Traditionally, when people think of National Institute of Standards and Technology (NIST) publications, they think of documents that apply strictly to federal government entities or contractors supporting the federal government. However, NIST also releases publications designed for organizations in the private sector as well.
IT-Related NIST Publications
Under the NIST umbrella is the Information Technology Laboratory (ITL) whose purpose is to “promote the US economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure.” ITL is responsible for developing tests, test methods, reference data, proof of concept implementations, and technical analyses to support the development and use of information technology. Basically, that means that NIST (and more specifically ITL) is responsible for developing baseline requirements for federal information systems. As part of that mission, ITL publishes the Special Publication (SP) 800-series of documents designed to report on ITL’s research and guidance in the IT realm. This series provides information to both federal and private sector entities on everything from data encryption methodologies to media sanitation guidelines and beyond.
Special Publication 800-171
The publication in the 800 series I wanted to talk about here is the NIST SP 800-171 Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations. This document was originally written and published as a response to an executive order signed in 2010 directing federal agencies to find more effective ways to protect the confidentiality of CUI. More specifically, this document includes a roadmap for organizations outside of the federal government that transmit, process, or store CUI in some capacity to comply with federal guidelines on information confidentiality.
The document is broken down like all NIST special publications into front information (abstract of document purpose), chapters including the meat of the subject matter, and several supplemental appendices. It can be hard to wade through all of that, but the gist of what you need to look at if you’re an organization attempting to implement the requirements is in Chapter 3. This chapter lays out the requirements in the following 14 families/subject areas:
|
Control Families |
|
|
Access Control |
Media Protection |
|
Awareness & Training |
Personnel Security |
|
Audit & Accountability |
Physical Protection |
|
Configuration Management |
Risk Assessment |
|
Identification & Authentication |
Security Assessment |
|
Incident Response |
System & Comm. Protection |
|
Maintenance |
System & Information Integrity |
The control families are derived from another NIST publication: FIPS 200 Minimum Security Requirements for Federal Information and Information Systems. The controls in that document targeted toward protecting information confidentiality are used as the basic control framework for 800-171. Since the FIPS 200 basic controls tend to be pretty vague, like most control frameworks, NIST fleshed out the high level basic controls with what they call “derivative controls” that are taken from NIST 800-53 Security and Privacy Controls for Federal Information Systems and Organizations. These controls are more specific and dialed in enough to be actionable; however, the controls are left open enough to be scalable to larger or smaller organizations. For example, a larger organization may have the capacity to do vulnerability scans monthly, while a smaller organization may only have the capacity to do them quarterly. Both timeframes are acceptable under the 800-171 requirements because both organizations are doing scans periodically based on individual capabilities.
The appendices of the document include a reference section, a glossary of common terms used throughout the document (sort of a decoder ring for those of us not used to dealing with esoteric government terminology), control mappings between CUI security requirements and other common assessment frameworks, and 800-53 tailoring criteria that provides a visual understanding of why certain 800-53 controls were not included as derivative controls in 800-171.
Who Does It Apply To
This document is applicable to government contractors and sub-contractors storing, transmitting, or processing federal government information determined to be of a sensitive nature (CUI).
What It is Not
This document is not intended to be used to address the integrity or availability of CUI, it is only intended to describe controls that will protect the confidentiality of that information.
Conclusion
The federal government has recognized that agencies are relying more on external service providers for specialized processing, storage, or transmission services related to CUI. NIST 800-171 was designed to provide those agencies with a sense of comfort that those service providers will be handling CUI in similar way to the agencies themselves. If you’re interested in learning more about how to start the NIST 800-171 compliance process, feel free to contact us. We would love to talk to you!
Additional Light Reading Resources
- CUI Registry: Provides official definitions/descriptions of terms related to CUI.
- CUI Training: Provides some training on what CUI is along with the original executive order and the differences between CUI information and FOIA information.
- NIST 800-53 Rev 4 Security and Privacy Controls for Federal Information Systems and Organizations: Document tailored to provide derivative controls for 800-171.
- FIPS 200 Minimum Security Requirements for Federal Information and Information Systems: Document used to create basic controls for 800-171.
Laura is a Manager with YHB and serves on the Risk Advisory Services Team. Laura focuses on assisting organizations in a variety of industries with IT-related audit and consulting services.
