In April of 2015, NIST published the first public draft of a document called SP800-171 which describes requirements for protecting Controlled Unclassified Information (CUI) on nonfederal information systems and organizations. The government also published a regulation (DFARS 252.204-7012) that states that any entity that collects, develops, receives, transmits, uses, or stores defense information in support of a government contract must abide by the guidance in SP800-171 with a compliance deadline of December of 2017.
In February 2020, NIST published SP800-171 r2. The revision includes minor editorial changes to the original publication in Chapter One (Introduction), Chapter Two (The Fundamentals), Glossary, Acronyms, and Referenced Appendices. No changes were made to Chapter Three (The Requirements).
What does all of this mean?
In short, if you are a government defense contractor and you receive controlled unclassified information, you must comply with NIST SP800-171. In some cases, if you are a downstream vendor of a government contractor, you will likely also be asked about compliance.
There are 14 categories outlined in the guidance listed below:
● Access Control
● Media Protection
● Awareness and Training
● Personnel Security
● Audit and Accountability
● Physical Protection
● Configuration Management
● Risk Assessment
● Identification and Authentication
● Security Assessment
● Incident Response
● System and Communications Protection
● System and Information Integrity
Each category has numerous objectives that must be achieved, consisting of various processes, procedures, and systems that may have to be implemented in order to achieve compliance with this mandate. Many articles have been written on this topic and on how to comply, typically covering the usual technical controls such as encryption, firewall rules, and multi-factor authentication; however, much of the guidance is process related rather than technical, which makes it obscure and difficult to read.
The good news is that many organizations are already in compliance with quite a few of the objectives listed above. Most gaps exist where controls need to be strengthened, where policies need to be created, and where acquisition of additional software or hardware needs to be considered. A lot of organizations can handle many of these tasks in-house, but don't discount the benefit of an external IT consultant who has experience with this regulation and can assist in closing the gap or provide services and software.
Putting together a game plan for compliance can be a daunting task, especially if you don't know how to comply with items such as performing a risk assessment or creating a vulnerability program. Peters & Associates can help you put together a strategy for understanding where the gaps are and executing the project to close those gaps. Compliance initiatives are something we work with continually across many industries. Contact us today for more information at firstname.lastname@example.org or 630.832.0075.
Initially published April 26, 2017 – Updated December 3, 2020