NIST 800-171 Regulation: How It Affects IT Professionals

Putting the NIST 800-171 Regulation in Context

Today the federal government relies extensively on external contractors and service providers to perform a wide variety of missions and federal business functions. Federal contractors routinely possess and process sensitive information in their systems to deliver the products and services federal agencies require. Information may also be passed from one nonfederal organization to another, such as sharing information with state and local governments or research universities.

From hosting email servers and websites to developing the next generation of equipment for our war fighters, protecting the federal government’s data is critical to the success with which the federal government can carry out its essential functions.

With cybercrime and data breaches continuing to grow, standardization of the methods utilized to protect Controlled Unclassified Information (CUI) were needed. National Institute of Standards and Technology (NIST) Special Publication 800-171 focuses on protecting the confidentiality of CUI in nonfederal systems. CUI is information which is not classified, but according to a law, regulation or government policy, must be protected—or have access controlled. The CUI program addresses many issues, including consistency in marking and identifying CUI, proper safeguarding of the information, and too many restrictions on the availability of certain data.

NIST SP 800-171 re-enforces the point that CUI has the same value and (if compromised) the same impact, regardless of whether the information is handled by a federal or nonfederal organization. Therefore, the security requirements for protecting CUI were developed with the following assumptions:

Statutory and regulatory requirements for the protection of controlled unclassified information (CUI) are consistent for both federal and nonfederal systems.
Steps taken to protect CUI are consistent between federal and nonfederal systems.
The confidentiality impact value for CUI is no less than moderate.

The requirements are derived from Federal Information Processing Standards (FIPS) Publication 200 and the moderate security control baseline of NIST Publication 800-53 (The moderate security control baseline must be used due to the confidentiality impact value of moderate). These requirements have been proven over time to provide an effective means of protecting the confidentiality of federal information and systems. The requirements have been tailored specifically for nonfederal systems and organizations to minimize adverse consequences while allowing them to comply with statutory regulations and consistently implement the required safeguards for protecting CUI. This is not intended to dilute the security requirements but to express them in a manner that allows for and facilitates the application of equivalent safeguarding measures in nonfederal organizations.

Key Provisions of NIST Special Publication 800-171

NIST 800-171 contains fourteen groupings (referred to as “families”) of basic security requirements obtained from FIPS Publication 200. FIPS 200 provides high-level fundamental security requirements for federal information and systems. These families are defined as follows:

Security Families
Access Control	Media Protection
Awareness and Training	Personnel Security
Auditing and Accountability	Physical Protection
Configuration Management	Risk Assessment
Identification and Authentication	Security Assessment
Incident Response	System and Communications Policy
Maintenance	System and Information Integrity

Each of these fourteen families may contain one or more derived security requirements taken from the controls in NIST Publication 800-53 which supplement the basic security requirements.

The requirements and controls have been tailored to eliminate:

Unique federal government items (i.e. primarily the responsibility of the government)
Items not directly related to protecting the confidentiality of CUI
Controls expected to be routinely satisfied in the normal course of an organization’s business

Two points to note:

While NIST SP 800-171 recommends specific security requirements meant to protect CUI residing in these nonfederal systems, it does not alter any Federal Information Security Management Act (FISMA) or NIST security requirements or guidelines that apply to federal agencies.
A distinction is made between nonfederal organizations that are processing information or operating systems not on the behalf of federal agencies and those that are working on the government’s behalf. Nonfederal agencies collecting data, maintaining data, using systems or operating systems on behalf of a federal agency must comply with FISMA including FIPS Publication 200 and the security controls in NIST Publication 800-53.

Implementing NIST Special Publication 800-171

SP 800-171 does not dictate exactly how the security requirements are to be met. Organizations have the freedom to implement the requirements using software, services or managed services or to implement compensating controls—if the requirement is satisfied.

Once the organization determines how each security family will be addressed, it should create a system security plan which describes how the specified security requirements have been met, or how they are planned to be met. The system security plan should specify system boundaries, operational environments, how the requirements are implemented, and relationships with other systems. In addition, nonfederal organizations should develop a Plan of Actions & Milestones (POA&M) to detail how unfulfilled security requirements and compensating controls will be implemented.

The following section provides a checklist to assist with the implementation of NIST 800-171.

NIST 800-171 Compliance Checklist

Find out what each requirement of NIST 800-171 means and how Fortra solutions can help you comply in the table below or by downloading the checklist.

Requirement	What It Means
Access Control	Limit system access to only authorized users and the processes acting on the behalf of authorized users. Limit system access to the types of transactions and functions that authorized users are permitted to execute. Limitations should include: Controlling the flow of data through the organization Separating the duties of individuals to minimize the risks of malevolent activities Employing the concept of least privileges Using non-privileged accounts for non-security functions Limiting unsuccessful logins Monitoring remote connections How Fortra can assist: Use Powertech Security Auditor to audit and document the compliance of organizational computer systems and fix non-compliant items. Ad-hoc and scheduled reports provide actionable data to meet regulatory requirements. Automate workflows eliminate errors and provide consistency for internal process such as user provisioning, data processing, and systems management. The Fortra Security Services team can architect and implement compensating controls and perform remediation tasks. With Powertech Identity & Access Manager (BoKS), you can default to least privilege to close security gaps through a centrally managed security domain. Use Powertech Event Manager to monitor user activities including unsuccessful login attempts, remote connections and non-privileged use.
Awareness and Training	Ensure managers, system administrators, and users of an organization’s IT assets are made aware of the security risks associated with their activities. Ensure that organizational personnel are adequately trained to carry out their information security-related duties including providing security awareness training on potential indicators of threats. How Fortra can assist: With live, in-person training, and informative webinars, our security experts can help your team stay on top of changing cybersecurity trends. Alternatively, you can use Fortra Managed Security Services to supplement your staff and ensure your systems remain under the watchful eye of skilled resources.
Audit and Accountability	Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity. Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. This includes: Alerting in the event of an audit process failure Providing audit reduction and report generation to support on demand audit analysis and reporting Protecting audit information from unauthorized access Ensuring time synchronization is active How Fortra can assist: Monitor the status of processes and services like AUDIT and NTP with Powertech Security Auditor ensuring that they are actively working. Automate monitors and processes the audit files ensuring that auditing information is being recorded appropriately. It also alerts you to anomalies for follow up by security personnel. Powertech Compliance Monitor for IBM i provides comprehensive IBM i audit journal reporting and retention. Tripwire Enterprise provides change monitoring and automates compliance evidence of configuration and file changes. Webdocs automatically archives and stores your audit reports. Centralize log streams from operating systems, network devices, and other applications using Powertech Event Manager. Event Manager normalizes disparate data sources and provides alerts for security events. Capture detailed audit records for file transfer activity using GoAnywhere MFT. Automatically consolidate user activity logs and produce compliance-specific reports with Powertech Identity & Access Manager (BoKS).
Configuration Management	Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Establish and enforce security configuration settings for information technology products employed in organizational systems. This includes ensuring that you can: Track, review, approve, disapprove, and audit all changes to organizational systems Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services Analyze the security impact of changes before making them How Fortra can assist: Leverage Tripwire Enterprise for continuous configuration monitoring to maintain a secure baseline and alert security teams of non-compliant systems and misconfigurations. Use Automate to manage the lifecycle of the change control process. Gain visibility and control of data flows, open ports, and unauthorized network devices that can compromise system security with Intermapper. Ensure only authorized software is active and enabled with whitelist/blacklist functionality that Powertech Security Auditor provides. Security Auditor also monitors critical configuration files, alerting an organization to any unauthorized alterations. Protect system software and file storage using Powertech Antivirus preventing malicious activity and ransomware exploits. Managed Security Services monitors an organization’s systems and provides monthly reporting and remediation assistance for security compliance issues. Use Powertech Identity & Access Manager (BoKS) to auto-import from asset management systems and activate known and authorized system, server, and virtual machine images. Automatically attach the correct access management security policies based on the defined host type(s) from known user roles and job functions. Use Powertech Event Manager to detect security events in real-time from multiple data sources in a centralized response platform.
Identification and Authentication	Identify system users or processes acting on behalf of users or devices. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational systems. This includes the ability to: Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts Prevent reuse of identifiers for a defined period Prohibit password reuse for a defined number of generations Enforce minimum password complexity rules How Fortra can assist: Secure system access using Powertech Multi-Factor Authentication or Powertech RSA SecurID Agent for IBM i integration to provide multi-factor authentication. Audit and report on password compliance across the organization with Powertech Security Auditor. Use Automate to onboard and provision users in a secure and managed fashion compliant with organizational policies. When users leave the organization, ensure a clean and consistent exit process with Automate tasks and workflows. Use Powertech Identity & Access Manager (BoKS) to match and populate the correct users in your corporate databases with define user accounts. Easily audit and report on user activities using Powertech Event Manager.
Incident Response	Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization. This includes testing the organizational incident response policy. How Fortra can assist: Incorporating software and services from Fortra into the incident response process provides faster and more consistent responses to operational threats. The Security Services team can perform Risk Assessments and POA&M guidance. Use Powertech Identity & Access Manager (BoKS) to accept authorized API-based configuration changes to lock down systems or user accounts tagged as misused or at risk.
Maintenance	Perform maintenance on organizational systems. Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance, including: Sanitizing equipment when it is taken off-site for maintenance or disposal Checking media containing diagnostics and test programs for malicious code before using it in the organization Requiring multi-factor authentication to establish non-local maintenance sessions Supervising the activities of maintenance personnel How Fortra can assist: Collect and report on maintenance activities with Automate tasks. Prevent malicious code from entering the organization with Powertech Antivirus. Use Powertech Multi-Factor Authentication or Powertech RSA SecurID Agent for IBM i for multifactor authentication sessions. Use Powertech Identity & Access Manager (BoKS) to ensure only authorized users carry out maintenance activities. Require MFA authorization and keystroke logging to gain full visibility.
Media Protection	Protect (e.g. physically control and securely store) system media containing CUI, both paper and digital. Limit access to CUI on system media to authorized users. Sanitize or destroy system media containing CUI before disposal or release for reuse, including: Marking media with necessary CUI markings and distribution guidelines Controlling the use of removable media Prohibiting the use of portable storage when the devices have no identifiable owner Controlling access to media containing CUI and maintain accountability during transport How Fortra can assist: Use Automate tasks and workflows to process and track media as it moves throughout the organization. Robot Save and BRMS protect and track media backups for IBM I systems. Robot HA and Power HA eliminate the need for physical backups by replicating data offsite for real time data redundancy and the use of VTL for electronic backups offsite. Use GoAnywhere MFT to securely retrieve and compile information from media devices.
Personnel Security	Screen individuals prior to authorizing access to organizational systems containing CUI. Ensure that CUI and organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. Fortra can assist: Use Automate to onboard and provision users in a secure and managed fashion compliant with organizational policies. When users leave the organization, Automate ensures a clean and consistent exit process. Protect the integrity of organizational systems with Powertech Security Auditor and Powertech Event Manager. Use Powertech Identity & Access Manager (BoKS) to automatically provision and de-provision users to better secure your environment and help mitigate risks.
Physical Protection	Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. Protect and monitor the physical facility and support infrastructure for organizational systems, including: Escorting visitors and monitor visitor activity Maintaining audit logs of physical access Enforcing safeguarding measures for CUI How Fortra can assist: Use Powertech Identity & Access Manager (BoKS) to define location based access controls, using different credentials at different locations. Protect critical CUI data with Automate, Intermapper and Powertech Security Auditor.
Risk Assessment	Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. This includes ensuring that you can: Scan for vulnerabilities in systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified Remediate vulnerabilities in association with their level of risk How Fortra can assist: Scan systems and applications with Powertech Antivirus. Fortra Security Services team can perform penetration testing, risk assessments, and remediation and POA&M services. Find and prioritize security vulnerabilities with a free Fortra Security Scan.
Systems and Communications Protection	Monitor, control, and protect communications (i.e. information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. This includes: Separating user functionality from system management functionality Denying network communication traffic by default and allow network traffic by exception only Terminating network connections associated with communication sessions at the end of the session or after a period of inactivity Implementing subnetworks for publicly accessible system components that are physically or logically separated from internal networks Encrypting CUI data in transit and at rest How Fortra can assist: Document and assess security controls with Powertech Security Auditor. Use Intermapper to monitor and control the information flow on connected network devices. Use Powertech Exit Point Manager for IBM i to control CUI leaving IBM i partitions. Secure data in transit with GoAnywhere and encrypt IBM i data at rest with Powertech Encryption for IBM i. Use the Security Services team to implement software, remediate deficiencies, and develop POA&Ms. Use Powertech Identity & Access Manager (BoKS) to build a role-based access management security policy that is consistent across your cloud infrastructure. Centrally define which specific network access protocols are supported and ban insecure protocols. Centralize log streams from operating systems, network devices, and other applications using Powertech Event Manager. Event Manager normalizes disparate data sources and provides alerts for security events.
System and Information Integrity	Identify, report, and correct information and system flaws in a timely manner. Provide protection from malicious code at appropriate locations within organizational systems. Monitor system security alerts and advisories and take appropriate actions in response, such as: Updating malicious code protection mechanisms when new releases become available Performing periodic scans of organizational systems Monitoring organizational systems including inbound and outbound traffic to detect attacks and indicators of potential attacks Identifying unauthorized use of organizational systems How Fortra can assist: Protect systems from malicious code with Powertech Antivirus. Periodically scan and audit systems with Powertech Security Auditor and Fortra Security Scan and Risk Assessor for IBM i. Identify unauthorized or inadvertent file and system changes with Tripwire Enterprise. Protect systems from attack by monitoring inbound and outbound traffic with Intermapper. Identify misuse by mining actionable data from audits and logs using Automate tasks. Better secure your environment, increase incident reaction time, and help mitigate identity-related risks with Powertech Identity & Access Manager (BoKS). Use Powertech Event Manager to detect security events in real-time from multiple data sources in a centralized response platform.

→ Download the checklist ←

Take the Next Step

Take the next step toward NIST 800-171 compliance. Our IT and cybersecurity experts would love to talk to you to assess your current needs and help you find the right solution.

LEARN ABOUT INTERMAPPER

NIST 800-171 Cybersecurity Regulation: How It Affects IT Professionals Everywhere

Putting the NIST 800-171 Regulation in Context

Key Provisions of NIST Special Publication 800-171

Implementing NIST Special Publication 800-171

NIST 800-171 Compliance Checklist

→ Download the checklist ←

Take the Next Step

Contact Information

Privacy Policy

Cookie Policy

Impressum