What is NIST SP 800-171
Cyber attacks can have a devastating impact on businesses, including negative media attention, the inability to conduct business, a damaged corporate reputation and penalties. Many businesses are unaware that they have been attacked until they are notified by law enforcement, customers, auditors or other outside parties. In response to growing privacy requirements and recent cyber attacks, the government has issued new guidelines and contractual requirements for contractors that want to do business with it. One such guideline is National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. To make compliance with NIST SP 800-171 a contractual obligation for defense contractors, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, first issued in November 2013 and later revised to cite NIST SP 800-171, requires covered contractors to implement it. Contractors have until December 31, 2017 to comply with this requirement.
In its simplest form, NIST SP 800-171 is a set of information security requirements for protecting a particular category of government information, controlled unclassified information (CUI), that finds its way into your company's information systems: think email, cloud services, servers, online fax, collaboration sites and so on. It is derived from the much larger catalog of security controls in NIST SP 800-53, tailored down so that you are dealing with a far smaller subset of the overall requirements. Contractors must provide adequate security for this information by meeting the requirements defined in NIST SP 800-171.
It contains 14 families of security requirements, ranging from access control to physical protection, that must be satisfied. If you have secured classified information systems in the past, these requirements should ring a bell, because many of them parallel controls called out in Chapter 8 of the National Industrial Security Program Operating Manual (NISPOM).
How Does It Affect Me?
Additional Responsibilities. The impact on you as an Industrial Security professional will depend on how your company intends to implement the requirements and what role you are asked to play. As is fairly common, your company may want you to take on additional responsibilities because of your role as a Facility Security Officer (FSO). Know that NIST SP 800-171 (requirement 3.1.4) requires the duties of individuals to be separated so that no single person can carry out malicious activity without colluding with someone else; concentrating every security role in the FSO can work against that.
New Reporting Requirements. To comply with NIST SP 800-171, your company needs to know what CUI, if any, is being collected, stored, used or transmitted on its information systems. As an Industrial Security professional you will want to know this as well, because NIST SP 800-171 requires cyber incidents to be tracked, documented and reported, and DFARS 252.204-7012 requires cyber incidents affecting covered systems to be reported to the Department of Defense within 72 hours of discovery, with images of affected systems and relevant monitoring data preserved for at least 90 days so they are available as forensic evidence. Depending on what was affected, these reporting requirements may also mean notifying your Cognizant Security Agency (CSA).
Enhanced Security Controls. If your company has classified information systems, you will be familiar with the concept of a System Security Plan (SSP). Creating and maintaining an SSP is also a requirement under NIST SP 800-171 (requirement 3.12.4). In the same way that classified information systems must be monitored for vulnerabilities and insider threats, NIST SP 800-171 extends that monitoring to company information systems that hold CUI. As an Industrial Security professional, you need to understand how NIST SP 800-171 requirements map to NISPOM requirements (see Figure 1) so you can confirm the security controls have been implemented, advise those responsible on how to close any compliance gaps, and update your Standard Practice Procedures (SPP).
Figure 1. Mapping of the NIST SP 800-171 Personnel Security family (3.9) to the corresponding NISPOM Chapter 8 controls.

| NIST SP 800-171 Security Requirement | NISPOM Relevant Security Controls |
|---|---|
| 3.9 Personnel Security | |
| 3.9.1 Screen individuals prior to authorizing access to organizational systems containing CUI. | 8-302.a.(1) Individuals occupying positions of responsibility for classified ISs meet the security criteria established for those positions. |
| 3.9.2 Ensure that CUI and organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. | 8-302.a.(2) Classified information and ISs are protected during and after personnel actions, such as resignations, retirements, terminations, transfers, or loss of access to the system for cause, or the individual no longer has a reason to access the IS; in such circumstances, the individual's user ID and its authentication will be disabled or removed from the system and the account. |
| | 8-302.a.(3) The contractor is required to review audit logs in accordance with CSA-provided guidance, as a component of its continuous monitoring, to determine if there are any personnel failing to comply with security policies and procedures and to take appropriate administrative actions. In addition, when circumstances warrant, the contractor will review audit logs more immediately, if necessary, for inappropriate activity and employ appropriate administrative actions for personnel failing to comply with security policies and procedures. |
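The 3.9.2 / 8-302.a.(2) row is the one most often verified by hand: someone pulls the HR list of terminations and transfers and checks it against the account list of the system holding CUI. The script below is an added example, not part of the original article, that automates that reconciliation. It reads a constructed HR personnel-action export and a constructed account export (the CSV column names are assumptions) and flags accounts that remain enabled after a termination or resignation, accounts that still need an access review after a transfer, and any account used after its personnel action took effect, which is the evidence the audit-log review in 8-302.a.(3) is looking for.

```python
"""Account reconciliation check for personnel actions.

Added example, not from the original article: compares a constructed HR
personnel-action export against a constructed account export from a system
holding CUI and flags the gaps that NIST SP 800-171 3.9.2 and NISPOM
8-302.a.(2) are meant to close. File formats and column names are assumed.
"""
import csv
from datetime import date, datetime
from io import StringIO

# Constructed HR export: one row per personnel action (assumed columns).
HR_ACTIONS_CSV = """employee_id,action,effective_date
E1001,termination,2017-10-02
E1002,transfer,2017-10-05
E1003,resignation,2017-09-15
"""

# Constructed account export from the CUI system (assumed columns).
ACCOUNTS_CSV = """username,employee_id,enabled,last_logon
asmith,E1001,true,2017-10-04
bjones,E1002,true,2017-10-01
cwu,E1003,false,2017-09-14
dlee,E1004,true,2017-10-06
"""

# Personnel actions after which the account must be disabled or removed.
DISABLE_ACTIONS = {"termination", "resignation", "retirement"}


def _date(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def load_actions(csv_text):
    """Map employee_id -> (action, effective_date)."""
    return {row["employee_id"]: (row["action"].strip().lower(), _date(row["effective_date"]))
            for row in csv.DictReader(StringIO(csv_text))}


def load_accounts(csv_text):
    """List of account dicts with typed 'enabled' and 'last_logon' fields."""
    accounts = []
    for row in csv.DictReader(StringIO(csv_text)):
        accounts.append({
            "username": row["username"],
            "employee_id": row["employee_id"],
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": _date(row["last_logon"]),
        })
    return accounts


def audit(hr_csv, accounts_csv, as_of):
    """Return (username, severity, message) findings as of the given date."""
    actions = load_actions(hr_csv)
    findings = []
    for acct in load_accounts(accounts_csv):
        if acct["employee_id"] not in actions:
            continue  # no personnel action on file for this account
        action, effective = actions[acct["employee_id"]]
        if effective > as_of:
            continue  # action not yet effective; nothing to enforce yet
        if acct["enabled"] and action in DISABLE_ACTIONS:
            days = (as_of - effective).days
            findings.append((acct["username"], "high",
                             f"account still enabled {days} days after {action}"))
        elif acct["enabled"]:
            # Transfers keep the account but the access it grants must be re-reviewed.
            findings.append((acct["username"], "medium",
                             f"enabled after {action} effective {effective}; confirm access matches new role"))
        if acct["last_logon"] > effective:
            findings.append((acct["username"], "high",
                             f"logon on {acct['last_logon']} after {action} effective {effective}"))
    return findings


def run_example():
    """Run the audit over the constructed data as of 2017-10-10."""
    return audit(HR_ACTIONS_CSV, ACCOUNTS_CSV, date(2017, 10, 10))


if __name__ == "__main__":
    for username, severity, message in run_example():
        print(f"{severity.upper():6} {username}: {message}")
```

On the constructed data the check reports asmith twice (still enabled eight days after termination, and a logon two days after it) and bjones once (enabled after a transfer, access review needed); cwu was disabled before the resignation date and produces nothing. In practice the HR export would be the authoritative personnel-action feed and the account export a directory or application dump; the point of scripting it is that the reconciliation can run on every export rather than once before an inspection.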
Training and Awareness. You need to understand the training requirements in the Awareness and Training family (3.2) of NIST SP 800-171: security awareness for every user of a system holding CUI, training tailored to those with assigned security responsibilities, and training in recognizing and reporting potential indicators of insider threat. You and your security team may be asked to deliver this training as part of onboarding, termination and the ongoing security awareness program.
Security Assessments. In addition to the self-inspections and security reviews required under the NISPOM, you need to understand what role you will play in the periodic risk assessments (3.11) and security control assessments (3.12) that NIST SP 800-171 requires.
The deadline for compliance with NIST SP 800-171 is fast approaching. Your role as an Industrial Security professional will likely change in one way or another. The key to successfully navigating this newest set of regulatory requirements is to understand how the program will be implemented at your company and what role you are being asked to play. Whatever that role turns out to be, it would be prudent to read the NIST SP 800-171 requirements now so you can make informed decisions.