
Unlike the CSF, SP 800-171 applies to DOD contractors that handle the information described below, which in practice is most of them. It’s not a set of suggestions; it’s a set of rules that must be followed.
Technically, the NIST SP 800-171 requirements apply to any and all DOD contractors that collect, store, process, or transmit two kinds of information:
- Covered Defense Information (CDI) – The term the DFARS clause uses for unclassified defense information that has been marked or otherwise identified as requiring protection, such as controlled technical information (CTI), operations security data, and export-controlled information, including but not limited to:
- Use and maintenance manuals for military equipment
- Drawings and information sheets for space equipment
- Controlled Unclassified Information (CUI) – Documents that are not classified but still require protection, covering categories formerly marked “For Official Use Only” (FOUO), “Law Enforcement Sensitive” (LES), or “Sensitive but Unclassified” (SBU). Examples include:
- Technical reports, orders, and data sheets
- Computer and software codes (executable)
Nearly all companies that contract with the DOD will come into contact with CDI and/or CUI, so in practice the rules apply almost universally. They apply to “prime” contractors as well as to any and all subcontractors under them, because the clause flows down the supply chain. SP 800-171 exists, in effect, to establish uniform safeguards for these categories of sensitive data across the entire defense industrial base.
NIST SP 800-171 Protection Requirements
The first and most important element of implementation is comprehensively understanding the practices and technologies required. To that effect, there are 14 “families” or categories of requirements detailed in chapter 3 of SP 800-171. Each breaks down into a number of Basic and Derived Security Requirements, detailing specific target actions or outcomes.
Here is a synopsis of each requirement’s purpose:
- Access control – Monitoring and limiting the ability of individuals to access physical and digital resources, comprising 22 Security Requirements (2 Basic, 20 Derived).
- Awareness / training – Detailing minimum knowledge and awareness thresholds for all staff, as well as how to achieve them; there are 3 Requirements (2 Basic, 1 Derived).
- Audit and accountability – Creating, protecting, and retaining system audit logs so that activity can be monitored, analyzed, investigated, and reported, and so that actions can be traced to individual users; there are 9 Requirements (2 Basic, 7 Derived).
- Configuration management – Defining settings requirements and protocols for documentation and implementation, comprising 9 Requirements (2 Basic, 7 Derived).
- Identification / authentication – Specifying how users, processes, and devices are identified and authenticated before being granted access to systems that hold CUI; there are 11 Requirements (2 Basic, 9 Derived).
- Incident response management – Planning out a strategic, systematic approach to incident identification and response, comprising 3 Requirements (2 Basic, 1 Derived).
- Overall system maintenance – Establishing what maintenance must occur, how often, and in what particular ways, across 6 Requirements (2 Basic, 4 Derived).
- Protection of media – Controlling, marking, sanitizing, and protecting system media (paper and digital) that contain CUI, in storage and in transport; there are 9 Requirements (3 Basic, 6 Derived).
- Personnel security – Protecting assets and systems from threats posed by personnel, by screening individuals before they are authorized to access CUI and by protecting CUI during terminations and transfers; there are just 2 Basic Requirements.
- Physical protections – Safeguarding assets by limiting physical and proximal access to hardware and monitoring perimeter, including 6 Requirements (2 Basic, 4 Derived).
- Risk assessment – Periodically assessing risk, scanning systems and applications for vulnerabilities, and remediating the vulnerabilities found; there are 3 Requirements (1 Basic, 2 Derived).
- Security assessment – Periodically assessing security controls, developing plans of action to correct deficiencies, monitoring controls on an ongoing basis, and maintaining system security plans; there are just 4 Basic Requirements.
- System / communications protection – Monitoring, controlling, and protecting communications at system boundaries and applying architectural and cryptographic safeguards to CUI, comprising 16 Requirements (2 Basic, 14 Derived).
- System / information integrity – Finally, identifying, reporting, and correcting system flaws in a timely manner, protecting against malicious code, and monitoring security alerts and advisories; there are 7 Requirements (3 Basic, 4 Derived).
Each requirement is accompanied by a Discussion section that provides informative guidance (but not normative requirements) about why it matters and how it might be implemented. Importantly, the actual means by which a company satisfies a requirement is not prescribed, unless the requirement’s own language says otherwise.
NIST SP 800 171 Implementation for Small Businesses
Implementing all these controls can be difficult, even for larger businesses with robust IT budgets. And NIST SP 800-171 implementation for the small-medium business can often feel nearly impossible. But luckily, third-party companies, like RSI Security, can help bear the burden for you.
Our dedicated SP 800-171 advisory services simplify the process of compliance by walking through all stages of planning, implementation, and maintenance of your cybersecurity.
Our suite consists of services like:
- Initial consultation, assessment, and gap analysis
- Deep, system-wide infrastructure implementation
- Regular threat and vulnerability assessments
- Deep analytical tools, like penetration testing
Download our free SP 800-171 Data Sheet to learn more! RSI Security is happy to keep your company safe — and, by extension, contribute to the safety of all Americans domestically and abroad.
Plus, we know that compliance with these (and any) cybersecurity requirements isn’t the end of cybersecurity; it’s just the beginning. We’re here to help with anything your business needs.
Professional Cybersecurity, Beyond NIST Requirements
Whether you’re a current or potential DOD contractor who needs to implement NIST SP 800-171, or any company looking to implement the broader NIST CSF, we’ve got you covered. RSI Security is your first and best option for all cybersecurity solutions; our experts have over a decade of experience helping companies of all sizes stay compliant and safe.
We know compliance isn’t the end of cybersecurity, but just the start. We’ll help your company build its cybersecurity architecture from the ground up and adjust on the fly to any challenges that appear. Detailed tutorials like this NIST 800 171 implementation guide are far from the only value we offer. Contact RSI Security today to see how powerful your cyberdefense can be!