The National Institute of Standards and Technology (NIST) published its first draft of Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, back in December of 2016. It’s undergone several revisions since then, with the final version of NIST 800-171 Revision 1 published in 2018 (and Rev 2 in 2020).
The document is one of a handful that seeks to unify cybersecurity standards for companies seeking contracts with the United States Department of Defense (DoD), and compliance is a crucial step toward being not just a DoD “preferred” contractor, but to work with them at all.
This guide breaks down what changes came with Rev 1 and how to ensure compliance.
Overview of NIST 800-171 Revision 1
The network of vendors and suppliers that contract with the DoD makes up one of the most critical industries in the country, the Defense Industrial Base (DIB) sector. Protecting the DIB is essential for national security. One data breach could compromise the position of the DoD and, by extension, Americans serving in the armed forces and all the citizens they protect.
Hence the importance of cybersecurity, which NIST 800-171 and other regulatory guidelines standardize. In the sections below, we’ll break down everything you need to know, including:
- What NIST 800-171 Rev 1 comprises
- How to ensure compliance, Rev 2 and beyond
By the end, you’ll be prepared to meet the DoD’s cybersecurity standards. But before getting into all the nitty-gritty details of what Rev 1 contains, let’s go over the fundamental changes it introduces.
NIST 800-171 Rev 1 Changes at a Glance
The final document of SP 800-171 Revision 1, incorporating changes up to June of 2018, includes an Errata section that documents all previous version changes. Each entry records the change’s date, the page on which it appears, and the substance of the change.
Most interestingly, it also includes a category of change:
- Editorial – Grammatical or stylistic changes intended to clarify the meaning, generally not adding new content (just replacing or removing individual words or phrases).
- Substantive – These are bigger and more significant changes, such as additional descriptions, entirely new sections, appendices, call-out boxes, or other new content.
There are 139 changes in total, including [Y] editorial and [Z] substantive changes made between November of 2017 and June of 2018. Almost all are minor. There have been no major changes to the core of the Requirements and Families (detailed below).
The biggest change in Rev 1, by far, is the substantive addition of Appendix F, “Discussions.”
Appendix F adds a significant amount of content in reasoning and situational guidance for all 110 Requirements in 40 new pages at the end of the document. Later Revs will reposition this content within Chapter 3 proper. But in Rev 1, Appendix F’s entries link back to each Requirement’s position under its respective Family in Chapter 3 for easy referencing.
NIST 800-171 Revision 1: The Complete Guide
The NIST 800-171 is far from the only cybersecurity document potential DoD contractors should consider. It pulls from and is informed by various other standards and regulations. Namely, many of its basic concepts and controls are informed by NIST’s Cybersecurity Framework (CSF) and Federal Information Processing Standards Publications (FIPS) 199 and 200.
In addition, many of the controls in NIST 800-171 map directly onto several other frameworks, like the ones named above, as well as ISO/IEC 27002:2013 and other international standards.
Most importantly, the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 requires all DoD contractors to protect special classes of information:
- CUI: Controlled Unclassified Information – Also known as “Sensitive but Unclassified” (SBU), “Law Enforcement Sensitive” (LES), or “For Official Use Only” (FOUO), CUI includes unsealed forms and documents that are protected by other means, such as official regulations, laws, and bylaws, or confidentiality requirements.
- CDI: Covered Defense Information – Documents and other data pertaining to matters like operational security (OPSEC) or covered technical information (CTI), such as technical manuals and instructional content intended for internal military use only.
The main function NIST 800-171 serves is to standardize the protection of these particular information classes. To do this, it details 110 security controls, labeled “Requirements,” which break down across 14 “Requirement Families.” Let’s take a closer look at this core.
Requirements and Families in NIST 800-171 Revision 1
The 14 Requirement Families of NIST 800-171 comprise interlocking domains of physical, organizational, and technological cybersecurity. Each includes at least one “Basic” Requirement, setting out the simplest measures, and most also include a number of “Derived” Requirements.
Here is a breakdown and synopsis of each Family’s scope in Rev 1:
- Access Control – Defining the basic processes that authenticate and grant or deny access to CUI and CTI, including 2 Basic and 19 Derived Requirements (22 total).
- Awareness and Training – Governing levels of awareness that must be cultivated through education programs, including 2 Basic and 1 Derived Requirement (3 total).
- Audit and Accountability – Defining standards for regular audits and logging thereof to enforce accountability, including 2 Basic and 7 Derived Requirements (9 total).
- Configuration Management – Detailing the particular security standards needed for device and software settings, including 2 Basic and 7 Derived Requirements (9 total).
- Identification and Authentication – Further defining (with Access Control) standards for user account credentials, including 2 Basic and 9 Derived Requirements (11 total).
- Incident Response – Governing the specific, programmatic response taken to breaches and other security incidents, including 2 Basic and 1 Derived Requirement (3 total).
- Maintenance – Defining minimum standards for both routine and special maintenance procedures after security events, including 2 Basic and 4 Derived Requirements (6 total).
- Media Protection – Detailing specific protections for media and devices containing media related to CUI and CTI, including 3 Basic and 6 Derived Requirements (9 total).
- Personnel Security – Further governing (along with Awareness and Training) safety amongst staff, expanding out to hiring processes, including just two total Requirements, both Basic.
- Physical Protection – Detailing specific safeguards to limit physical and proximal access to CUI and CTI, including 2 Basic and 4 Derived Requirements (6 total).
- Risk Assessment – Governing the systematic approach to scanning for, identifying, addressing, and mitigating risk, including 1 Basic and 2 Derived Requirements (3 total).
- Security Assessment – Detailing minimum frequency and processes for regular and special assessments of system security, including just four total Requirements, all Basic.
- System and Communications Protection – Governing the safeguards used to monitor and protect communications, including 2 Basic and 14 Derived Requirements (16 total).
- System and Information Integrity – Specifying standards for identifying and correcting flaws in security infrastructure, including 3 Basic and 4 Derived Requirements (7 total).
Across all Families, there are no major changes between Rev 1 and the original document. The addition of Appendix F, as noted above, does add a significant amount of guidance concerning implementing the Requirements. But the Requirements themselves are basically the same.
Supplements to Revision 1: NIST 800-171A and 800-171B
Implementing all 110 Requirements of NIST 800-171 Rev 1, across its 14 Families, can be a challenging undertaking for any institution. However, NIST also provides two main texts to supplement the framework, offering support for the assessment of implementation as well as further details to extend its protections: SP 800-171A and SP 800-171B, or SP 800-172 (draft).
In particular, SP 800-171A is dedicated to assessment. It breaks down the metrics by which an institution’s performance will be assessed to:
- Identify flaws in security and risk management
- Identify weaknesses in systems and environments
- Prioritize which risks should be addressed first
- Confirm proper mitigation measures for known risks
- Support further and future Requirement implementation
On a different front, SP 800-172, still in draft form, actually builds on the 110 Requirements in 800-171 to guarantee further confidentiality, integrity, and availability of CUI with:
- Penetration resistant architecture (PRA)
- Damage limiting operations (DLO)
- Cyber resiliency survivability (CRS)
Taken together, these “Enhanced” Requirements target advanced persistent threats (APTs). Many are not required yet, but they are still worth learning. Understanding them now can help an institution prepare for long-term compliance with NIST, beyond Rev 1 (and Rev 2, etc.).
NIST 800-171 Compliance, Revision 2 and Beyond
As noted above, Rev 1 of NIST SP 800-171 is no longer current. Superseding it, SP 800-171 Rev 2 was published in February of 2020, and Rev 1 is set to be withdrawn (obsolete) as of February of 2021. Luckily, there are few changes evident in the newest, up-to-date version.
The Errata page for Rev 2 is blank, which is curious considering a rather sizeable structural change made to the document. Content that formerly appeared in Appendix F, “Discussions,” is distributed throughout the list of Requirements in Chapter 3, as of Rev 2. While its substance remains mostly unchanged, this repositioning makes Chapter 3 longer and removes the need to cross-reference the end of the text to find the discussion of each Requirement.
Beyond this, Rev 2 comprises 110 Requirements across 14 Families, just like Rev 1. Like Rev 1, Rev 2 is supplemented by the same materials (800-171A and 800-171B/800-172 draft).
That is to say, compliance can be just as challenging with Rev 2 as it was with Rev 1.
To maintain compliance with 800-171, the supplemental materials detailed above may not be sufficient. Many organizations find that external resources, like NIST 800-171 tipsheets or comprehensive NIST 800-171 services, are the best way to keep track of implementation.
Further DoD Cybersecurity Requirements
Finally, another layer of complexity is added because NIST 800-171 is not the only regulatory framework applied to prospective DoD contractors. Such DIB businesses will also need to comply with the Cybersecurity Maturity Model Certification (CMMC), presided over by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).
The CMMC is a novel framework that, unlike NIST 800-171, allows for a gradual, stepwise implementation of its controls. This is because cybersecurity fidelity is measured across 5 Maturity Levels, each of which has a particular practice and process goal:
- Maturity Level 1, comprising “basic cyber hygiene.”
- Maturity Level 2, comprising “intermediate cyber hygiene.”
- Maturity Level 3, comprising “good cyber hygiene.”
- Maturity Level 4, branching into “proactive” cybersecurity.
- Maturity Level 5, achieving “advanced/progressive” posture.
Across these 5 levels, institutions implement a total of 171 Practices, which are roughly analogous to the Requirements of NIST 800-171. The Practices are organized into Domains, totaling 17, which encompass the 14 Families of NIST 800-171, in addition to:
- Asset Management (AM) – Governing the particular methods an institution uses to monitor and account for its assets, including specific documentation protocols.
- Recovery (RE) – Detailing the programmatic approach an institution takes to responding to and recovering from a cybersecurity incident, immediately and over the long term.
- Situational Awareness (SA) – Defining the specific parameters and thresholds for knowledge and research into an institution’s cybersecurity environment and positionality.
Across the 17 total Domains, there are also 43 capabilities, more or less evenly distributed across them. Implementation of the CMMC at each level, especially the first three levels, is aided by the fact that it incorporates other frameworks (NIST 800-171, etc.) entirely. Nevertheless, comprehensive CMMC advisory services can be the best way to stay compliant.
Compliance and Cybersecurity, Professionalized
Here at RSI Security, we are dedicated to helping companies of all sizes and types keep their stakeholders safe. We’re especially attuned to how important this work is for DoD contractors, considering the vast implications of a data breach that impacts the DIB. Our team of experts is certified to help with all stages of implementation, compliance, and certification.
Plus, we know that compliance isn’t the end of cybersecurity; it’s just the start.
We are also happy to help with any other cyberdefense solutions you may need, DoD or otherwise. Whether you’re in the early stages of architecture implementation or advanced territory like penetration testing, we’re your first and best option. Contact RSI Security today to see how simple NIST 800-171 Revision 1 can be, and how powerful your cybersecurity can become.