On December 31, 2017, all businesses that work with the DoD were required to be in compliance with NIST 800-171. So, what is the NIST 800-171 standard?
What is NIST 800-171?
The NIST (National Institute of Standards and Technology) 800-171 standard relates to secure file sharing and information governance. To put this standard into the simplest of terms, it covers how you store, access, exchange, and govern sensitive (but unclassified) information with the DoD. Information under NIST 800-171 can be broken into two distinct types, Controlled Technical Information (CTI) and Controlled Unclassified Information (CUI). So, how can a firm ensure it is in compliance with NIST 800-171?
How Can a Contractor Demonstrate Compliance With NIST 800-171?
There are several steps that a business can take to ensure NIST 800-171 compliance. When evaluating compliance, it is essential to locate and categorize information. Once an organization conducts an evaluation, the organization must then put a limit on information access and ensure a monitoring system is in place to guard against unauthorized access.
Compliance Step #1: Locate systems in your network that contain CTI/CUI. Businesses need to review all locations where CTI/CUI may be stored. This includes central file shares, endpoints, mail servers and any system where files may have been shared, stored or transferred.
Compliance Step #2: Categorize files and separate out CTI/CUI information. The NIST 800-171 regulation outlines the various categories of CTI/CUI information that must be categorized and labeled accordingly. Due to the wide-ranging nature of CTI/CUI data, there are many different categories that must be used. These categories are described in detail on the National Archives website.
Compliance Step #3: Limit access to CTI/CUI data to only personnel who are authorized to use such information. This also includes limiting access based on the type of CTI/CUI data as categorized in step #2. For example, an employee who requires access to sensitive financial data would not necessarily require access to sensitive critical infrastructure data, and these types of access must be segregated.
Compliance Step #4: Monitor all systems that have CTI/CUI information on them. Also, keep a log of who accesses the systems and when. This can be done with simple file access monitoring available in most software platforms. However, businesses must ensure the logs are accurate, complete and preserved for a sufficient duration. Additionally, this monitoring requirement must ensure the information cannot be accessed through the use of “shared” or “non-attributed” accounts, as access logs would not be useful in such cases.
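Steps #3 and #4 can be checked mechanically against a file access log. The Python below is an added example, not part of the original article or any Entrust Solutions tooling; the log format, account names, category-to-user map and 90-day retention figure are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical policy: which named users may read which CUI category (Step #3).
AUTHORIZED = {
    "financial": {"alice"},
    "critical-infrastructure": {"bob"},
}
# Hypothetical accounts that are not tied to one person (Step #4).
SHARED_ACCOUNTS = {"admin", "shared", "guest", "svc-files"}
# Assumed retention target; the article only says "a sufficient duration".
RETENTION = timedelta(days=90)

# Constructed sample log: timestamp, account, CUI category label, file path.
SAMPLE_LOG = """\
2024-01-02T09:15:00 alice financial /cui/fin/budget.xlsx
2024-02-10T14:02:11 alice critical-infrastructure /cui/ci/grid-map.pdf
2024-03-05T08:40:27 shared financial /cui/fin/payroll.csv
2024-03-20T17:30:00 bob critical-infrastructure /cui/ci/grid-map.pdf
malformed line
"""

def audit(log_text, now):
    """Return (line_number, finding) pairs; line 0 marks a log-wide finding."""
    findings = []
    oldest = None
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(maxsplit=3)
        try:
            ts = datetime.fromisoformat(parts[0])
            user, category, path = parts[1], parts[2], parts[3]
        except (ValueError, IndexError):
            findings.append((n, "unparseable"))  # log is not complete/accurate
            continue
        oldest = ts if oldest is None else min(oldest, ts)
        if user.lower() in SHARED_ACCOUNTS:
            # Access cannot be attributed to a person, so the record is useless.
            findings.append((n, "shared-account"))
        elif user not in AUTHORIZED.get(category, set()):
            # Named user, but not cleared for this category of CUI.
            findings.append((n, "unauthorized-category"))
    # Preserved history must reach back at least RETENTION from 'now'.
    if oldest is None or now - oldest < RETENTION:
        findings.append((0, "retention-gap"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, datetime(2024, 4, 15)):
        print(finding)
```

On a newly deployed system the retention finding is expected until enough history accumulates, so treat it as a prompt to confirm that older logs were archived rather than lost.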
Partner with Entrust Solutions Today
For businesses that partner with the DoD, it is vital to be compliant with NIST 800-171 to continue to work on DoD projects. By going through the simple process outlined above, a business can guarantee compliance with NIST 800-171 and demonstrate it in the event of an audit.
If you are a business operating within the DoD contracting community and have concerns regarding your compliance with NIST 800-171, it is time to contact the security experts at Entrust Solutions. At Entrust Solutions, we provide premier security consulting services that aid businesses with their security compliance.