Two Major Compliance Actions Are Due This Year
Since the birth of our nation in the late 1700s, the United States government has mandated various protections for classified information. The safeguarding of unclassified but sensitive information is a more recent occurrence.
This year the security requirements governing the protection of Controlled Unclassified Information (CUI) are center stage, with two major compliance actions required by December 31, 2021, in order for federal agencies to complete full implementation of the CUI Program. Implementation of these security requirements also applies to private sector organizations who wish to continue doing business with federal agencies.
A Brief History of the Regs
In 2004, in the wake of the unprecedented events of September 11, 2001, the 9/11 Commission spotlighted the need for intelligence information—particularly classified information—to be shared cooperatively and transparently across government agencies. The goal was to improve national security through inter-agency communication in order to thwart future events.
In 2009, the scope of the Commission’s recommendations was expanded to include sensitive unclassified information, which makes a world of sense when you think about it. This was defined as all Controlled Unclassified Information (CUI) within the domain of the executive branch of the federal government.
The following year, in 2010, Executive Order 13556 established a comprehensive Controlled Unclassified Information (CUI) Program in support of the 9/11 Commission’s recommendations, with the goal of standardizing the patchwork quilt of agencies’ policies, procedures, and markings that had evolved over time to safeguard sensitive unclassified information. The Information Security Oversight Office (ISOO) was assigned to implement the order and monitor agency actions to ensure compliance. The order also specified that its provisions are to be “implemented in a manner consistent with applicable Government-wide standards and guidelines issued by the National Institute of Standards and Technology (NIST).”
In 2011, the ISOO published the CUI Registry, a central repository of all the laws, regulations, and government-wide policies related to federal agency protection of Controlled Unclassified Information in the executive branch.
In 2016, the ISOO issued 32 CFR Part 2002 to establish detailed policies to guide federal agencies in identifying, safeguarding, disseminating, and disposing of information included in the Controlled Unclassified Information Program.
In 2017, the National Institute of Standards and Technology issued NIST Special Publication 800-171, the definitive resource for organizations who do business with federal agencies in protecting Controlled Unclassified Information under their management.
In February 2020, NIST released Revision 2 of Special Publication 800-171, updating its guidance to reflect the ongoing work of the ISOO in refining the CUI Program. (An errata update in January 2021 corrected various minor errors in Rev. 2 without affecting its substance.)
Most recently, in May 2020, the ISOO published updated CUI Program Implementation Deadlines. These final deadlines are based on federal agencies’ progress and projections as reported to the ISOO, and replace the initial deadlines for meeting CUI security requirements.
CUI Program Implementation Deadlines
The ISOO is charged with overseeing the implementation of the CUI Program security requirements, monitoring agency compliance, and reporting to the National Archives and Records Administration. It has issued the following deadlines for agencies within the federal government executive branch.
By June 30, 2020
- Agencies must have made all employees aware of the CUI Program.
By December 31, 2020
- Agencies must have issued policies that implement the CUI Program.
- Agencies using marking tools to identify Classified National Security Information must have prepared to accommodate CUI markings.
By December 31, 2021
- Agencies must roll out training to all affected employees.
- Agencies must implement or verify that all required physical safeguards are in place.
- Agencies must update all federal information systems to adhere to 32 CFR 2002, specifically the requirements listed in 2002.14.
Intersection with NIST 800-171
NIST 800-171 required federal contractors and other non-federal entities doing business with federal agencies to comply by December 31, 2017. The general consensus at that time was that only a very small percentage of contractors had implemented the requirements, and that much work remained to be done.
As a non-regulatory body, NIST does not enforce compliance or security protections, nor does it need to do so. That’s because any federal agency responsible for handling Controlled Unclassified Information is required to ensure that information is properly safeguarded by all organizations who handle, possess, use, share, or receive CUI on behalf of the agency.
Contractors who fail to comply with NIST 800-171 requirements will not be authorized to work with federal agencies, and contracts will be awarded only to those who can demonstrate compliance.
This is where NIST 800-171, Executive Order 13556, and 32 CFR Part 2002 intersect to create a complete and unified CUI Program across the federal government executive branch and its myriad supply chains.
NIST 800-171 Target Audience
The target audience for NIST Special Publication 800-171 is described as individuals and organizations “in both the public and private sectors.”
- The public sector audience consists of the “federal agencies who establish and convey the NIST security requirements in contractual vehicles or other types of inter-organizational agreements.”
- The private sector audience constitutes those “entities who respond to and comply with the NIST security requirements set forth in those contracts or agreements.”
In both sectors, the audience includes (but is not limited to) components of the organization that have responsibilities for the system development life cycle; acquisition or procurement; system, security, or risk management and oversight; and security assessment and monitoring.
NIST 800-171 Security Requirements
The NIST publication also clearly lays out the requirements for compliance, describing “fourteen families of security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations.” These are presented in Chapter Three of the publication.
The 14 families of security requirements are listed below. Because these requirements constitute sound information security principles and best practices for any organization’s information security program, they will resonate with any information technology or information security professional, at any level, in either the public or private sector.
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
It is noteworthy that security awareness and training for employees is considered crucial enough to merit inclusion in the security requirements.
To understand the structure of each family of the CUI requirements, the Media Protection family on page 29 offers a good example and is presented below. It is also representative of the level of detail provided in each of the requirements.
- Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
- Limit access to CUI on system media to authorized users.
- Sanitize or destroy system media containing CUI before disposal or release for reuse.
- Mark media with necessary CUI markings and distribution limitations.
- Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
- Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport, unless otherwise protected by alternative physical safeguards.
- Control the use of removable media on system components.
- Prohibit the use of portable storage devices when such devices have no identifiable owner.
- Protect the confidentiality of backup CUI at storage locations.
NIST 800-171 Requirements for Security Risk Assessments
For any organization seeking to comply with any set of regulations, conducting a security risk assessment is widely considered the necessary first step in understanding the security posture of the organization at a given point in time.
Following are the requirements established by NIST 800-171 for risk assessments and security assessments. These can be found in Chapter Three, pages 33 to 35, of the current publication (NIST SP 800-171 rev2). While they are presented as two separate assessment requirements, operationally they can be addressed in one security risk assessment.
- Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
- Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
- Remediate vulnerabilities in accordance with risk assessments.
- Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
- Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
- Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
- Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Security risk assessments are not only a best practice for information security but are also required for compliance with NIST 800-171. And while the NIST publication does not specify a frequency for security risk assessments, general practice among Information Technology professionals is annual or bi-annual assessment.
NIST 800-171 and CMMC
One of the most extensive federal supply chains belongs to the Department of Defense, with a network of more than 220,000 contractors and subcontractors, according to the Federal Procurement Data System. Members of this supply chain share two commonalities due to their work with the DoD:
- They are highly attractive targets for hackers, malicious nation-states, and advanced threats.
- They may handle Controlled Unclassified Information and as such are bound by NIST 800-171 requirements.
Recognizing the need to harden its supply chain, in January 2020, DoD introduced its new Cybersecurity Maturity Model Certification (CMMC), developed to better protect sensitive data, including CUI, housed in its contractors’ systems.
The rigorous requirements of this new model support and are, in large part, based on NIST SP 800-171. In essence, the DoD has established and will enforce NIST 800-171 throughout its supply chain by requiring compliance with the CMMC.
All contractors who seek to be awarded DoD work will be required to have achieved the appropriate level of CMMC certification by October 1, 2025. Most are motivated to comply as quickly as possible in order to continue to compete for lucrative DoD contracts and RFPs.
Immediate Assistance for Contractors
Assistance is available to contractors in the DoD supply chain in two distinct but related services.
24By7Security offers a unique, award-winning CMMC Readiness Service designed to thoroughly prepare contractors for compliance and assessment. Assessment is mandatory to ensure that contractors meet all CMMC security requirements before they can be awarded certification by the CMMC Accreditation Body.
In addition, 24By7Security is among the first Registered Provider Organizations who are authorized by the CMMC Accreditation Body to assist contractors in preparing for CMMC compliance.
Executive Order 13556, issued in 2010, established the Controlled Unclassified Information Program across the executive branch of the federal government. 32 CFR Part 2002 outlines the requirements for protecting CUI at the federal level, while NIST 800-171 details the requirements for safeguarding CUI in both the federal and non-federal (i.e., public and private) sectors. Together they create a unified CUI Program across the federal government executive branch and its supply chains.
This year, federal agencies are required to complete the final implementation activities by December 31, 2021. Any federal agency responsible for handling Controlled Unclassified Information is required to ensure that CUI is also properly safeguarded by all organizations who “handle, possess, use, share, or receive CUI on behalf of the agency.” Contractors who fail to comply with NIST 800-171 requirements will not be authorized to work with federal agencies, as contracts will be awarded only to those who can demonstrate compliance.
Did You Know?
The National Institute of Standards and Technology provides substantial guidance to all types of organizations in cybersecurity and security risk management, and offers a formal cybersecurity framework to assist Information Security and Information Technology professionals in developing security programs and managing cybersecurity risk across their organizations. Implementing the NIST cybersecurity framework is a perfect place to begin an information security program or upgrade an established program!