If your organization works directly with the Federal Government, chances are you are already familiar with NIST 800-171 compliance. Developed by the US National Institute of Standards and Technology (NIST), this set of guidelines dictates how contractors and sub-contractors of Federal agencies should manage Controlled Unclassified Information (CUI) and Personally Identifiable Information (PII) such as social security numbers, medical records and other data.
At a glance, NIST 800-171 encompasses best practices from a variety of security documents and organizations and prevents contractors from sharing confidential information while it’s in their possession. The NIST authors explain that the compliance “provides general descriptions for each [category and subcategory], identifies the basis for controls, and sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, reusing, and disposing of the information.”
Essentially, there are 14 controls related to the compliance requirements:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Focus on Systems Protection
As companies accumulate more and more data and applications, the application layer of an IT infrastructure becomes an easy target for attackers because it is so often the least protected layer. While organizations spend between 45 and 50 billion dollars annually on security, only a tiny share of that investment goes to safeguarding applications. That’s why over 84% of cyber attacks that took place in the past five years were performed on the application layer.
To help safeguard applications, Section 3.11.2 of NIST 800-171 requires contractors to conduct periodic risk assessments by scanning their applications and systems for new vulnerabilities. Contractors are also required to monitor systems and remediate vulnerabilities as they are found. This means that, as a contractor, it’s your responsibility not only to perform risk assessments but also to supply security services to customers, whether on-premises or in the cloud.
7 Tips for NIST 800-171 Compliance
Contractors who wish to keep existing jobs and win new bids will have to comply with NIST 800-171, since it provides a consistent baseline for limiting the risk of significant data breaches. You can achieve NIST 800-171 compliance by following these steps:
- Locate systems that hold CUI. This includes local and cloud storage, endpoints and even portable drives.
- Classify CUI and separate the files that hold it from information that does not qualify, so that you can demonstrate NIST 800-171 compliance in the event of an audit.
- Implement Role-Based Access Control (RBAC), so only authorized employees can view and manage classified data.
- Encrypt data to ensure an additional security layer for the systems that hold and transmit it. Encrypted data enables compliance while providing authorized users with an ability to share files through familiar systems safely.
- Monitor user activity. NIST 800-171 requires contractors to trace the actions of users with CUI-level access so they can be held accountable in the event of malicious action.
- Educate your employees on the information exchange governance and ensure they are aware of the security risks associated with handling CUI.
- Regularly conduct security risk assessments by examining all systems and information exchange protocols.
Finding The Right Solution
While the primary goal of NIST 800-171 is to ensure that an organization’s infrastructure is secure, following its guidance doesn’t fully protect your customers from malicious attacks and data loss. At the end of the day, your success depends on the ability to provide customers with a healthy security posture. Finding a security solution that can prioritize cyber assets and identify risk thresholds and an optimal monitoring frequency is the first step to ensuring your organization is compliant with NIST.
5nine Cloud Security can help you meet compliance for NIST 800-171 and achieve multi-layered protection at every point of attack with:
- Network Traffic Control: Integrated virtual firewall controls and isolates traffic between all types of VMs, regardless of guest OS
- Rule-Based Security Groups: Flexibility to create security groups for virtual machines based on customized network traffic rules, including CUI data
- Intrusion Detection: Integrated Cisco Snort IDS identifies and alerts on a variety of attacks and probes – including buffer overflows, CGI attacks and stealth port scans
- Multitenancy and VM Isolation: Tenants are automatically locked down, reducing the risk of threats passing between them
- Adaptive Threat Analytics and Alerts: Machine learning engine continuously monitors traffic to establish a normalized baseline, and subsequently alerts administrators to deviations that require investigation
With 5nine Cloud Security, organizations can take advantage of a simple GUI console, virtual firewall, agentless antivirus with optimized scanning, deep packet inspection, intrusion detection (IDS), and network analytics with granular user and tenant access control. Today, businesses of any size can meet their industry’s compliance and regulatory needs by deploying 5nine Cloud Security.
Maria is a strategic marketer who brings over a decade of digital marketing experience to 5nine. As a software industry insider, she brings a fresh voice and insight into content development projects at 5nine. Maria enjoys making complex topics accessible and engaging to various audiences by addressing their pain points and tailoring solutions that help IT professionals optimize and streamline their business processes.