If you are a defense contractor handling Controlled Unclassified Information (CUI), then you are required to comply with the DoD’s National Institute of Standards (NIST) 800-171 standard. NIST 800-171 is the industry standard for cybersecurity that ensures this information’s protection and confidentiality. Contractors have had to meet the 110 NIST 800-171 requirements since 2017. And while NIST 800-171 enforcement has been light in the past, this enforcement will ratchet up now that assessments are becoming a reality under CMMC 2.0.
If you are getting started with NIST 800-171 then this blog will explain what you need to know about the standard and best practices for achieving compliance.
DFARS 252.204-7012 calls on defense contractors to provide “adequate security” for covered defense information (CUI) that is “processed, stored, or transmitted on the contractor’s internal information system or network”. To provide this level of security, contractors must implement NIST 800-171 and develop a system security plan (SSP) and associated plans of action.
NIST 800-171 originated in 2010 as an Executive Order (EO) signed by President Obama. The EO created the CUI category and subcategory, making them exclusive designations for identifying unclassified information that requires safeguarding or dissemination controls.
In 2015, the National Institute of Standards (NIST) published its 800-171 standard. NIST has updated the standard several times since then to respond to evolving cyberthreats.
In 2017, the Department of Defense (DoD) enacted NIST 800-171 into law through the DFARS clause.
Today, NIST 800-171 is the standard for all defense contractors in the Defense Industrial Base (DIB) handling CUI. Defense contractors must meet the requirements set forth by NIST 800-171 to demonstrate their provision of adequate security or risk being ineligible to work on defense contracts.
Any organization that handles CUI must achieve NIST 800-171 compliance. Defense organizations risk running afoul of their DoD obligations if they do not comply with the controls. Moreover, as CMMC 2.0 rolls out, compliance will be enforced through assessments from C3PAOs (CMMC Third Party Assessor Organization) and the DIBCAC (Defense Industrial Base Cybersecurity Assessment Center).
Defense organizations also risk investigation by the Department of Justice if they experience a breach that compromises CUI and it was later found that they misrepresented their security status. The Department of Justice [DoJ] will potentially use the False Claims Act when it finds these sorts of major discrepancies. NIST’s goal is to protect data that’s so vital to our national security, and DoJ is willing to help out on that with the False Claims Act.
But compliance is not just a checkmark on a list. With NIST 800-171, organizations also develop a strong cybersecurity program. By complying with the 110 NIST controls and the associated 14 domains, organizations will be able to:
For DIB companies seeking CMMC 2.0 compliance, satisfying NIST 800-171 is a smart place to start. There are, however, key differences between NIST 800-171 and CMMC 2.0.
First, CMMC 2.0 is broken down into three levels. There’s level 1 (basic), level 2 (advanced), and level 3 (expert). Most companies will need to achieve level 1 or 2. NIST 800-171 does not have levels.
Second, NIST 800-171 was largely left to to self-assessment. In CMMC 2.0 however self-assessment will be possible for level 1. For levels 2and 3, all organizations will need to be assessed by a DIBCAC assessor.
There are 14 control families in NIST 800-171, as outlined in the table below.
Historically defense contractors have approached cyber security requirements as a checklist. NIST 800-171 and CMMC 2.0 turn that on its head. Modern cyber security in the DIB isn’t about checklists, it’s about developing a mindset that focuses on protecting data.
To achieve NIST 800-171 compliance, you should first determine where CUI lives in your environment. Ideally, you’ll want to condense that environment into a confined area known as an enclave. By creating an enclave, you will decrease the physical area that needs to be assessed and also decrease the complexity of the compliance exercise overall.
Second, you should deploy a solution to protect your CUI. The PreVeil platform, for example, is ideal for SMBs who need only protect CUI in a portion of their organization. PreVeil supports 84 out of 110 NIST 800-171 controls. It is easy to deploy and use. It is also very affordable and can be downloaded for free by your third parties.
Third, you should conduct a self-assessment of your organization against the 110 NIST 800-171 controls. You should detail how you are meeting each of the controls through a mix of technologies and policies and be able to provide an example of how each control is met. Alternatively, PreVeil can also provide a pre-populated SSP template that can be the basis for your own document and allow you to identify gaps and areas for improvement in your environment.
Lastly, you should hire a third-party MSP, MSSP or RP (Registered Practitioner) to help you meet the remaining controls which you are unable to meet on your own. PreVeil, for example, does not support 26 out of the 110 controls and so recommends that contractors hire a consultant to help create and manage a plan to close the delta.
Don’t procrastinate. Implementing a consultant’s compliance recommendations and documentation will likely take at least 6 months or more.
The key to achieving NIST 800-171 compliance is a multi-pronged approach encompassing both technology and policy. Implement modern technology solutions in conjunction with appropriate policies and procedures to ensure the security of CUI.
Protecting the data is paramount. PreVeil’s file sharing and email platform supports compliance with virtually all of the NIST 800-171 mandates related to the communication and storage of CUI.
PreVeil Drive lets users encrypt, store, and share their files containing CUI. Users can easily access these files from their computers or mobile devices and share them with suppliers and partners.
PreVeil Email is an encrypted email service that addresses NIST 800-171 requirements. It adds an encrypted mailbox to Outlook and Gmail. This allows users to send and receive emails under their existing email addresses, while protecting that data with military-grade encryption.
These requirements include several contract requirements beyond NIST 800-171’s security controls, which PreVeil also addresses. PreVeil’s key compliance attributes include:
Compliance with NIST 800-171 now will smooth your company’s path to the new Level 2 when CMMC 2.0 becomes law. PreVeil can facilitate your compliance with NIST 800-171 now and CMMC 2.0 when it passes.
To learn more about how PreVeil’s Drive and Email platforms can help your organization improve its cybersecurity and move towards NIST 800-171 compliance, please contact us at preveil.com/contact or (857) 353-6480.