LBMC Information Security has been in the IT security and compliance business for over 20 years. During that time, we have amassed considerable experience with FISMA/NIST 800-53. Now we have extended that expertise to NIST 800-171 certification. All non-federal agencies that access Controlled Unclassified Information (CUI) and DoD Covered Defense Information require 800-171 certification.
Steps to Conduct a NIST Assessment
To ensure that our clients maintain a compliant state and strong control environment, LBMC performs our NIST assessments using the following steps:
- Kickoff Call – To discuss engagement logistics, verify controls to be tested, confirm onsite scheduling, review evidence request processes, and answer any pre-engagement questions
- Documentation Review
- Interviews with individuals responsible for the control implementations to gain an understanding of the current processing environment.
- Conduct a performance review audit of NIST specified controls and an onsite walk-around.
- Debrief and issuance of the final audit report
Does my business need NIST compliance?
If you are like the thousands of other government contractors struggling to understand compliance and how many resources it will take to become compliant, know that you are not alone! Don’t worry, odds are you are already in compliance to a large degree.
Cybersecurity breaches are a common threat that seems almost normal in this day and age. However, our government, along with the security expertise of NIST, continue to seek more secure and efficient ways to safeguard our data. When determining the level of information security your organization should implement, the risks of your data being compromised should be the driving factor. Less-obvious, lower risk organizations are targets for the theft of confidential government information, and the federal government now is taking additional steps to safeguard their security.
A primary target for hackers are non-federal organizations that have access to federal data including citizen’s higher education, tax, and healthcare records. This type of information is of high value to malicious users looking to either directly exfiltrate this information or establish a foothold as a jumping off point to larger federal agency targets. Additional organizations of interest are higher learning institutions that leverage government data for research, development, and/or government grants. Although data in transit must be protected per federal encryption requirements, the larger question that comes to mind is – What controls should be in place to also protect the data once it reaches the intended recipient? That is where NIST 800-171 becomes relevant. This standard was implemented to help fill the gaps of protecting Controlled Unclassified Information (CUI) on non-federal information systems.
CUI is defined as “information that law, regulation, or government-wide policy requires safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended (Executive Order 13556)”. So what does this long and complex government definition really mean?
If you are a government support contractor, for example, that has access to federal information systems or government data that isn’t labeled as classified, or a university using Medicare data for statistical research, you may have access to CUI as part of your contract and therefore obligated to protect it. Any contractor that supports federal information systems and has access to CUI is potentially impacted by NIST SP 800-171, and CUI isn’t necessarily limited to raw data records. It also applies to data that is collected, stored, and documented in support of federal information system. This includes project management, technical writing, system development, and consulting.
The Differences between NIST 800-171 and NIST 800-53
At a high level, the NIST SP 800-53 security standard is intended for internal use by the Federal Government and contains controls that often do not apply to a contractor’s internal information system. NIST SP 800-53 provides federal organizations with the top-level requirements and is more specific to providing security and privacy controls for federal information systems and organizations.
On the other hand, NIST SP 800-171 applies to internal contractor information systems and provides a standardized set of requirements for all CUI security needs to allow non-federal organizations to follow statutory and regulatory requirements by consistently implementing CUI safeguards. Additionally, many of the NIST SP 800-171 controls are about general best security practices for policy, process, and configuring IT securely, and this means in many regards, NIST SP 800-171 is viewed as less complicated and easier to understand than its NIST SP 800-53 counterpart.
NIST SP 800-171 is unique in that it is tailored to eliminate FIPS 200 and NIST SP 800-53 requirements that are:
- specific to government-owned systems
- not related to CUI, or
- expected to be satisfied without specifications (i.e., policy and procedure controls).
NIST SP 800-171 includes just over a hundred controls broken across 14 control families and is more concise in nature, making it less complex to implement for non-federal organizations.
One of the unique characteristics of the NIST SP 800-171 is the flexibility non-federal organizations have in defining how requirements are implemented. The requirements do not mandate any particular technological solutions, and allow contractors, if they choose, to protect information using the systems they already have in place, rather than trying to use government-specific approaches. This is great news for organizations that already have existing mature systems and will likely mean that they will not have to “rip and replace” their existing security program.
Security requirements in NIST SP 800-171 are designed to protect CUI residing in contractor information systems while generally reducing the burden placed on contractors to maintain federal-centric processes and requirements. Compliance with NIST SP 800-171 should be viewed as an opportunity to be good stewards of government data as well as an opportunity for these organizations to compete for federal opportunities that others may not qualify for.
All NIST Reports are not Created Equal
Our team members have extensive experience on your side of the desk in a variety of industries with security and compliance mandates. This client-side experience means that we understand how data moves between a user entity’s network and its service organizations. We help you achieve compliance while providing the insights your leaders and stakeholders need to make better business decisions.
Whether you are just getting started with NIST certification, or have been navigating regulations for years from another provider, LBMC Information Security can help you maintain NIST compliance in a complex landscape.