In order to work with the US Department of Defense (DoD), companies need to strengthen their cyberdefenses to avoid compromising the security of our armed forces and, by extension, all Americans. Doing so requires complying with Special Publication 800-171, a publication of the National Institute of Standards and Technology (NIST). Following all NIST SP 800 171 requirements is just the first step toward DoD preferred contractor status.
Overview of NIST SP 800-171 Requirements
Securing lucrative DoD contracts involves an in-depth, practical understanding of the history and current state of NIST SP 800 171. Your company will also need to know where its various requirements come from and what other regulatory frameworks apply to you. So, in the sections that follow, we’ll break down everything you need to know, including:
- The background and current state of NIST SP 800 171 Requirements
- Other essential requirements for DoD contractors, namely CMMC
By the end of this article, you’ll be ready to start your road to compliance and preferred contractor status. But first, let’s take a quick look at who needs to be compliant and why.
Who Needs to Comply with NIST SP 800-171
Companies that work with the DoD make up the Defense Industrial Base (DIB) sector, a supply chain that spans all industries (from tech startups to multinational manufacturing firms). All the businesses within the DIB sector share their proximity to sensitive DoD data.
In particular, there are two forms of information that the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 requires all DoD contractors to protect:
- Covered Defense Information (CDI) – Data on or pertaining to operational security (OpSec) or covered technical information (CTI), including but not limited to training documents and manuals for the operation and maintenance of defense technology
- Controlled Unclassified Information (CUI) – Information that is not classified but is nonetheless protected by federal, state, or local statutes, also known as “for official use only” (FOUO), “sensitive but unclassified” (SBU), or “law enforcement sensitive” (LES)
Any company that processes, stores, or otherwise comes into contact with these forms of data needs to undergo a NIST SP 800-171 DoD assessment of its protections and safeguards.
NIST SP 800 171: History and Current State
NIST SP 800-171 was originally written for IT and related staff at federal agencies and the companies that work with them. Its purpose was to unify the cybersecurity controls protecting those organizations’ interests, a purpose that now extends to all prospective DoD contractors.
Ever since the first complete edition of SP 800-171 was published in June of 2015, it has been an omnibus framework combining controls and practices from other sources. The most foundational are NIST’s own Cybersecurity Framework (CSF), ISO/IEC 27002:2013, and Federal Information Processing Standards (FIPS) Publications 199 and 200.
While there have been several changes and updates to the framework, its core has remained largely the same since 2015. The detailed breakdown of this core below is sourced from the most recent and current version, NIST SP 800-171 Revision 2, published in February of 2020.
Requirement Families and Requirements
The core of NIST SP 800 171 comprises 110 Security Requirements, distributed across 14 distinct Requirement Families. Each Family consists of at least one Basic Requirement, and most Families also include Derived Requirements. The Requirement Families break down as follows:
- Access Control – Comprising 22 Requirements (two Basic, 19 Derived) governing ways in which access to CDI, CUI, and other protected information is granted and restricted
- Awareness and Training – Comprising three Requirements (two Basic, one Derived) governing how often regular and special training activities occur and what content they must cover
- Audit and Accountability – Comprising nine Requirements (two Basic, seven Derived) for regular external auditing, logging, and protection of audit information for accountability
- Configuration Management – Comprising nine Requirements (two Basic, seven Derived) related to specific settings and configurations for software and hardware, beyond their defaults
- Identification and Authentication – Comprising 11 Requirements (two Basic, nine Derived) governing user passwords, multi-factor authentication (MFA), and other credentials
- Incident Response – Comprising three Requirements (two Basic, one Derived) governing a company’s programmatic response to identified hacks, breaches, and other events
- Maintenance – Comprising six Requirements (two Basic, four Derived) specifying schedules for regular, routine maintenance and protocols for special, reparative procedures
- Media Protection – Comprising nine Requirements (three Basic, six Derived) governing the minimum safeguards for media and servers directly connected to CDI, CUI, etc.
- Personnel Security – Comprising two Requirements (both Basic) governing screening, onboarding, and ongoing security monitoring of personnel to combat insider threats
- Physical Protection – Comprising six Requirements (two Basic, four Derived) specifying physical, proximity-based safeguards for hardware related to CDI, CUI, etc.
- Risk Assessment – Comprising three Requirements (one Basic, two Derived) governing the programmatic approach to monitoring for, analyzing, and mitigating security risks
- Security Assessment – Comprising four Requirements (all Basic) specifying protocols for routine or special company-wide assessments and the corrective measures they inform
- System and Communications Protection – Comprising 16 Requirements (two Basic, 14 Derived) governing minimum protections for communication networks and systems
- System and Information Integrity – Comprising seven Requirements (three Basic, four Derived) for swiftly identifying and correcting gaps or flaws in cybersecurity infrastructure
Each Requirement is accompanied by a description of its controls and an informative discussion section that recommends a potential implementation. Notably, the discussion is not meant to be normative; instead, companies can choose to implement the controls in any way they see fit.
Other Compliance Requirements for DoD Contractors
The other main requirement for prospective DoD contractors is the Cybersecurity Maturity Model Certification (CMMC), published by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The CMMC comprises 17 Domains, encompassing all of the NIST SP 800-171 Requirements and Families, along with three additional areas:
- Asset Management – Specific controls and safeguards tailored to the kinds of physical and virtual assets (smart devices, servers, web applications) your company uses
- Recovery – Controls and practices designed to maximize efficacy and efficiency of recovery during and after a cybersecurity event, especially restoration of service
- Situational Awareness – Integration and mobilization of threat intelligence specific to your company’s industry, competitors, and other factors particular to its position
The most significant difference between the CMMC and NIST SP 800-171, apart from the CMMC’s broader and deeper scope, is that it allows for a more gradual adoption across five maturity levels:
- Maturity Level 1 – Focused on safeguarding federal contract information (FCI); practices constitute “basic cyber hygiene” and processes must be simply “performed”
- Maturity Level 2 – Focused on transitioning toward CUI protection at level 3; practices constitute “intermediate cyber hygiene” and processes must now be “documented”
- Maturity Level 3 – Focused on comprehensive protection of FCI and CUI; practices constitute “good cyber hygiene” and processes must now be “managed”
- Maturity Level 4 – Focused on CUI and advanced persistent threats (APT); practices focus on “proactive” measures and processes must now be “reviewed”
- Maturity Level 5 – Focused on comprehensive safeguards for APT; practices are proactive and “advanced,” and processes are now continuously “optimizing”
There are 171 cybersecurity practices distributed across the 17 Domains and five Maturity Levels of the CMMC. NIST SP 800-171 is a primary source for facilitating their adoption.
How to Achieve Compliance and Certification
Another element that differentiates CMMC from NIST SP 800 171 is how certification works. To become fully CMMC compliant, it is not enough to implement all practices to the required process maturity at each level. Your company must also seek verification from a Certified Third Party Assessment Organization (C3PAO), qualified by the CMMC Accreditation Body.
RSI Security is a C3PAO that delivers certification along with a broader suite of CMMC advisory services. Our team of experts will work with your internal IT staff to build your controls from the ground up, then verify those controls at each maturity level once you’re ready. We’ll work with you to map your CMMC controls onto SP 800-171 and all other frameworks you need to follow.
Professional Compliance and Cybersecurity
Here at RSI Security, we know how crucial regulatory compliance is — for all companies, but especially those looking to work with the DoD. But we also know that compliance is not the end of cybersecurity; it’s just the beginning. That’s why we’re happy to help you meet all NIST SP 800 171 requirements and even exceed them, building out a cybersecurity architecture that will protect you and your stakeholders over the long term. Contact RSI Security today to get started!