For companies looking to contract with the United States Department of Defense (DoD), it’s imperative to make sure your cyberdefenses are up to par. A big part of that is implementing the controls from Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (SP 800-171), published by the National Institute of Standards and Technology (NIST). And understanding the NIST 800 171 controls is the first step toward compliance.
NIST 800-171 Security Baseline
When you work with or for the DoD, your company’s own cybersecurity becomes a matter of national security. The DoD needs to make sure that its supply chain, the industries that make up the Defense Industrial Base sector (DIB), does not compromise Americans’ safety.
In particular, the NIST SP 800-171 exists to safeguard special classes of information:
- Controlled Unclassified Information (CUI) – Unsealed documents that are protected, nonetheless, by various laws and other statutes. Also known as “For Official Use Only,” (FOUO), “Sensitive but Unclassified” (SBU), or “Law Enforcement Sensitive,” (LES).
- Covered Defense Information (CDI) – Defense-specific information that’s protected for reasons directly related to national security, like operations security (OPSEC) data, export-restricted intelligence, and covered technical information (CTI).
To protect these forms of information, the NIST SP 800-171 uses a complex set of controls, called “Requirements,” divided out across 14 “Requirement Families.” The bulk of this article will be spent defining each control. But first, let’s take a closer look at the framework’s organization.
NIST 800 171 Controls: The Complete Breakdown
The most recent edition of SP 800-171, revision 2, was published in February of 2020. It addresses requirements for the protection of CUI laid out in Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. It’s also informed by other Federal Information Processing Standards Publications (FIPS) 199 and FIPS 200 and other standards.
The core of NIST SP 800-171 are its 14 Families and 110 Requirements, laid out in Chapter 3. Each Family contains a number of “Basic” Requirements, detailing baseline security practices. Most also have a number of “Derived” Requirements, adding on more nuanced controls.
The enumeration scheme in SP 800-171 reflects Chapter, Family, and respective Requirement. Thus, NIST 800 171 control 3.1 1 is thus the first Requirement, reflecting Chapter 3, Family 1, and Requirement 1 within Family 1. The numbers are not cumulative and can be hard to follow; NIST 800-171 control 3.5.2 and NIST 800-171 control 3.5.3 are #45 and #46, respectively.
Now, let’s take a close look at all of them to understand what implementation entails.
Access Control Requirements
Basic Access Control security Requirements include:
- 3.1.1 – Limit access to only authorized users and entities acting on their behalf.
- 3.1.2 – Limit access to only usage types permitted for said authorized users.
Derived Access Control security Requirements include:
- 3.1.3 – Control “flow of CUI” (where it can travel, how, under what conditions).
- 3.1.4 – Prevent non-colluded (spontaneous) malevolent activity with separation of duties.
- 3.1.5 – Use the “least privilege” principle, permitting as little access as possible in all cases.
- 3.1.6 – Use accounts without privileges for non-security purposes, when possible.
- 3.1.7 – Prevent and log the use of privileged functions from non-privileged accounts.
- 3.1.8 – Limit the number of unsuccessful login attempts possible before locking the account.
- 3.1.9 – Provide notices for privacy and security in accordance with applicable CUI rules.
- 3.1.10 – Lock sessions with pattern-hiding displays after periods of user inactivity.
- 3.1.11 – Define conditions for automatic termination of access sessions.
- 3.1.12 – Closely monitor and strictly control remote access sessions.
- 3.1.13 – Use cryptography to ensure confidentiality of remote access sessions.
- 3.1.14 – Manage remote access sessions via routed access control points.
- 3.1.15 – Require authorization for remote access and execution of privileged functions.
- 3.1.16 – Require authorization for wireless access prior to enabling connection.
- 3.1.17 – Utilize encryption and authorization to protect wireless access.
- 3.1.18 – Enforce strict control over connections to and with mobile devices.
- 3.1.19 – Use encryption for CUI stored in or accessed on mobile devices and platforms.
- 3.1.20 – Limit and verify connectivity with and use of external systems.
- 3.1.21 – Strictly limit the use of portable storage and related to external devices.
- 3.1.22 – Control posting and processing of CUI on publicly accessible systems.
Awareness and Training Requirements
Basic Awareness and Training Security Requirements include:
- 3.2.1 – Ensure personnel is aware of risks and safeguards associated with their duties.
- 3.2.2 – Ensure personnel is trained and able to carry out security responsibilities.
There is just one derived Awareness and Training security Requirement:
- 3.2.3 – Train personnel on how to recognize and respond to insider threats.
Audit and Accountability Requirements
Basic Audit and Accountability security Requirements include:
- 3.3.1 – Audit and log records; respond appropriately to unlawful or unauthorized activity.
- 3.3.2 – Ensure system users’ actions can be traced to them, uniquely and specifically.
Derived Audit and Accountability security Requirements include:
- 3.3.3 – Regularly review logged events from audits and update accordingly.
- 3.3.4 – Alter audit procedures and logs in the event of a failure in the logging process.
- 3.3.5 – Correlate processes of review and analysis of and reporting on audit records.
- 3.3.6 – Use “record reduction” and report generation to facilitate analysis on-demand.
- 3.3.7 – Synchronize internal clocks with authoritative sources for accurate time stamps.
- 3.3.8 – Prevent unauthorized access, modification, and/or deletion or audit logs.
- 3.3.9 – Restrict audit and logging management, by privilege, limiting the scope of access.
Configuration Management Requirements
Basic Configuration Management security Requirements include:
- 3.4.1 – Maintain and inventory configuration settings for all organizational systems.
- 3.4.2 – Enforce relevant security settings requirements for all technology products.
Derived Configuration Management security Requirements include:
- 3.4.3 – Monitor, approve, or disapprove, and log all changes to organizational systems.
- 3.4.4 – Prior to implementing new configurations, analyze security impact(s) thereof.
- 3.4.5 – Approve and enforce restrictions (logical and physical) related to changes.
- 3.4.6 – Use the “least functionality” principle, limiting capabilities to essential functions only.
- 3.4.7 – Limit as much as possible (disallow and disable) nonessential functionalities.
- 3.4.8 – Use “blacklisting” (deny by exception) or “whitelisting” (permit by exception).
- 3.4.9 – Closely monitor and strictly control software installed by users.
Identification and Authentication Requirements
Basic Identification and Authentication security Requirements include:
- 3.5.1 – Identify users, devices, and processes or entities acting on their behalf.
- 3.5.2 – Verify or authenticate identity prior to granting access to organizational systems.
Derived Identification and Authentication security Requirements include:
- 3.5.3 – Use multi-factor authentication (MFA), depending on access type and privilege.
- 3.5.4 – Use “replay-resistant” mechanisms for network access, regardless of privilege.
- 3.5.5 – Once credentials are assigned, prevent their re-use for a predetermined period.
- 3.5.6 – After a prolonged absence or period of inactivity, disable such user’s credentials.
- 3.5.7 – Require frequent updates and strong minimum complexity for passwords.
- 3.5.8 – Require new, unique passwords, disabling re-use of past credentials.
- 3.5.9 – Enable temporary password use for re-establishing permanent credentials.
- 3.5.10 – Ensure stored and transmitted passwords are protected with encryption.
- 3.5.11 – Obscure feedback about authentication credentials and related information.
Incident Response Requirements
Basic Incident Response security Requirements include:
- 3.6.1 – Implement a plan for preparation, detection, analysis, recovery, and response.
- 3.6.2 – Monitor, document, and report incidents to internal and external authorities.
There is just one derived Incident Response security Requirement:
- 3.6.3 – Test incident response plan at regular intervals to ensure fidelity.
Basic Maintenance security Requirements include:
- 3.7.1 – Perform regular and on-demand maintenance on all organizational systems.
- 3.7.2 – Specify maintenance protocols for personnel, procedures, tools, etc. to be used.
Derived Maintenance security Requirements include:
- 3.7.3 – Sanitize traces of CUI off of all equipment removed or transported off-site.
- 3.7.4 – Check any diagnostic or testing programs for malicious code prior to use.
- 3.7.5 – Use MFA for remote maintenance and terminate access immediately after.
- 3.7.6 – When maintenance is performed by non-privileged users, supervise carefully.
Media Protection Requirements
Basic Media Protection security Requirements include:
- 3.8.1 – Physically safeguard physical and digital media containing CUI.
- 3.8.2 – Restrict access to media containing CUI to only privileged users.
- 3.8.3 – Before disposing or re-using, sanitize media of all traces of CUI.
Derived Media Protection security Requirements include:
- 3.8.4 – Mark media containing CUI and limit distribution thereof accordingly.
- 3.8.5 – Control access to CUI-media and remain accountable during transport thereof.
- 3.8.6 – Use encryption or physical safeguards to protect CUI-media during transport.
- 3.8.7 – Limit the use of “removable media” (flash drives, etc.) on system components.
- 3.8.8 – Prohibit the use of portable storage if the owner thereof cannot be determined.
- 3.8.9 – Maintain backup locations for CUI and confidentiality of such locations.
Personnel Security Requirements
Basic Personnel Security Security Requirements include:
- 3.9.1 – Before authorizing individuals’ access to CUI, screen carefully for threats.
- 3.9.2 – Ensure security before, during, and after transitional events (hiring, firing, etc.).
There are no derived Personnel Security Requirements.
Physical Protection Requirements
Basic Physical Protection security Requirements include:
- 3.10.1 – Limit access to systems and operating environments to authorized personnel.
- 3.10.2 – Safeguard facilities and supporting infrastructure for systems and media.
Derived Physical Protection security Requirements include:
- 3.10.3 – Monitor visitor activity; supervise and/or escort all clientele, visitors, etc.
- 3.10.4 – Log (and maintain logs for) physical access to organizational systems.
- 3.10.5 – Closely monitor and strictly control physical access devices (keys, etc.).
- 3.10.6 – Safeguard CUI and related systems and media at alternate work sites.
Risk Assessment Requirements
There is just one basic Risk Assessment security Requirement:
- 3.11.1 – Regularly assess risks to operations, assets, and individuals (related to CUI).
And there are two derived Risk Assessment security Requirements:
- 3.11.2 – Scan for vulnerabilities in systems both periodically and on-demand.
- 3.11.3 – Address vulnerabilities in accordance with risk management protocols.
Security Assessment Requirements
Basic Security Assessment security Requirements include:
- 3.12.1 – Assess security controls, system-wide, and per application, periodically.
- 3.12.2 – Correct identified deficiencies and vulnerabilities systematically.
- 3.12.3 – Maintain ongoing monitoring of security controls, ensuring efficacy.
- 3.12.4 – Maintain system plans describing system boundaries, operational environments, methods of security requirement implementation, etc.
There are no derived Security Assessment security Requirements.
System and Communications Protection Requirements
Basic System and Communications Protection security Requirements include:
- 3.13.1 – Strictly monitor and control communications at internal and external boundaries.
- 3.13.2 – Promote security with architecture, software, and engineering principles.
Derived System and Communications Protection security Requirements include:
- 3.13.3 – Partition system management functionality and user functionality.
- 3.13.4 – Prevent unauthorized transfer of information with or via shared resources.
- 3.13.5 – Use subnetworks for publicly accessible media, separate from internal systems.
- 3.13.6 – Apply the “whitelist” principle to all network communications traffic.
- 3.13.7 – Prevent “split tunneling” (simultaneous access to internal/ external networks).
- 3.13.8 – Use cryptography or physical methods to protect CUI during transmission.
- 3.13.9 – Terminate network connectivity after sessions related to communication.
- 3.13.10 – Manage “keys” for cryptography used in or for organizational systems.
- 3.13.11 – Utilize cryptography up to FIPS standards for the protection of CUI.
- 3.13.12 – Prevent and report remote use of “collaborative computing devices.”
- 3.13.13 – Closely monitor and strictly control the use of mobile code.
- 3.13.14 – Enforce tight control over Voice over Internet Protocol (VoIP).
- 3.13.15 – Ensure the privacy and authenticity of all communications sessions.
- 3.13.16 – When CUI is “at rest,” protect its confidentiality.
System and Information Integrity Requirements
Basic System and Information Integrity security Requirements include:
- 3.14.1 – Monitor for, identify, report, and alleviate flaws as soon as possible.
- 3.14.2 – Designate locations for (and provide) special protection from malicious code.
- 3.14.3 – Closely monitor security advisories and alerts; respond immediately to them.
Derived System and Information Integrity security Requirements include:
- 3.14.4 – Maintain up-to-date protective mechanisms for malicious code.
- 3.14.5 – Scan systems periodically and scan external files in real-time as they appear.
- 3.14.6 – Closely monitor systems/communications for indicators of potential attacks.
- 3.14.7 – Identify and prevent unauthorized use of organizational systems.
Ensuring NIST 800-171 Compliance
Having a deep understanding is a prerequisite to NIST 800-171 compliance. But implementing all 110 Requirements is about more than just knowing them back and forth. You also need to have the expertise and resources in place to ensure the long-term maintenance of every control.
For example, consider NIST 800-171 control 3.12.4, related to “system security plans” and “system boundaries.” These are likely to change over time as your company grows. So, what it takes to implement it a year from now might drastically outweigh what it takes to implement it right now. Plus, you also have to worry about other regulatory frameworks, like the CMMC.
That’s why your best bet for long term compliance, with everything you need to be a DoD contractor, is RSI Security’s NIST 800-171, DFARS, and CMMC services. Our experts will work with you to craft a planned walk through every stage of certification. We’re here for the long hall.
Contact RSI Security today to see how simple implementing NIST 800 171 controls can be!