What is Important to Know About NIST 800-171?

Adherence to security protocols is nothing new for people who work in federal cyber and data security circles. NIST SP 800-53 has been around for a while, and edition 5 is in the final official draught. The Federal Information Processing Standard (FIPS) Publication 200 control categories and the NIST SP 800-53 basic security control baseline served as the foundation for the security controls outlined in NIST 800-171, which are simpler to understand. The controls in SP 800-171 are focused on preserving CDI’s secrecy, but integrity and availability shouldn’t be disregarded as they are fundamental components of an information security program. Since these controls can be complicated to understand, DoD companies prefer hiring CMMC consulting firms.

Although NIST 800-171 only covers a portion of the standards outlined in NIST 800-53, it is a complicated process to comply with, particularly for small and medium-sized federal contractors. 110 security standards are outlined in NIST 800-171 over 14 control families. The following are some of the specifications that government vendors should pay close attention to since they demand more effort to comply with (either technically, procedurally or both):

Accountability and Audit (3.3.5 and 3.3.6): A crucial area of government control is auditing. The who, what, when and where of operations on an information system are revealed through audit events. The contractor (and the government) are essentially left in the dark when attempting to reconstruct events that transpired on the network in aid of an investigation without the inspection logs recording the activities happening on the information system. The correlation between the auditing process, assessment, and reporting processes is outlined in requirements 3.3.5 and 3.3.6, which also outline the necessity of audit reporting and reduction to allow on-demand analysis and reporting.

This goes beyond the conventional method of configuring the information system’s components to produce Syslog events and deliver them to a centralized Syslog server. The inspection and analysis procedure must make the substance of the audit logs known to the contractors. To facilitate “on-demand analysis,” specific activities of interest must be recognized, selected from the comprehensive audit information collection (reduced), and reported on. There are various technical ways to meet these criteria. Still, contractors shouldn’t undervalue the time it takes to comprehend the systems’ auditing capabilities, configure them properly, and create a baseline – all of which must be done before a technical execution can be implemented.

Multifactor authentication (MFA) for internal and network access is required by Identification and Authentication (3.5.3). There are numerous MFA options available, and it’s nice to know that neither a DOD Common Access Card (CAC) nor a Personal Identity Verification (PIV) from the federal government is necessary. MFA needs to be a well-integrated architectural solution for the system that communicates, analyzes, and retains CDI. Users already find passwords, and the complex regulations they must follow are frustrating. While adding another layer of authentication is vital, if it is not handled in a way that has minimal adverse effects on users, it may cause more user annoyance.

The requirement is for an “operational” incident handling capability, with “operational” denoting that the issue handling capability is functional and addresses every stage of the incident management process. Incident Response (3.6.1). A shelf-ware plan and set of procedures cannot support incident handling as a standalone program. CMMC compliance and cybersecurity incident handling is a specialist field that requires specialized knowledge and technical proficiency.

A group of people from administration down to those with the technical know-how to conduct forensics, solve the issue, and restore the system are also involved. To keep up with the constant changes in people and technology within a company, the plan must be periodically used (preferably quarterly). All employees of the incident management team must take part in an exercise at least once a year, even if it is not a lengthy or time-consuming occurrence.

Assessment of security (3.12.1 and 3.12.3): The system’s security controls must be “regularly assessed” and “monitored…on an ongoing basis” to make sure they remain functional. Put simply, start a regimen of ongoing observation. Constant monitoring necessitates active participation from organizational workers, including network and security administrators, just like incident response. Controls that address the system’s high-risk areas should be regularly monitored, while SP 800-171 is not prescriptive about which controls must be scanned or how frequently (e.g., at least monthly).

One instance is maintaining the security settings for information system components (see 3.4.2). Security configurations, such as system hardening, must be supported continuously and consistently. This is a useful control to automate as well. Automate as much of the program for continuous monitoring as you can.