Clicky

NIST 800-171 Compliance Checklist: Tutorial & Best Practices - Device42

NIST 800-171 Compliance Checklist: Protecting Controlled Unclassified Information (CUI)

The National Institute of Standards and Technology (NIST) produces security standards, practical guides, reports, whitepapers, and bulletins. These currently add up to around 600 publications open to the public. Initially US-focused, NIST standards are now widely used internationally.

The NIST Cybersecurity Framework (CSF), in particular, is a milestone standard that crosses borders and industries. Various other standards stem from this framework, including the NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which is currently in its third revision.

Quick questions and answers

What is NIST SP 800-171 about?

SP 800-171 is about protecting controlled unclassified information (CUI) while it is being accessed, processed, transferred, stored, archived, and disposed of. CUI is the only type of information in the scope of the NIST SP 800-171 standard.

What is controlled unclassified information (CUI)?

CUI is an umbrella term encompassing many different information labels that indicate information that is not classified but should be protected. In other words, it covers any information that law, regulation, or government policy requires to have safeguards. Some examples are personally identifiable information (PII), proprietary business information (PBI), unclassified controlled technical information (UCTI), and law enforcement sensitive (LES) information.

Who should seek compliance with NIST SP 800-171?

Any agencies or companies that have contractual arrangements with US federal agencies and process their CUI need to be concerned about compliance.

What are the requirements of NIST SP 800-171?

There are 17 “families” of requirements to protect the confidentiality and, to some extent, integrity of CUI in nonfederal systems and organizations. These requirements contain detailed guidance and additional observations or recommendations for each.

NIST SP 800-171 logo (source)

NIST SP 800-171 logo (source)

NIST 800-171 Compliance checklist

Now that we have gone through some key facts on NIST SP 800-171, let’s make this 100+ pager standard easy to grasp with the summary table below.

Control family* Requirement Checkbox
3.1 Access Control Account management
Access enforcement
Flow enforcement
Separation of duties
Least privilege
Least privilege—privileged accounts
Least privilege— privileged functions
Unsuccessful login attempts
System use notification
Device lock
Session termination
Remote access
Wireless access
Access control for mobile devices
Use of external systems
External systems—limits and restrictions on authorized use
Publicly accessible content
Account management—inactivity logout
3.2 Awareness and Training Literacy training and awareness
Role-based training
Advanced literacy training
3.3 Audit and Accountability Event logging
Audit record content
Audit record generation
Response to audit logging process failures
Audit record review, analysis, and reporting
Audit record reduction and report generation
Time stamps
Protection of audit information
Audit information access
3.4 Configuration Management Baseline configuration
Configuration settings
Configuration change control
Impact analyses
Access restrictions for change
Least functionality
Authorized software—allowed by exception
User-installed software
System component inventory
Information location
System and component configuration for high-risk areas
3.5 Identification and Authentication User identification, authentication, and reauthentication
Device identification and authentication
Multi-factor authentication
Replay-resistant authentication
Identifier management
Password management
Authentication feedback
Authenticator management
3.6 Incident Response Incident response plan and handling
Incident monitoring, reporting, and response assistance
Incident response testing
Incident response training
3.7 Maintenance Maintenance tools
Nonlocal maintenance
Maintenance personnel
3.8 Media Protection Media storage
Media access
Media sanitization
Media marking
Media transport
Media use
System backup—cryptographic protection
3.9 Personnel Security Personnel screening
Personnel termination and transfer
External personnel security
3.10 Physical Protection Physical access authorizations
Monitoring physical access
Alternate work site
Physical access control
Access control for transmission and output devices
3.11 Risk Assessment Risk assessment
Vulnerability monitoring and scanning
Risk response
3.12 Security Assessment and Monitoring Control assessments
Plan of action and milestones
Continuous monitoring
Independent assessment
Information exchange
Internal system connections
3.13 System and Communication Protection Boundary protection
Separation of system and user functionality
Information in shared system resources
Network communications—deny by default, allow by exception
Split tunneling
Transmission and storage confidentiality
Network disconnect
Cryptographic key establishment and management
Cryptographic protection
Collaborative computing devices and applications
Mobile code
Session authenticity
Internal network communications traffic
System access points
3.14 System and Information Integrity Flaw remediation
Malicious code protection
Security alerts, advisories, and directives
System monitoring
Spam protection
3.15 Planning Policy and procedures
System security plan
Rules of behavior
3.16 System and Services Acquisition Security engineering principles
Unsupported system components
External system services
3.17 Supply Chain Risk Management Supply chain risk management plan
Acquisition strategies, tools, and methods
Supply chain controls and processes
Component disposal

 

* Please note that, at the time of writing, NIST 800-171 is in its third revision, which is open to the public. In this revision, these 17 control families are proposed for approval. This is an expansion from version 2, yet to be retired, which lays out 14 control families.

Explanations

While a summary of what each control entails is given below, the full control descriptions can be read directly in the NIST SP800-171, available for free on the NIST official website.

3.1 Access Control

Undoubtedly the most comprehensive control family, access control lies at the core of any security efforts to protect information, CUI in this case. NIST 800-171 requirements for access control include:

  • Principles, e.g., “separation of duties” and “least privilege”
  • Processes, e.g., account provisioning, maintenance, and disabling; granting associated access rights; and remote access rules
  • System policies, e.g., controlling the flow of CUI between systems, limiting login attempts, session timeouts, and enforcing device locks

Additionally, one key requirement in this group is that the public not have access to CUI. Therefore, any information intended for public release should be reviewed and any CUI removed.

3.2 Awareness and Training

As part of any security program, awareness and training activities are required to educate employees on information security risks they can encounter while performing business activities and on the expected actions from their side. The program should include awareness for new team members, job-related security training, and continuous education for all staff. CUI protection must be part of the awareness program.

3.3 Audit and Accountability

Systems used by the company, and especially software that processes CUI, should enable activity logging and monitoring. All event logs must be tied back to a single entity—whether a human or a system—and timestamps should be attached to them. Monitoring, alerting, and reviewing sensitive actions are part of this category.

3.4 Configuration Management

All systems and their components need a baseline configuration that reflects the company’s IT architecture. Configuration parameters should default to the most secure settings (e.g., the minimum functionality needed), and they should be updated in line with the evolution of the company’s landscape and external threats.

3.5 Identification and Authentication

Arguably a part of access control (category 3.1), identification and authentication refer to the collection of procedures and system-enforced controls to access the company’s environment and its systems. These controls apply to requests coming from users to devices, systems, and networks as well as to requests between the systems themselves. Measures here can include multi-factor authentication (MFA), especially for systems that process CUI; replay-resistant techniques, such as challenge/response authenticators; password standards; and cryptography or biometrics authenticators.

3.6 Incident Response

The company must have a documented incident response plan that deals with cybersecurity incidents, which should be tested periodically through walkthroughs and incident simulations. Capabilities for incident response must be defined, whether they are internal, external, or a combination of both. These capabilities must include detection, analysis, containment, eradication, and recovery.

3.7 Maintenance

It is necessary to conduct hardware and software maintenance both routinely and upon a system malfunction. Maintenance tools and personnel should be approved, controlled, and monitored. One other important requirement here is to prevent the removal of equipment containing CUI from the premises for maintenance purposes.

3.8 Media Protection

Media containing CUI should be physically controlled and securely transported and stored. Media containing CUI must also be marked appropriately to indicate distribution and handling limitations. The data should be disposed of when no longer required by using approved sanitization or destruction methods to prevent any CUI data remanence.

3.9 Personnel Security

Processes must be in place for performing personnel background checks before allowing access to systems. Upon termination, access should be revoked immediately, and all security-related system property (e.g., access tokens and badges) retrieved by the organization. External contractors (such as outsourced developers) must comply with the security policies established by the organization.

3.10 Physical Protection

The premises and information processing facilities must be accessed only by authorized personnel. Access should be controlled with individual and auditable access badges. CCTV, intrusion monitoring, and/or human guards may be deployed to manage physical security. All visitors to non-public areas of the company must be authorized and escorted.

3.11 Risk Assessment

Following the classical steps of a risk assessment—identifying threats and vulnerabilities, determining risks, and responding to risks—NIST 800-171 requires companies to focus on unauthorized access and disclosure related to CUI processing, transmission, and storage. The risk response should reduce risks to an acceptable level determined by the company’s risk framework.

Information gathered by Device42’s discovery, asset management, and dependency mapping capabilities can be used to assist in conducting complete risk assessments.

3.12 Security Assessment and Monitoring

This control family refers to examinations of the security control environment through a variety of means. Control testing is a type of internal assessment that verifies the implementation and effective operation of safeguards. Audits are systematic assessments that ensure independent verification. Self-identified issues that stem from regular day-to-day activities must also be registered and treated.

3.13 System and Communication Protection

A combination of preventive, detective, and corrective system and network controls must be implemented to protect CUI data from unauthorized access, disclosure, alteration, or loss. NIST 800-171 requires, among other things, secure architecture principles (such as “default deny,” “least privilege,” and “zero trust”), data encryption during transmission, separation of environments (development, testing, acceptance, and production), network segregation, and session authentication and inactivity controls. Controls must be applied across the environment, whether on-premises, in the cloud, or a mix of the two.

System and communication protection (source)

System and communication protection (source)

3.14 System and Information Integrity

System flaws identified through regular assessments (such as vulnerability scans), as a result of incidents, or by receiving third-party security advisories should be remediated as soon as possible through patching, hotfixes, and antivirus signature updates. Systems should be designed to prevent malicious code execution, and protection mechanisms, such as spam filtering, should be implemented on servers and endpoints. Finally, all systems should be monitored through a combination of security tools and capabilities.

3.15 Planning

Though it may seem surprising to find “planning” at this point in the list, this section indicates the need for defining security requirements through policies, controls, and training on acceptable use. Requirements should address the handling of CUI, either through dedicated policies and procedures or specific sections.

3.16 System and Services Acquisition

Many times, you may decide that acquiring a system makes more sense than developing it internally. Acquired software needs to meet security engineering principles and provide assurance that it has security embedded in its design, which will help you avoid introducing vulnerabilities into your environment. Acquired software should always be upgraded to the latest versions, supported, and patched immediately in case of discovered exploits.

3.17 Supply Chain Risk Management

One of today’s most prevalent attack vectors is the supply chain. Weaknesses in a vendor’s application can expose your data if security safeguards don’t meet your internal IT standards. Make sure you formulate security requirements for your third parties early in the engagement process, set service expectations, include exit strategies, and monitor compliance through assurance reports and regular reviews.

How to achieve NIST 800-171 compliance

Now you understand what NIST SP800-171 is focused on and have the checklist of requirements that need to be met. What’s next?

The ideal sequence of implementation steps is not implied by the order of items in the checklist. For example, it would be counterintuitive to start implementing system measures for access control (part of the first family, 3.1) before defining policies and procedures (covered in 3.15).

It is recommended to start building your security framework by looking at the current context of your company. Here are 10 steps you can take to prepare for NIST 800-171 compliance:

  1. Start with management engagement and commitment to information security.
  2. Identify how, where, and when you process CUI, so you can define your scope and boundaries. Device42 provides comprehensive IT asset management, enabling you to have an inventory that is always audit-ready.
  3. Build relevant policies—such as a corporate information security policy, asset management policy, secure development policy, etc.—that include requirements for processing CUI.
  4. Run a self-assessment of your security posture to identify threats, vulnerabilities, and the impact of potential risks.
  5. Treat risks and close gaps by implementing all 800-171 requirements applicable to your environment.
  6. Define lower-level documents: operational procedures, baselines, and guidelines.
  7. Train people on the acceptable use of information assets, especially those that process CUI.
  8. Test processes periodically to assess whether controls continue to be adequate.
  9. Identify control failures and plan for remediation.
  10. Continue to monitor and improve your security measures.
The world’s most sophisticated asset discovery and mapping tool for compliance and audit

Learn More

Fastest time to value with easy implementation

Discover assets automatically including hardware, software, and cloud infrastructure

Integrated cost, security certificate

Uncover and update application mapping dependencies using algorithms

Broadest coverage of every legacy OS

Meet your compliance and audit requirements comprehensively and confidently

Key points and summary 

NIST 800-171 is not one of the most popular standards, as it narrowly focuses on a specific scope: protecting controlled unclassified information (CUI). However, if your company has any contractual arrangements with federal agencies, you will likely have to implement the requirements it details.

Revision 3 increases the number of control families from 14 to 17, collectively accounting for 109 requirements. These are listed in the NIST 800-171 compliance checklist. These controls range from system security safeguards to security controls for processes and measures for improving personnel security behavior.

End-to-end compliance with NIST 800-171, or any standard for that matter, requires a strategic approach that starts with top-down engagement and continues with self-assessments, policy and process improvement, control implementation, employee awareness, and, finally, continuous improvement of the security posture.

NIST 800-171 compliance starts with identifying where CUI is being processed across your environment. Device42 makes information asset discovery, inventory, and dependency mapping easy. Real-time dashboards of your systems, tools, versions, status, and other critical information help you avoid blind spots in your efforts to secure sensitive data.

Like this article?

Subscribe to our LinkedIn Newsletter to receive more educational content

Subscribe now