NIST 800-171 Compliance Services

With the prevalence of cyberattacks and data breaches that we see constantly in technology, it only makes sense to have a set of security and encryption standards to protect sensitive data. NIST, which stands for the National Institute of Standards and Technology, is a non-regulatory government agency that publishes guidelines and technology standards, including standards for encryption and cybersecurity. While the main reason many companies desire to be compliant with the NIST 800-171 standard is so they can work with the federal government’s Controlled Unclassified Information (CUI), having strong standards for encryption and cybersecurity is essential in its own right in a world where over 160 million data records were exposed by breaches in 2019 alone.

Organizations spend enormous amounts of time and effort ensuring they are NIST 800-171 compliant, and even then, they run into small errors or setbacks due to a misunderstanding of the bureaucratic, regulatory language in the guidelines or because of a different minor detail. FullScope IT can help you avoid those problems.

What IS NIST 800-171?

NIST 800-171 is a specific set of guidelines referring to the protection of CUI in non-federal systems. Organizations that want to win contracts with federal agencies and be able to handle federal data often need to maintain the standards in NIST 800-171 or risk losing work. Government agencies need assurance that their CUI is going to be protected, and they take any security risks regarding CUI very seriously.

NIST 800-171 will impact anything that stores, transmits, or protects, CUI, which could include:

• Computers
• Laptops
• Servers
• Mobile devices (Tablets, cell phones, etc.)
• Printers
• Shredders

Additionally, NIST 800-171 not only touches your IT systems, but every aspect of your business that is involved in the processing of CUI. This means a different way of running your business than many small companies are used to, things that historically were more likely to be seen in larger organizations. Here are some examples:

• Change management
• Least privilege
• Role separation
• Multi-factor authentication
• Requirement for the usage of FedRAMP Moderate Authorized cloud vendors when storing CUI in the cloud (DFARS 7012 requirement for DOD contractors processing/storing/transmitting CUI)
• Requirement for the usage of FIPS validated cryptography when used to protect CUI

How do we achieve NIST 800-171 Compliance?

Complying with NIST 800-171 is a large undertaking. It starts with having a system security plan (SSP), and a plan of action & milestones (POAM). The SSP is the document detailing if and how your company complies with each of the 110 controls in NIST 800-171. The POAM details any deficiencies in your current system, how you plan on overcoming them, and when you plan on overcoming them. Federal agencies that require compliance with 800-171 are most likely going to require a copy of your SSP & POAM during the bid award process. Your prime contractors (if you are a sub-contractor), may also request these documents. These documents should be closely guarded and protected, and only released when appropriate and when there is an NDA in place. Many companies create a chopped down version of their SSP/POAM to provide to the government or prime contractors, as only so much sensitive information can be contained in them.

Many companies see NIST 800-171 compliance only as an IT issue – but IT is only one small part. Every part of your organization will be touched by implementing 800-171 - from business development, to HR, to IT, to physical security. The document is not prescriptive for most of its controls, meaning that how you implement the requirements will, most likely, be somewhat unique to your company, but we can help you find the best solutions for you.

If you need to achieve NIST 800-171 compliance, reach out to us to discuss the best path and timeline of implementation for your company and needs. Depending on your size and operational needs, it may make sense to implement a variety of different solutions, such as:

• Implementing a virtual enclave where all CUI is stored and processed, taking the majority of your company out of scope for compliance
• Migrating your CUI processing environment to a FedRAMP Moderate Authorized cloud vendor, where you are able to inherit a large number of 800-171 controls directly from a compliant vendor, and maintain DFARS 7012 compliance in addition to 800-171
• Upgrading security and controls on all your current machines to comply with NIST 800-171

Additionally, if you do not currently have an SSP or a POAM, you will need to create one for your system. Your system entails everything involved in CUI processing, not just a firewall, server or computer. FullScope IT can assist with this aspect of the NIST 800-171 compliance process or work with your preferred cybersecurity vendor if you desire. Documenting processes, policies, and procedures to go along with your SSP are also critical and they will need to be created for your business if they do not already exist.

FullScope IT attacks NIST 800-171 compliance in a different way than many cybersecurity vendors – we go the route of building your compliant IT environment to standard, rather than analyzing your current non-compliant environment like many traditional cybersecurity firms do. We can save you a substantial amount of your cybersecurity budget-- often over $10k for an assessment that simply tells you that you are not compliant, which you most likely already know. Instead you can use that budget where you need it - implementing the controls in 800-171. Our NIST 800-171 compliance focused managed IT services are built from the ground up to meet the needs of federal contractors looking to simplify compliance on the IT side of their business, while working with the other aspects of your business to see the big picture of compliance.

Find out the most commonly overlooked aspects of compliance in our NIST 800 171 compliance checklist!

NIST 800-171 Q & A's

• What is NIST 800-171?

  NIST 800-171 is a set of requirements published by NIST for non-federal agencies to follow in order to store, process, or transmit Controlled Unclassified Information (CUI) or provide security for any of the systems that do so.

• What does NIST stand for?

  NIST stands for the National Institute of Standards and Technology and it is a federal non-regulatory agency.

• What is FIPS?

  FIPS, or Federal Information Processing Standards, are a set of standards that NIST has published for use in computer systems by non-military federal agencies and government contractors. Following FIPS is an important part of NIST 800-171 compliance.

• How Does a Product Become FIPS Validated?

  Products can receive FIPS validation by being independently reviewed and certified by a laboratory approved by NIST. Simply meeting the requirements of FIPS means you are FIPS compliant, but FIPS validation means that an approved lab has issued a company a certification. This certification can be confirmed on NIST’s public website.