The protection of controlled unclassified information (CUI) in non-federal systems and organizations is as important as the security of federal government data and information, because a threat to CUI in non-federal systems could disrupt the proper running of federal government business. NIST SP 800-171 Revision 1, also called NIST SP 800-171 Rev. 1, was created to tackle this issue. To further strengthen the confidentiality of CUI, NIST SP 800-171 Revision 2, a revision of NIST SP 800-171 Rev. 1, was published in February 2020.
NIST SP 800-171 Revision 2, also known as NIST SP 800-171 Rev. 2, protects controlled unclassified information in non-federal systems and organizations. Even if your organization was formerly NIST-compliant, you may now be non-compliant because of the most recent changes made to the NIST cybersecurity framework. Learn about the latest revisions here.
Controlled Unclassified Information (CUI)
You need to know what CUI is, because a proper understanding of CUI will help you comply with the NIST SP 800-171 Rev. 2 changes: NIST SP 800-171 Rev. 2 addresses issues concerning CUI. The policy and processes for CUI originated from a 2004 study within the Information Sharing and Collaboration Office of the Information Analysis and Infrastructure Protection Under Secretariat of the Department of Homeland Security.
The term “CUI” was coined by the authors of that study, which reviewed more than 140 different forms of unclassified information in use throughout the federal government at the time. CUI refers to sensitive data that is relevant to the business of the federal government but is handled by non-federal or non-governmental organizations.
According to the National Archives and Records Administration, “Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls according to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”
What is the NIST SP 800-171?
The National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) is a set of guidelines on how to handle and safeguard unclassified but sensitive information that is processed outside federal government jurisdiction. It provides oversight for CUI in non-federal information systems and organizations.
NIST SP 800-171 was created after the Federal Information Security Management Act (FISMA) was passed in 2003, resulting in numerous security requirements and policies. It was developed to bolster cybersecurity measures across the country, particularly after several widely known breaches in recent years, including those at USPS (U.S. Postal Service) and NOAA (National Oceanic and Atmospheric Administration).
According to the National Institute of Standards and Technology, the NIST SP 800-171 assists the federal government to “successfully carry out its designated missions and business operations.”
NIST compliance is compulsory for every organization that intends to do business with federal government agencies. Non-compliance with NIST SP 800-171 could cost you a major government contract, put you in breach of an existing contract, or even expose you to allegations of fraud.
NIST SP 800-171 Rev. 2 14-point Requirements
NIST sets out requirements in 14 areas that contractors who need access to CUI must implement. NIST further verifies whether contractors comply with these requirements, to ensure that security protocols are in place for the 14 key areas. These 14 key areas are discussed below:
- Access control: this requirement limits system access to authorized users, processes acting on behalf of authorized users, and passive entities such as devices. It also restricts the transactions and functions an authorized user is permitted to execute. Access control allows the federal government, through the non-federal organizations handling the information, to determine who has access to what, and to what extent. Access control answers the question “who is authorized to view this data?”
- Awareness and Training: awareness ensures that stakeholders in CUI (managers, system administrators, users of organizational systems, etc.) are well informed about the security risks associated with their activities and about the standards, applicable policies, and procedures related to the security of those systems.
Raising awareness of these security risks goes hand in hand with training stakeholders on how to use and secure authorized access and how to recognize potential insider-threat indicators to CUI. The frequency of training is left to the discretion of the organization, but it must be done as frequently as possible.
- Audit and Accountability: according to page 17 of NIST SP 800-171 Revision 2, audit and accountability involves “Creating and retaining system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.” This means that records of all authorized and unauthorized access to CUI must be kept, and violators must be properly identified and held accountable.
- Configuration Management: this involves establishing and maintaining baseline configurations and inventories of organizational systems (i.e., hardware, software, firmware, and documentation) throughout the system development life cycle. It is also essential to establish and enforce security configuration settings for the information technology products used in organizational systems. Changes to organizational systems should be tracked, reviewed, approved or disapproved, and recorded.
- Identification and Authentication: this requirement identifies “system users, processes acting on behalf of users, and devices”. Identifiers that can be used for this purpose include Internet Protocol (IP) addresses, Media Access Control (MAC) addresses, and device-unique token identifiers. To keep the network highly secure, the identity of users, devices, and processes should always be verified as a condition of granting access to organizational systems.
- Incident Response: involves establishing an operational incident-handling capability for organizational systems, covering preparation, detection, analysis, containment, recovery, and user response activities. Measures put in place must track and report incidents to designated officials both within and outside the organization.
- Maintenance: as the name suggests, organizational systems must be maintained and cared for on a regular basis. This covers all types of maintenance on all components of the organizational system (i.e., hardware, firmware, software, etc.).
- Media Protection: this addresses the protection of system media that store CUI, whether digitally or on paper, which means that both physical security and cybersecurity controls must be in place to counter any threat. A major way for organizations to control access is to destroy media containing CUI before disposal or release for reuse.
- Personnel Security: this requirement addresses screening individuals before they are authorized to access organizational systems. For every individual who is allowed to access systems containing CUI, adequate background checks must be performed to ascertain their integrity. Systems housing CUI should also go through organizational security checks before and after individuals are granted access.
- Physical Protection: only individuals with authorized access should have physical access to organizational systems, equipment, and the operating environments for CUI. Suggested measures include the use of badges, smart cards, identity cards, etc. by authorized individuals. There must be proper records of everyone accessing the system, as well as adequate monitoring of the CUI system’s environment through modern surveillance devices such as CCTV.
- Risk Assessment: “Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.” This also involves checking for vulnerabilities in organizational systems and applications. Identified vulnerabilities must be immediately remediated in accordance with risk assessment guidelines.
- Security Assessment: requires periodic assessment of the security controls in organizational systems to ascertain that the controls are effective in their application. Plans of action to reduce or eliminate vulnerabilities and correct deficiencies should be designed and implemented, and the implemented security controls should be monitored to ensure continued effectiveness.
- System and Communications Protection: requires that information transmitted and received by an organizational system be monitored, controlled, and protected at the external and key internal boundaries of the system.
- System and Information Integrity: organizations must identify, report, and correct system flaws in a timely manner and report them properly to designated personnel. Protection must be in place at the entry and exit points of the system to guard against malicious code. System monitoring should identify unauthorized use of the system so that it can be rectified immediately.
The NIST SP 800 171 Revision 2 Changes
In NIST SP 800-171 Rev. 2, only a few changes have been made to the first edition. There are no changes to the basic and derived security requirements. The major change concerns self-attestation: self-attestation is no longer an option for companies that must adhere to NIST SP 800-171 Revision 2, because of the release of the Cybersecurity Maturity Model Certification (CMMC).
After the Department of Defense (DoD) moved to the new CMMC framework, all companies that must comply with NIST SP 800-171 will have to work with an approved, independent third-party organization. However, this does not mean that all previous work done on supporting documents such as the System Security Plan (SSP) or Plan of Action and Milestones (POA&M) is wasted, because these documents will still be useful in demonstrating your compliance. Note, however, that there are now a few changes to the method for providing evidence of compliance with NIST SP 800-171.
Ensuring compliance with NIST requires an independent third party that has verified you meet the 14-point requirements of NIST SP 800-171 Rev. 2. If you are seeking to expand your business, and especially to gain entry into government circles, then you need to be NIST-compliant.
RSI Security, America’s premier cybersecurity company, is well informed on the NIST SP 800-171 Rev. 2 changes and well equipped to ensure you are NIST-compliant. Our experts will provide you with a step-by-step guide on how to achieve NIST compliance.