NIST SP 800-171 Assessment Checklist
If you are preparing for your NIST 800-171 assessment, this checklist will help you organize your thoughts, understand CMMC scoring, and more. Download it for free today.
The National Institute of Standards and Technology (NIST) released NIST SP 800-171 in 2015. The primary objective was to ensure the protection of controlled unclassified information (CUI) in nonfederal agencies. A year later, DFARS (Defense Federal Acquisition Regulation Supplement) added the 252.204-7012 regulation, which mandated that any nonfederal agency handling or transmitting CUI had to safeguard that data as per the NIST guidelines.
From 2016 until the present, the standard has undergone a few different modifications. The next major revision, Revision 2 (r2), was released in 2020.
You probably know that if you work with the Department of Defense, NASA, or certain other federal and/or state agencies, you must be able to verify that your organization is properly handling CUI. If you are not NIST 800-171 compliant, certain contracts will be out of reach, meaning you could lose existing customers and also lose potential future customers. What exactly is involved in complying with NIST SP 800-171?
The NIST SP 800-171 requirement covers fourteen control families, 110 controls, and 320 objectives. While there is a lot to know, there are also tools and experts that will guide your organization from start to finish. In the interim, here is a quick review of what the fourteen control families require.
Access Control is the first family and it is also the biggest, with 22 controls in total. As the name suggests, these controls and objectives help to protect the confidentiality of CUI your organization stores or transmits.
The Awareness and Training family focuses on providing managers, employees, administrators, and anyone else who might come into contact with CUI with the training they need to be compliant. Most hacking events occur because of human error. The best preventive medicine is thorough, high-quality training. These controls and objectives concentrate on how organizations can ensure this training is taking place on a regular basis.
The Audit and Accountability segment includes nine controls. Independent and self-assessments are extremely important in the compliance process, and third-party assessments will become more important in the months and years to come. Companies must be able to prove through the audit process that they are complying and correcting any errors that have occurred.
The Configuration Management family also incorporates nine controls. In order to comply with NIST 800-171, an organization needs to ensure it has control over user-installed software as well as any other changes that might be made to the company’s systems.
There are eleven controls in the Identification and Authentication family. As the name suggests, these controls and objectives concentrate on any users and devices that will be accessing data.
It might be surprising that there are controls having to do with Incident Response. After all, NIST compliance is meant to ensure that there are no incidents where data breaches are concerned. Nonetheless, sometimes risks are detected, and sometimes emergencies happen. An organization needs to have a plan in place so that remediation can occur as soon as possible.
The Maintenance family is fairly straightforward. Organizations that handle CUI need to be perpetually vigilant. The assessment process assists with this, but even between assessments, there should be steps in place to make sure everything is as it should be.
The Media Protection family calls for the security of all system media that contains CUI, regardless of whether that media is paper or digital.
Often it is assumed that cybersecurity compliance would impact only the digital world. However, the Physical Protection family shows that the security requirements covered by this standard include physical safety as well. Hardware, software, and any other data storage equipment need to be protected by an organization that handles CUI.
Personnel Security is another straightforward control family. It requires protection for all employees, meaning any information pertaining to an employee’s personal details needs to be secured. This would include termination and transfer paperwork, onboarding information, and more.
Risk assessment controls in NIST 800-171 specify that all potential risks to IT and critical systems need to be assessed regularly.
A security assessment requires the regular review of security controls to determine how effective they are and what actions are needed to improve upon vulnerabilities.
The System and Communication Protection family is another large group of controls, 16 in this case. This is where monitoring and protecting information that flows through IT systems is outlined.
The final control family, System and Information Integrity, is not at all surprising. It requires organizations to protect data from malicious code. If issues are spotted, they need to be remediated as soon as possible.
After reviewing all of the families and only some of the controls, it is easy to tell that pursuing a CMMC certification can be a significant time investment for your organization. Why go through this process?
The most obvious reason to pursue compliance is it could be mandatory for your company. If you are a contractor or sub-contractor for the Federal Government, there is a strong likelihood you are receiving CUI you need to protect. Contractors with the DFARS 252.204-7012 clause in contracts have actually been mandated to comply with this standard since 2018.
While CMMC is geared toward protecting CUI, pursuing the certification and going through the continuous assessment process will increase the health of your organization. Essentially, your team will be implementing best practices in cybersecurity from the top to the bottom.
There is never a good time for a cyberattack or a data breach, especially if you handle CUI. The immediate repercussions can be devastating enough. Once a company undergoes an incident, it is extremely difficult to regain trust from partners, customers, and vendors. With a CMMC (NIST 800-171) certification in place, an organization can feel confident that most vulnerabilities have been identified and addressed. They also know that if an incident does occur, they will be able to fix the issue quickly and effectively.
NIST 800-171 requires an organization to have a crisis plan in place, whether a vulnerability has been spotted or whether an actual ransomware attack or data breach has occurred. Everyone in the organization, and everyone with whom the organization works, will have confidence that should an issue occur, it will be dealt with in the most efficient way possible.
If you are not CMMC-certified and your organization experiences a cyberattack or a data breach, you will not only have to deal with that actual issue. Without the certification, your company can be found liable for any damages your clients experience as a result of the incident. Moreover, if your organization has handled federal CUI, the government can also fine your business. All of this adds up to a lot of financial impact to handle on top of the cost of getting your business back up to working speed. The benefits of going through the certification process seem clear when viewed through this prism.
If you are a manufacturer seeking CMMC/NIST compliance, our CMMC for Manufacturers page offers more resources and FAQs.
If you are seeking a CMMC Third-Party Assessor Organization (C3PAO), working with our experts will be the best choice for you. Smithers focuses on relationships, not transactions. With that in mind, you will experience consideration of your time and budget, reliable service, continuous assessments, and the highest standards of performance. To learn more about the certifications we offer or what is the best next step for you, schedule a 30-minute meeting with our cybersecurity experts today.