NIST 800-171 – It's not too late to comply

If you are doing business with the Federal Government and the scope of your work involves handling unclassified data, then you must have already heard about NIST 800-171. But, what does it really mean to you and to your organization? Are you 100% sure that you're compliant with these guidelines?

What is NIST 800-171?

Let's begin with the basics. On August 16, 2016, the National Institute of Standards and Technology (NIST) released Special Publication 800-171, Revision 1, or NIST 800-171 for short, titled: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.

The document title alone is a mouthful, but there are two major takeaways: controlled unclassified information (CUI), and nonfederal information systems and organizations.

Controlled Unclassified Information (CUI)

After researching what CUI means, you may have come to the realization that even government agencies have different meanings for this kind of information. To this date, many agencies are still failing to properly label CUI. However, that doesn't preclude you from protecting the information.

CUI comes in many forms and flavors. In the past, you may have seen markings such as: For Official Use Only (FOUO), Sensitive But unclassified (SBU), Sensitive Security Information (SSI), among others.

Executive Order 13556 outlines the issues with unclassified information, and how inconsistencies in applying marking and safeguarding procedures create confusion. It outlines the new CUI designation and creates categories and subcategories to “serve as exclusive designations for identifying unclassified information throughout the executive branch that requires safeguarding or dissemination controls.”

Nonfederal Information Systems and Organizations

Any entity outside of the Federal Government is automatically classified as “nonfederal”. This includes, but it is not limited to: companies of all types (e.g. public and private corporations, partnerships, limited liability companies, S corps, etc.), non-profit entities, joint ventures, independent contractors, subcontractors, business partner, and any inherent information systems holding or hosting CUI.

There are 14 categories of security requirements that must be met. For convenience, these families can be grouped into four main areas:

  • Controls
  • Monitoring & Management
  • End User Practices
  • Security Measures

For a full comprehensive list, refer to NIST Special Publication 800-171.

Does it apply to me?

Ask yourself: Does your company conduct business, either directly or indirectly, as a tiered supplier with the US Federal Government or Department of Defense? If the answer is "yes", then it is very possible that you or your organization will need to comply with NIST 800-171.

You may have been notified by a prime contractor or subcontractor stating that you need to comply with NIST 800-171 by December 31, 2017. Keep in mind that even if you don’t receive notification, you may still need to comply.

The two most common misconceptions when it comes to the applicability requirement are:

  1. "Compliance is necessary for large organizations only."
    Whether you are a single contractor or a Fortune 500 company doing business with the Federal Government, compliance is equally required.
     
  2. "We don't work for the government."
    NIST 800-171 not only applies to organizations dealing directly with the government, but it also applies to all tiered organizations that either directly or indirectly sell to a government supplier. If you're part of the loop, then you need to comply.

Even if NIST 800-171 doesn’t apply to you, wouldn't you want to be ready for when it does?

Is there a certification process?

There is no defined certification process for NIST 800-171. Like PCI DSS and HIPAA, NIST 800-171 compliance is based on the honor system, where being “NIST 800-171 compliant” means that you are self-attesting that your organization complies with all of the applicable requirements. However, this may change in the future.

Am I too late?

NIST 800-171 requires that organizations reached compliance by December 31, 2017. If you're directly or indirectly dealing with the Federal Government, and you or your organization handles CUI, the time to act is now. It is never too late to start the path to compliance.

On the other hand, looking the other way or ignoring these guidelines can have dire consequences not only for you, but potentially for other organizations in the loop as well.

Contract Termination

Compliance with NIST 800-171 is referenced in DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls. It is anticipated that the Federal Acquisition Regulations (FAR) will be revised to incorporate NIST 800-171 guidelines, most likely under FAR 52.204-21. If your contract contains any of these clauses, then it is important that you or your organization complies with these contract terms. The U.S. Government has the right to terminate contracts with prime contractors over non-compliance. Subcontractor non-compliance may cause a prime contractor to be deemed non-compliant as well.

Criminal Fraud

Stating that you're compliant when you’re not could result in a misrepresentation of material facts, which is subject to laws such as the False Statements Act and the False Claims Act. These laws define false statements (or false claims) as any act intended to deceive the United States Government through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information. The consequences for violating these laws range from significant monetary penalties to imprisonment.

Breach of Contract Lawsuits

In addition to regulatory risks, both prime contractors and subcontractors could also be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a NIST 800-171-related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., NIST 800-171 controls).

What do I need to do?

If you're determined to go down the path to compliance, we have a few steps that can help kick start your process:

  1. Read the NIST 800-171
    It certainly helps to understand the source document. In addition to the requirements, it offers details about its purpose, target audience, references, and it also provides a comprehensive set of appendixes that help tailor your compliance process.
     
  2. Perform a "Gap" Analysis
    Based on the NIST 800-171 requirements, you can determine where you are currently compliant, and where you need to work.
     
  3. Map the CUI Data Flow
    Identifying which nodes within your network are used to store or process CUI can help you scope the level of effort really needed to reach full compliance.
     
  4. Assess SAS Vendors for FEDRAMP Certification
    Luckily, you may already be compliant if your SAS providers are FEDRAMP certified. In fact, this may be the opportunity you have been waiting for to make the push to SAS services like Office365 and Google G Suite, both of which have components that are FEDRAMP certified.

It is certainly possible to take matters in your own hands and achieve full NIST 800-171 compliance. Having an in-house cybersecurity staff will make things go easily and quickly.

However, if you lack the time and resources to take on this task, fuxebox's cybersecurity team has the expertise and experience you need to achieve compliance. We invite you to contact us for a professional assessment.

Strive for Greatness.