If you are a defense contractor handling Controlled Unclassified Information (CUI), then you are required to comply with the DoD’s National Institute of Standards (NIST) 800-171 standard. NIST 800-171 is the industry standard for cybersecurity that ensures this information’s protection and confidentiality. Contractors have had to meet the 110 NIST 800-171 requirements since 2017. And while NIST 800-171 enforcement has been light in the past, this enforcement will ratchet up now that assessments are becoming a reality under CMMC 2.0.
 

 
If you are getting started with NIST 800-171 then this blog will explain what you need to know about the standard and best practices for achieving compliance.

• What is NIST 800-171
• Why you need to comply with NIST 800-171
• How does NIST 800-171 differ from CMMC 2.0
• What are the NIST 800-171 controls
• How to achieve NIST 800-171 compliance
• PreVeil & NIST 800-171

What is NIST 800-171

DFARS 252.204-7012 calls on defense contractors to provide “adequate security” for covered defense information (CUI) that is “processed, stored, or transmitted on the contractor’s internal information system or network”. To provide this level of security, contractors must implement NIST 800-171 and develop a system security plan (SSP) and associated plans of action.
 
NIST 800-171 originated in 2010 as an Executive Order (EO) signed by President Obama. The EO created the CUI category and subcategory, making them exclusive designations for identifying unclassified information that requires safeguarding or dissemination controls.
 
In 2015, the National Institute of Standards (NIST) published its 800-171 standard. NIST has updated the standard several times since then to respond to evolving cyberthreats.
 
In 2017, the Department of Defense (DoD) enacted NIST 800-171 into law through the DFARS clause.
 
Today, NIST 800-171 is the standard for all defense contractors in the Defense Industrial Base (DIB) handling CUI. Defense contractors must meet the requirements set forth by NIST 800-171 to demonstrate their provision of adequate security or risk being ineligible to work on defense contracts.

Why you need to comply with NIST 800-171

Any organization that handles CUI must achieve NIST 800-171 compliance. Defense organizations risk running afoul of their DoD obligations if they do not comply with the controls. Moreover, as CMMC 2.0 rolls out, compliance will be enforced through assessments from C3PAOs (CMMC Third Party Assessor Organization) and the DIBCAC (Defense Industrial Base Cybersecurity Assessment Center).
 
Defense organizations also risk investigation by the Department of Justice if they experience a breach that compromises CUI and it was later found that they misrepresented their security status. The Department of Justice [DoJ] will potentially use the False Claims Act when it finds these sorts of major discrepancies. NIST’s goal is to protect data that’s so vital to our national security, and DoJ is willing to help out on that with the False Claims Act.
 
But compliance is not just a checkmark on a list. With NIST 800-171, organizations also develop a strong cybersecurity program. By complying with the 110 NIST controls and the associated 14 domains, organizations will be able to:

• Develop security training and awareness programs
• Develop better data security
• Enable documentation and measurement for their cyber programs
• Ensure that their cybersecurity progress continues into the future

How does NIST 800-171 differ from CMMC 2.0?

For DIB companies seeking CMMC 2.0 compliance, satisfying NIST 800-171 is a smart place to start. There are, however, key differences between NIST 800-171 and CMMC 2.0.
 
First, CMMC 2.0 is broken down into three levels. There’s level 1 (basic), level 2 (advanced), and level 3 (expert). Most companies will need to achieve level 1 or 2. NIST 800-171 does not have levels.
 
Second, NIST 800-171 was largely left to to self-assessment. In CMMC 2.0 however self-assessment will be possible for level 1. For levels 2and 3, all organizations will need to be assessed by a DIBCAC assessor.

NIST 800-171 Controls

There are 14 control families in NIST 800-171, as outlined in the table below.
 

 
In their system security plan (SSP), defense organizations will describe how they meet each of the 110 controls across the 14 security domains and address known and anticipated threats.
 
Here is an overview of the 14 families.
 
Access Control
 
Ensuring only those personnel, accounts, and system processes that require access to CUI have such access.
 
Awareness and Training
 
Provide appropriate training and skills to those charged with the protection of CUI.
 
Audit and Accountability
 
The contractor must know what CUI information is maintained, where it is stored and processed, and by whom, when and where it is handled.
 
Configuration Management
 
Each component and process of an IT system has a configuration that dictates how it operates. By standardizing and managing configurations, systems and software should perform in definable and measurable ways.
 
Identification and Authentication
 
Employ measures that ensure authorized access is achieved only by those whose identities are confirmed and approved.
 
Incident Response
 
A defined response plan that indicates how the business will respond to a breach and ensure the business can resume operations.
 
Maintenance
 
The plan the team has created to keep IT systems up-to-date and ensure vulnerabilities are addressed, holes patched, and subsystems keep functioning.
 
Media Protection
 
Create policies for how physical media is handled, stored and transported.
 
Personnel Security
 
Plan to ensure employees, contractors and vendors are properly vetted, authorized and approved.
 
Physical Protection
 
Systems that contain CUI may be prone to theft or damage. Protections for portable workstations, laptops, mobile devices, servers and data storage areas to ensure the protection of CUI.
 
Risk Assessment
 
Periodic evaluations of the risks posed to personnel, systems and information and review control measures for adequacy.
 
Security Assessment
 
Periodically test and review security control measures, both logical and physical to verify they meet objectives; refine and update as needed.
 
System and Communications Protection
 
Further measures to protect CUI data from unauthorized exposure; encryption is an important consideration.
 
System and Information Integrity
 
Making sure systems and the data and information they process is trustworthy and has not been maliciously or accidentally altered.

How to achieve NIST 800-171 compliance

Historically defense contractors have approached cyber security requirements as a checklist. NIST 800-171 and CMMC 2.0 turn that on its head. Modern cyber security in the DIB isn’t about checklists, it’s about developing a mindset that focuses on protecting data.
 
To achieve NIST 800-171 compliance, you should first determine where CUI lives in your environment. Ideally, you’ll want to condense that environment into a confined area known as an enclave. By creating an enclave, you will decrease the physical area that needs to be assessed and also decrease the complexity of the compliance exercise overall.
 
Second, you should deploy a solution to protect your CUI. The PreVeil platform, for example, is ideal for SMBs who need only protect CUI in a portion of their organization. PreVeil supports 84 out of 110 NIST 800-171 controls. It is easy to deploy and use. It is also very affordable and can be downloaded for free by your third parties.
 
Third, you should conduct a self-assessment of your organization against the 110 NIST 800-171 controls. You should detail how you are meeting each of the controls through a mix of technologies and policies and be able to provide an example of how each control is met. Alternatively, PreVeil can also provide a pre-populated SSP template that can be the basis for your own document and allow you to identify gaps and areas for improvement in your environment.
 
Lastly, you should hire a third-party MSP, MSSP or RP (Registered Practitioner) to help you meet the remaining controls which you are unable to meet on your own. PreVeil, for example, does not support 26 out of the 110 controls and so recommends that contractors hire a consultant to help create and manage a plan to close the delta.
 
Don’t procrastinate. Implementing a consultant’s compliance recommendations and documentation will likely take at least 6 months or more.

PreVeil and NIST 800-171

The key to achieving NIST 800-171 compliance is a multi-pronged approach encompassing both technology and policy. Implement modern technology solutions in conjunction with appropriate policies and procedures to ensure the security of CUI.
 
Protecting the data is paramount. PreVeil’s file sharing and email platform supports compliance with virtually all of the NIST 800-171 mandates related to the communication and storage of CUI.

PreVeil Drive

PreVeil Drive lets users encrypt, store, and share their files containing CUI. Users can easily access these files from their computers or mobile devices and share them with suppliers and partners.

PreVeil Email

PreVeil Email is an encrypted email service that addresses NIST 800-171 requirements. It adds an encrypted mailbox to Outlook and Gmail. This allows users to send and receive emails under their existing email addresses, while protecting that data with military-grade encryption.
 
These requirements include several contract requirements beyond NIST 800-171’s security controls, which PreVeil also addresses. PreVeil’s key compliance attributes include:

• Meets FedRAMP Baseline Moderate Equivalent as a cloud service
• Stores encrypted data on FedRAMP High AWS GovCloud
• Meets DFARS 252.204-7012 (c)-(g), which stipulates requirements for cyber incident reporting and media preservation
• Uses FIPS 140-2 validated cryptographic module

Conclusion

Compliance with NIST 800-171 now will smooth your company’s path to the new Level 2 when CMMC 2.0 becomes law. PreVeil can facilitate your compliance with NIST 800-171 now and CMMC 2.0 when it passes.
 
To learn more about how PreVeil’s Drive and Email platforms can help your organization improve its cybersecurity and move towards NIST 800-171 compliance, please contact us at preveil.com/contact or (857) 353-6480.