How to Get Started with NIST 800-171 Compliance

What is NIST 800-171? [5:05]

The National Institute of Standards and Technology (NIST) issued Special Publication 800-171 to protect controlled unclassified information (CUI) in nonfederal systems. CUI is information which is not classified, but by law either the data must be secured or access to the data must be controlled.   

The basic premise of NIST 800-171 is this: CUI is extremely valuable. If CUI is compromised in any way, whether a federal or nonfederal organization is handling that data, the impact will be just as severe. That’s why steps to protect CUI need to be consistent between federal and nonfederal systems. Any cyber incidents must be reported—whether data was compromised or not.  

The NIST 800-171 guidelines have 14 categories taken from the Federal Information Processing Standards (FIPS) 200 and the moderate security control baseline of NIST Publication 800-53.

Who is required to comply with NIST 800-171?  [9:36]

If you are working on behalf of a U.S. federal agency, are a contractor, or supply services to the government, you need to apply the NIST 800-171 controls to any of your information systems that store, process, or transmit CUI. Additionally, if you’re gathering or maintaining data directly for a government agency, you’ll need to fulfill the full FISMA and NIST requirements—beyond NIST 800-171.

Failure to comply with NIST 800-0171 means you can’t do contracts with the U.S. government.

How do I comply with NIST 800-171? [12:06]

The current deadline to comply with NIST 800-171 is December 31, 2017. While NIST 800-171 includes detailed requirements, the regulation doesn’t dictate how those requirements should be met. The good news is that you’re free to satisfy those requirements however you want to: using software, professional services, or a mix of both.

Because there’s no blueprint for NIST compliance success, organizations will be learning as they go. While there aren’t many “lessons learned” out there from organizations who have already achieved NIST compliance, here’s some advice to consider:  

• Understand the requirements. This free NIST 800-171 guide and compliance checklist may be a helpful place to start.
• Start small. Seek validation that you’re doing what is required. Then, as you see success, expand your program and grow.
• Know the CUI registry. Explore the CUI registry to see how they’re tagging information so you can follow their lead.
• Implement a team. Identify a small group of stakeholders who can help you get the program off the ground. Make sure to include your chief security officer and general counsel, too.
• Document everything. Document as you go so you have records of everything and how it’s working.

What kinds of software and solutions can help? [16:10]

Find a vendor who can help you with NIST 800-171’s multi-faceted requirements. At Fortra we offer a full portfolio of IT and security solutions that can help with evolving compliance requirements.

Jump into the webinar about 17 minutes in to learn about how our solutions can help with NIST compliance.

For a limited time, we’re also offering 30-minute NIST compliance audits with our technical solutions team. We’ll ask a few questions about any steps you’ve already taken towards NIST compliance, and then we’ll share our recommendations to move forward. Request your audit here >