Why You Need an MSP That Knows NIST 800-171 Compliance

Posted by Karen Kiewski on Mar 10, 2021 10:00:00 AM


Modern businesses have to meet a lot of different regulatory compliance standards—and the specific standards they need to meet may vary depending on their industry and target audience. One compliance standard that applies to many companies that work with government agencies, or that act as subcontractors to companies working with the government, is NIST 800-171.

What is NIST 800-171? What does compliance with these standards require from your business? Why should your company worry about NIST 800-171 compliance? How can your managed services provider (MSP) help with compliance requirements?

What Is NIST 800-171 Compliance?

NIST 800-171 Rev 2 is a standard for “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” published by the National Institute of Standards and Technology (NIST).

This special publication from NIST (which is part of the U.S. Department of Commerce) outlines “recommended security requirements for protecting the confidentiality of CUI” (CUI meaning controlled unclassified information) when it is stored in or processed by a nonfederal system.

Compliance with NIST 800-171 means that the organization meets the specific minimum thresholds for protecting the confidentiality of CUI that are required in order to continue processing and storing unclassified data on behalf of a government entity.

Because the primary goal of NIST 800-171 is data confidentiality and not data availability or integrity, the protections it mandates are somewhat different from others like the EU’s General Data Protection Regulation (GDPR) or the USA’s Health Insurance Portability and Accountability Act (HIPAA)—both of which do emphasize ensuring the availability of specific data.

It’s important to note that NIST SP 800-171 Revision 2 does have requirements for system and information integrity. However, they focus more on protection from malicious code.

Security Requirements in NIST 800-171

NIST 800-171 compliance requirements for protecting CUI are divided into fourteen different “families” in the rev 2 version of the special publication. Each of these fourteen families of security requirements is further divided into “Basic” and “Derived” requirements. The fourteen families of security requirements are:

  1. Access Control. Requirements that limit access to systems or data to authorized users and impose limits on the types of transactions users can make to protect CUI from unauthorized access.
  2. Awareness and Training. Requirements to ensure that authorized users know the security risks they face and the acceptable use policies of the organization.
  3. Audit and Accountability. Rules regarding keeping systems in place to ensure that data access can be monitored, investigated, and reported on to trace unauthorized access attempts to specific users.
  4. Configuration Management. Requirements to establish processes for creating and maintaining organizational system configurations throughout the lifecycles of different hardware, software, and firmware solutions—complete with documentation of these configurations.
  5. Identification and Authentication. Requirements for ensuring that system users, processes, and devices can be reliably identified and authenticated to prevent unauthorized access of sensitive systems and data.
  6. Incident Response. NIST 800-171 requires that organizations have the ability to detect, analyze, contain, and recover from security incidents. This includes documented processes and conducting periodic tests of the incident response plan (IRP).
  7. Maintenance. Processes for maintaining systems to prevent illicit access to CUI. This includes wiping the data from decommissioned equipment or equipment being moved “off-site” for maintenance.
  8. Media Protection. A set of guidelines for controlling access to the physical media (servers, hard drives, disks, etc.) that may contain CUI to authorized users and controlling the use of removable media (USB drives, CDs/DVDs, etc.) on systems.
  9. Personnel Security. Requirements for ensuring that personnel interacting with CUI are properly screened for their “conduct, judgment, loyalty, reliability, and stability” prior to being given access to CUI. This also means ensuring that systems containing CUI are protected during and after personnel are terminated or transferred (such as by revoking access privileges or terminating user accounts).
  10. Physical Protection. Rules to limit physical access to the organization’s systems and equipment, ensure adequate monitoring of facilities, and document physical access events.
  11. Risk Assessment. A set of requirements where organizations are obligated to assess the risks their operations face, perform vulnerability scans, and take steps to remediate their biggest vulnerabilities.
  12. Security Assessment. Organizations are required to assess their security controls to verify their efficacy and address any deficiencies—and to do this on an ongoing basis to protect against ever-evolving threats.
  13. System and Communications Protection. Requirements to ensure that communications and data are protected while in transit. Additionally, systems need to be protected at both the perimeter (i.e., where the organization’s network connects with the internet) and at key internal boundaries (e.g., specific servers and databases need firewalls that keep them isolated from other assets on the network) to create a “defense in depth” strategy that minimizes data breach risks.
  14. System and Information Integrity. A set of requirements for businesses to identify, report, and correct system flaws in a timely manner, utilize up-to-date protective measures to defend against malware, and watch for system security alerts and security advisories that warn them about emerging cyber threats.

What NIST 800-171 Regulations Mean for Your Business

So, what does NIST 800-171 mean for your business? Following the regulations can open a lot of doors for companies that want to work with government agencies or with other companies that do so. Being compliant allows companies to work with new potential partners and open up new revenue opportunities.

Additionally, meeting these data confidentiality guidelines can help businesses improve their own data security. This helps to reduce the risk of a data breach—an event that can cost American businesses an average of $8.64 million according to data from an IBM/Ponemon study.

For companies already pursuing government contracts, NIST 800-171 is a vital standard that needs to be maintained. Failing to meet these standards puts businesses at risk of losing lucrative contracts and partnerships.

While meeting NIST regulations may add some expenses to IT operations, the long-term benefits can easily outweigh the costs.

4 Reasons Your Business Needs an MSP That Knows NIST 800-171 Compliance

So, where does a managed service provider factor into the compliance equation? Why do you need an MSP that knows NIST 800-171 compliance instead of simply relying on internal resources to get the job done?

Here are a few reasons why you should partner with an MSP who has experience in dealing with NIST 800-171 compliance requirements:

  • To Identify Critical Security Controls and Gaps. Which security controls does your business have in place that meet NIST requirements? What gaps are there in your security controls that need to be addressed to meet compliance standards? An experienced MSP can help you assess your current controls and identify gaps that need to be filled. Better yet, they can identify which controls most efficiently and effectively address those gaps.
  • To Minimize the Financial Impacts of Compliance. There can be some significant overlap in different parts of the 800-171 compliance standard. For example, Access Control has some overlap with Identification and Authentication, since effective access control requires the ability to identify who is trying to access data and authenticate that attempt. An experienced NIST compliance partner can help you identify the tools and solutions that meet multiple parts of NIST 800-171’s requirements so you can avoid redundant compliance spending. This helps to save money on compliance (while simplifying the deployment of compliance solutions).
  • To Reduce Compliance Risks. Compliance can be a complicated topic, requiring a lot of new documentation, processes, and tools. Additionally, compliance standards can change over time—the fact that the special publication for the standard, as of March 2021, is called NIST 800-171 rev 2 (meaning it’s the second revision to the standard) is proof of that. Unfortunately, this complexity and the periodic changes can create compliance risks since it’s easy to miss a critical control or for a solution to become obsolete. An experienced MSP can help keep you informed of important updates or changes so that you can adjust your security controls to stay up-to-date with the latest compliance standard.
  • To Save Time on Compliance Management. Keeping an eye out for regulatory changes, keeping security solutions up-to-date, and managing all of the security tools and documentation needed for compliance is an enormous time sink. Having a dedicated MSP partner who can tackle your NIST compliance requirements with you can help you save a lot of time and effort on your compliance management workflows.

Basically, working with a managed service provider for NIST compliance helps you save time and money while making it easier to meet your company’s compliance requirements.

How Your Business Can Prepare for NIST 800-171 Today

So, what should you do if you need your business to be NIST 800-171 compliant right away? Here are a few things you can do to get ready:

  • Download the latest version of the NIST document from the Computer Security Resource Center (CSRC).
  • Start auditing your company’s IT assets and create a list of the security tools and procedures used to secure them. This is important for assessing any gaps between your existing protections and the requirements of NIST 800-171.
  • Create a “Plan of Action” for addressing any shortcomings. The CSRC has a template for this that may prove useful.
  • Check for updates to any existing security solutions and software.
  • Conduct a cybersecurity risk assessment to identify the biggest risks your organization faces and the best solutions for addressing those risks.
  • Check your vendors to verify that their own internal processes and security solutions are NIST-compliant.
  • Clean up your authorized user lists on your system to remove former employees, unauthorized contractors/vendors, and redundant accounts.
  • Conduct a test of employees’ knowledge of basic security topics and provide training to address deficiencies.
  • Work with a managed service provider who can identify any critical compliance issues that you may have accidentally missed.
  • Check for other regulatory compliance standards that you may have to meet.

NIST 800-171 Checklist

Here’s a quick list of basic things to check when preparing for NIST 800-171 compliance:

| Compliance Standard | Is Our Company Doing This? Yes, No, or Unsure (Y, N, or U) |
|---|---|
| Limiting System Access to Authorized Users, Processes, and Devices | |
| Restricting Access to the Types of Transactions Specific Users Are Authorized For | |
| Ensuring That ALL Users Are Aware of Security Risks and Applicable Policies | |
| Providing Training to Users so They Can Carry Out Their Assigned Info Security Duties | |
| Creating and Retaining System Logs Sufficient to Enable Monitoring, Analysis, Investigation, and Reporting of Unauthorized Activity | |
| Maintaining Logs to Track User Activity Back to Specific Users | |
| Documenting “Baseline Configurations” to Use as a Basis for Future Builds or Changes to Systems | |
| Establishing and Enforcing Security Configuration Settings for IT Assets | |
| Identifying All System Users, Processes, and Devices | |
| Authenticating/Verifying User, Process, and Device Identities before Granting Access | |
| Creating and Implementing an Incident Response Plan | |
| Documenting Security Incidents & Reporting Them | |
| Performing Frequent System Maintenance | |
| Preventing Physical Access to IT Assets and Paper Documentation with CUI | |
| Sanitizing/Destroying IT Assets with CUI before Disposal/Reuse/Resale | |
| Marking Anything with CUI with Appropriate NARA Marks | |
| Screening New Employees with a Documented Vetting Process | |
| Protecting/Monitoring Company Facilities to Prevent Unauthorized Access | |
| Conducting Risk Assessments and Vulnerability Scans | |
| Testing Security Controls to Determine Their Effectiveness | |
| Using Firewalls to Protect Both Internal and External Boundaries | |
| Identifying, Reporting, and Correcting System and Security Flaws | |
| Using Basic Antimalware Solutions to Protect Against “Malicious Code” | |
| Installing Detection Solutions to Identify Potential Security Breaches | |
