How to Comply with NIST 800-171
Dr. Blake Curtis, Sc.D
Cybersecurity Governance Advisor | Research Scientist | CISSP, CISM, CISA, CRISC, CGEIT, CDPSE, COBIT, COSO | Top 25 Cybersecurity Leaders in 2024 | Speaker | Author | Editor | Licensed Skills Consultant | Educator
How to Comply with NIST 800-171 by Blake Curtis is licensed under a Creative Commons Attribution 4.0 International License. Based on a work at https://www.dhirubhai.net/in/reginaldblakecurtis/.
In short, you can do anything with this content as long as there is an attribution/link back and your modification is shared with the same or compatible license. Use this citation format: How to Comply with NIST 800-171. Blake Curtis, LinkedIn.
WHAT IS NIST?
The National Institute of Standards and Technology (NIST) is a U.S. Department of Commerce agency that publishes standards and guidance. Its Cybersecurity Framework (CSF) is a voluntary policy framework that the private sector can use to assess and improve its ability to treat various types of cyber-risk.
The Cybersecurity Framework starts from business drivers to improve an organization's risk management practices and to establish activities that reduce risk.
OK, SO... WHAT IS NIST 800-171?
NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is a special publication that defines the security requirements for nonfederal information systems that store, process, or transmit controlled unclassified information (CUI). Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires contractors to implement NIST 800-171 to meet its safeguarding requirements, so the publication affects any institution that handles CUI under a contract with the U.S. federal government. CUI is information the government creates or possesses that is not classified but still requires safeguarding or dissemination controls under applicable law, regulation, or government-wide policy. For further clarification, the government marks information at the following levels (the last three are the classification levels):
- Unclassified
- Confidential
- Secret
- Top Secret
Unclassified is a marking signifying that the government does not consider the information sensitive and that it may be shared with people who hold no security clearance, such as DoD contractors, private investigators, and researchers. CUI is the subset of unclassified information that still carries handling controls. The government applies the "Confidential" classification to information whose unauthorized disclosure could reasonably be expected to cause damage to national security. Unauthorized disclosure of "Secret" information could cause serious damage, and of "Top Secret" information exceptionally grave damage, to national security.
Differences Between Government & Business Classifications
Please note that government and business classifications differ significantly. What the government deems low-sensitivity and consumable by citizens could have a major impact on an organization, especially if the business classifies that same data as sensitive or critical, or if it provides the business with a competitive advantage. Data classification is the enterprise's ability to classify and prioritize business processes, data, and systems by considering their sensitivity and criticality (importance). For more information on data classifications and minimum security requirements, please reference "Using Data Classifications for Effective Decision Making" by Blake Curtis.
SO HOW DO I BECOME NIST 800-171 COMPLIANT?
Three Holistic Components
There are three holistic components we need to complete for a NIST 800-171 assessment: documentation, reviews, and the authorizing official's (project sponsor's) approval. However, completing these steps does not by itself make the program compliant. Your program needs to be independently assessed and verified by a third party that has no vested interest or bias in the completion or success of your project.
Your client organizations must be able to communicate the need for a compliant environment and engage its risk, compliance, and security teams to create documentation that substantiates their conformance to NIST 800-171. They must also demonstrate the employment of ongoing monitoring measures to assure continuous compliance. Subsequently, there are various levels of review that must be accomplished throughout the certification and accreditation process.
Documentation
There is a tremendous amount of documentation associated with any NIST 800-171 effort. For example, a complete assessment of one of my client organizations comprised just four systems and a virtualized file and print server, and it resulted in over 300 pages of documentation! So here's the scary part: this was only the pre-audit. A pre-audit is a readiness assessment that allows the business to ensure administrative, technical, and physical controls are appropriately documented. To become compliant, the client organization must also undergo a Security Assessment (certification and authorization) by an independent assessor. Necessary documentation includes but is not limited to:
- NIST 800-171 System Security Plan (SSP)
- NIST 800-171 Plan of Action & Milestones (POAM)
- NIST 800-171 Policies & Standards
- NIST 800-171 Response Procedures (SOPs)
- NIST 800-171 Evidence & Artifacts
- NIST 800-171 Network Diagram
- NIST 800-171 Compliance Log (compliance tracking mechanism)
For more information regarding the difference between policies and standards, and how to create a policy hierarchy to comply with various requirements please refer to "How to Create a Cybersecurity Policy Hierarchy" by Blake Curtis.
Reviews (Audit/Assess)
Once the business area has completed its required documents, your internal audit, risk & compliance departments will need to review each document to ensure the business unit’s evidence is relevant, reliable, and sufficient. I strongly suggest leveraging two independent internal parties to review each response to the 800-171 control objectives. The organization should ensure at least one party has hands-on experience in information technology and/or security to ensure risks are appropriately identified and mitigated.
To provide more clarity, please reference the suggested workflow:
1. The business unit populates the NIST response procedures (SOPs) and the NIST Evidence & Artifacts, then switches the response status to "Awaiting Internal Audit's Review" in the compliance log.
2. Internal Audit reviews the policy, standards, responses, and evidence and changes the status to "Awaiting IT Risk's Review" if no deviations are found.
Note: If the internal audit department has any reservations regarding the reliability, sufficiency, or relevance of the response, it provides the business unit with an audit opinion and a recommendation on how to better substantiate its claims.
3. The IT risk department reviews the responses and changes the status to "Awaiting Final Review" if no deviations are found.
Note: If the IT risk department has reservations regarding the evidence, policies, or procedures, it provides the business unit with its opinions and recommendations.
4. The Authorizing Official (sponsor) or a delegated authority (business unit manager) performs the final review and changes the status to "Approved".
Certification & Accreditation Process (Approval)
At the closure of the project, the final sign-off on the SSP is completed. The following is a suggested list of important roles that should be considered during this process.
1. Chief Information Security Officer - ensures the appropriate application of safeguards and countermeasures and ensures that policies reflect senior management's intent, direction, and objectives.
2. Director of Risk or Audit - certifies that controls exhibit both design and operational effectiveness and provides an audit opinion and conclusion of the operating environment.
3. Director of Client Organization - acts as the authorizing official or system owner depending on the organizational structure, and is responsible for ensuring risks are within an acceptable level and for approving the implementation based on an established set of specifications and controls.
Once the SSP is approved, the business unit can proceed to the next steps such as signing the contract or agreement, initiating personnel training and beginning the work. It is important to note these next steps are contingent on SSP approval.
7 STEPS TO NIST 800-171 COMPLIANCE
[Image: 7 Steps to NIST 800-171 Compliance by Blake Curtis; see the references]
SO...IS THAT ALL?...OF COURSE NOT
Certifying Your Compliance Program
Please note that the 7 steps are just the minimum requirements needed to establish an effective compliance program. There are 14 control families and a total of 110 security requirements. Each security requirement must be supported by policy, standards, and evidence, and must have a strong balance of control types, classes, and implementations. For example, each control or set of controls must be able to:
- Detect, Prevent, & Correct
be implemented as:
- Administrative, Technical, and Physical
and evaluated based on its
- Automated vs Manual implementation
For more information on Control Effectiveness & Control Diversity, please reference "If You Think Auditing is Boring, You're Probably Doing it Wrong" by Blake Curtis
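The review workflow above (business unit, Internal Audit, IT Risk, Authorizing Official) and the control-diversity rule in this section are easy to state and easy to get wrong in a spreadsheet: nothing stops a reviewer from approving their own evidence, and nothing flags a requirement that is covered only by administrative controls. The following compliance-log model is an added example, not the author's own compliance log or template. It assumes an in-memory store, the status strings used in the workflow above, and one illustrative requirement (3.4.1) with constructed controls; the rule that the Authorizing Official cannot mark a requirement "Approved" while coverage gaps remain is this example's assumption, not something NIST mandates (a real program would let an accepted gap be tracked on the POA&M instead).

```python
"""Compliance log model: role-enforced review workflow plus control-diversity check.

Added example; not the author's template. Assumes an in-memory store and the
status strings from the review workflow in the article.
"""
from dataclasses import dataclass, field

# Status -> (role allowed to act, next status). "Approved" is terminal.
WORKFLOW = {
    "Draft": ("Business Unit", "Awaiting Internal Audit's Review"),
    "Awaiting Internal Audit's Review": ("Internal Audit", "Awaiting IT Risk's Review"),
    "Awaiting IT Risk's Review": ("IT Risk", "Awaiting Final Review"),
    "Awaiting Final Review": ("Authorizing Official", "Approved"),
}
CONTROL_TYPES = {"detect", "prevent", "correct"}
CONTROL_CLASSES = {"administrative", "technical", "physical"}


@dataclass
class Control:
    name: str
    ctype: str        # detect | prevent | correct
    cclass: str       # administrative | technical | physical
    automated: bool   # automated vs. manual implementation


@dataclass
class Requirement:
    req_id: str                      # e.g. "3.4.1"
    status: str = "Draft"
    controls: list = field(default_factory=list)
    history: list = field(default_factory=list)      # (actor, role, from, to, note)
    participants: dict = field(default_factory=dict)  # actor -> role (one role per person)

    def _record(self, actor, role):
        """Separation of duties: a person holds exactly one role on a requirement."""
        prior = self.participants.get(actor)
        if prior not in (None, role):
            raise PermissionError(f"{actor} already acted as {prior} on {self.req_id}")
        self.participants[actor] = role

    def coverage_gaps(self):
        """Missing control types/classes, plus a flag if nothing is automated."""
        types = {c.ctype for c in self.controls}
        classes = {c.cclass for c in self.controls}
        gaps = sorted(CONTROL_TYPES - types) + sorted(CONTROL_CLASSES - classes)
        if self.controls and not any(c.automated for c in self.controls):
            gaps.append("no automated control")
        return gaps

    def advance(self, actor, role, note=""):
        """Move to the next status if the actor's role matches the current stage."""
        if self.status not in WORKFLOW:
            raise ValueError(f"{self.req_id} is already {self.status}")
        expected_role, next_status = WORKFLOW[self.status]
        if role != expected_role:
            raise PermissionError(f"{role} may not act while status is {self.status!r}")
        # Assumed rule for this example: no approval while coverage gaps remain.
        if next_status == "Approved" and self.coverage_gaps():
            raise ValueError(f"cannot approve {self.req_id}: gaps {self.coverage_gaps()}")
        self._record(actor, role)
        self.history.append((actor, role, self.status, next_status, note))
        self.status = next_status
        return self.status

    def send_back(self, actor, role, opinion):
        """A reviewer records a deviation and returns the item to the business unit."""
        if self.status not in WORKFLOW or role == "Business Unit":
            raise PermissionError(f"{role} cannot return {self.req_id} while {self.status!r}")
        expected_role, _ = WORKFLOW[self.status]
        if role != expected_role:
            raise PermissionError(f"{role} may not act while status is {self.status!r}")
        self._record(actor, role)
        self.history.append((actor, role, self.status, "Draft", opinion))
        self.status = "Draft"
        return self.status


def build_example():
    """Constructed sample: requirement 3.4.1 (baseline configurations), three controls."""
    req = Requirement("3.4.1")
    req.controls += [
        Control("Configuration management standard", "prevent", "administrative", False),
        Control("SCCM baseline enforcement", "correct", "technical", True),
        Control("Weekly drift report review", "detect", "administrative", False),
    ]
    req.advance("alice", "Business Unit", "SOP and evidence uploaded")
    req.advance("bob", "Internal Audit", "evidence relevant, reliable, sufficient")
    req.advance("carol", "IT Risk", "residual risk acceptable")
    return req  # status is "Awaiting Final Review"; coverage_gaps() == ["physical"]


if __name__ == "__main__":
    r = build_example()
    print(r.status, r.coverage_gaps())
```

In the constructed sample the Authorizing Official is blocked until someone adds a physical control (for example, badge access to the room hosting the file and print server), and "alice", who submitted the evidence, cannot later act as Internal Audit on the same requirement.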
Once you have successfully implemented your compliant environment, you will need to work with your internal audit/risk department to evaluate the effectiveness of safeguards and countermeasures. It is critical that we assure that the risk associated with the program is within acceptable levels and that the authorizing official and sponsor are satisfied with the implementation.
More Considerations Equates to More Complexity
Recently, NIST released the draft of SP 800-171B. The DoD also released the Cybersecurity Maturity Model Certification (CMMC), which introduces even more complexity and difficulty for DoD contractors and research organizations that need to become NIST 800-171 compliant.
NIST 800-171B for High-Value Assets
The NIST SP 800-171B draft consists of enhanced security requirements and recommendations that organizations can apply to information assets that carry higher intrinsic risk and impact for the project or organization (critical programs and high value assets).
Reference: https://csrc.nist.gov/publications/detail/sp/800-171b/draft
The Cybersecurity Maturity Model Certification (CMMC)
CMMC is a measurement scheme similar to Capability Maturity Model Integration (CMMI). Sponsors and assessors evaluate maturity by measuring the effectiveness of the cybersecurity program: the presence of policies, standards, and procedures, and how much of the program is automated versus dependent on manual intervention. This means that sponsors may require your organization to reach a specific maturity level to participate in sensitive activities, and even to receive research grants!
References: https://info.summit7systems.com/blog/cmmc
Ongoing Monitoring & Maintenance
Continuous monitoring and maintenance are vital parts of any cybersecurity program and are essential if one wishes to sustain conformance with NIST 800-171. So how do we remain compliant and monitor conformance with our established program? We need to ensure that we have a good balance of policies, standards, and technology. You may be thinking, how will a policy ensure ongoing monitoring and maintenance? Bear with me; it will all make sense in the next paragraph.
Policy & Standards
Policies and standards give us two vital things. Policies reflect management's expectations, direction, what we should comply with, and what standards can be leveraged to enforce and measure compliance with the policy. Standards are mandatory requirements that provide more specificity to how technologies, processes, and procedures should be utilized to comply with the organization's policy. Standards essentially provide us with the ability to interpret a vague policy by giving it more context.
For example, a policy can mandate that the organization use strong authentication methods to prevent unauthorized access and support non-repudiation. The policy is deliberately not very specific, which leaves room for the standards to flex while still supporting the intent of the policy. The organization can then derive from that one policy specific standards for each technology and platform (Active Directory, AWS, Azure, Windows, Linux, and more) describing how it should be configured to support the policy. Now that I've bored you to death describing the importance of policies and standards, let's move on to the fun part, the technology!
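The value of a standard is that, unlike the policy, it can be checked by a machine. Below is an added example (not from the article) of how the vague authentication policy above turns into a checkable Linux standard: a handful of OpenSSH server directives, each mapped to the 800-171 requirement it supports, evaluated against a weak and a hardened sshd_config. The directive values and the requirement mappings are this example's illustrative choices, not values NIST publishes; the two configuration texts are constructed samples. Two sshd parsing details matter for a correct check and are handled here: sshd keeps the first value it sees for a keyword, so a later "PasswordAuthentication no" does not override an earlier "yes", and directives after a Match line are conditional and must be evaluated separately.

```python
"""Policy -> standard: check an sshd_config against a machine-readable standard.

Added example, not the article's own tooling. Directive values and the
800-171 requirement mappings are illustrative assumptions; adapt them to
your organization's standard.
"""
import re

POLICY = "Use strong authentication methods to prevent unauthorized access."

# Linux/OpenSSH standard derived from the policy: directive -> (expected, 800-171 req).
SSHD_STANDARD = {
    "PasswordAuthentication": ("no", "3.5.3"),   # keys/MFA instead of passwords
    "PubkeyAuthentication": ("yes", "3.5.2"),    # authenticate identities
    "PermitEmptyPasswords": ("no", "3.5.2"),
    "PermitRootLogin": ("no", "3.1.5"),          # least privilege, no shared root login
    "MaxAuthTries": ("3", "3.1.8"),              # limit unsuccessful logon attempts
}

# sshd accepts "Key value" or "Key=value"; split on whitespace or a single "=".
_SPLIT = re.compile(r"\s*=\s*|\s+")


def parse_sshd_config(text):
    """Global-scope directives as {keyword_lower: value}.

    Mirrors sshd semantics: the first value for a keyword wins, and
    everything after the first Match line is conditional, so it is skipped.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        config.setdefault(key, value)   # first occurrence wins
    return config


def check(config, standard=SSHD_STANDARD):
    """Findings as (directive, expected, actual, requirement).

    A missing directive is reported too: sshd would apply its built-in
    default, and the standard wants the value stated explicitly.
    """
    findings = []
    for directive, (expected, req) in standard.items():
        actual = config.get(directive.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append((directive, expected, actual, req))
    return findings


# Constructed samples (not from any real host).
WEAK_SSHD = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no   # ignored by sshd: first value wins
MaxAuthTries 6
"""

HARDENED_SSHD = """\
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
PermitRootLogin = no
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes   # conditional; reviewed separately
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD), ("hardened", HARDENED_SSHD)):
        print(name, check(parse_sshd_config(text)))
```

Each finding carries the requirement number, so the output can be attached to the compliance log as evidence for the Identification and Authentication (3.5) and Access Control (3.1) families, and re-run on a schedule as part of ongoing monitoring.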
Leveraging Technology to Support Policy and Standards
Endpoint protection and configuration management tools enable us to detect, prevent, and correct unauthorized modifications, configuration drift, unauthorized software installations, and unauthorized access. Daily vulnerability scans, endpoint detection and response (EDR) tools, a SIEM, and patch management are great technical controls that assist throughout this endeavor. However, technical controls are not enough. Policies, standards, and procedures (SOPs) are needed to balance out the pitfalls of technology, and vice versa. Lastly, audits and assessments should be conducted whenever significant changes occur within the organization or infrastructure, and at an organizationally defined frequency.
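To make the detect/correct side of configuration drift concrete, here is an added example (not the author's tooling and not any vendor's product) of the core of a file-based drift monitor: take a golden snapshot of a configuration tree (SHA-256, permission bits and a copy of the content), report modified, added and removed files, and revert them. The directory and files are constructed in a temporary folder so the script runs offline. In a real deployment the golden snapshot would live on a separate, write-protected store, and the "correct" step would normally raise a SIEM alert and a change ticket rather than silently restoring, so that the drift itself becomes evidence for requirement 3.4 (Configuration Management).

```python
"""Configuration-drift detection and correction against a golden snapshot.

Added example, not the article's own tooling. Uses a constructed directory
tree in a temporary folder; nothing here touches real system files.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def _digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Golden snapshot: relative path -> (sha256, permission bits, content bytes)."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            snap[rel] = (_digest(p), p.stat().st_mode & 0o777, p.read_bytes())
    return snap


def detect_drift(root, snap):
    """Compare the tree under root with the snapshot; hash or mode change counts."""
    root = Path(root)
    current = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    report = {"modified": [], "added": [], "removed": []}
    for rel, (digest, mode, _) in snap.items():
        p = current.get(rel)
        if p is None:
            report["removed"].append(rel)
        elif _digest(p) != digest or (p.stat().st_mode & 0o777) != mode:
            report["modified"].append(rel)
    report["added"] = sorted(set(current) - set(snap))
    return report


def correct_drift(root, snap, report):
    """Revert to the golden snapshot; returns the actions taken, for the audit trail."""
    root = Path(root)
    actions = []
    for rel in report["modified"] + report["removed"]:
        digest, mode, content = snap[rel]
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.chmod(p, mode)
        actions.append(f"restored {rel}")
    for rel in report["added"]:
        (root / rel).unlink()
        actions.append(f"removed unauthorized {rel}")
    return actions


def demo():
    """Constructed scenario: edit a config, drop a rogue file, delete a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_bytes(b"PermitRootLogin no\n")
        (root / "etc" / "sudoers").write_bytes(b"root ALL=(ALL) ALL\n")
        golden = snapshot(root)
        # Simulated unauthorized changes (constructed, not real attacker activity).
        (root / "etc" / "sshd_config").write_bytes(b"PermitRootLogin yes\n")
        (root / "etc" / "rc.local").write_bytes(b"echo unauthorized startup script\n")
        (root / "etc" / "sudoers").unlink()
        report = detect_drift(root, golden)
        actions = correct_drift(root, golden, report)
        after = detect_drift(root, golden)
    return report, actions, after


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The report is keyed by the same relative paths that a SCCM, Ansible or Puppet baseline would use, which makes it straightforward to attach as an artifact to the compliance log entry for 3.4.1/3.4.2 and to show an assessor that drift is both detected and corrected.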
Conclusion
As you can see, defining, establishing, and maintaining a cybersecurity/compliance program is not an easy task and requires a diligent set of individuals who are committed to maintaining and improving organizational processes on a continual basis. There is a strong need for effective governance via board-level sponsorship and clear awareness of the enterprise’s goals and objectives throughout the organization. The inability to prepare for regulatory and statutory requirements typically stems from a lack of business alignment and a clear prioritization of objectives throughout the organizational hierarchy. Effective governance can influence desired behavior, assist with the identification of critical assets, and create value for the organization's stakeholders. If you want to collaborate or want to have further discussions around Cybersecurity/Compliance and Risk programs for NIST, ISO, GDPR, or other applicable frameworks, please feel free to contact me via LinkedIn @ linkedin.com/in/reginaldblakecurtis. I'm always up for a great conversation around cybersecurity!
How to Comply with NIST 800-171 by Reginald Blake Curtis is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Based on a work at https://www.dhirubhai.net/in/reginaldblakecurtis/.
References
7 Steps to NIST 800-171 Compliance by Blake Curtis
7 Steps to NIST 800-171 Compliance with descriptions by Blake Curtis
Blake Curtis' NIST 800-171 Holistic 3 Step Process Image
CMMI Institute: An ISACA Enterprise: CMMI Levels of Capability and Performance(2019). Retrieved from https://www.cmmiinstitute.com/learning/appraisals/levels
DFARS Protection Requirements retrieved from https://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm
FIPS 199: Standards for Security Categorization of Federal Information and Information Systems(2004). Retrieved from https://csrc.nist.gov/publications/detail/fips/199/final
FIPS 200: Minimum Security Requirements for Federal Information and Information Systems(2006). Retrieved from https://csrc.nist.gov/publications/detail/fips/200/final
International Standards for the Professional Practice of Internal Auditing (Standards) (2016). Retrieved from https://na.theiia.org/standards-guidance/Public%20Documents/IPPF-Standards-2017.pdf
ISACA: Information Systems Audit & Assurance Guidance (2019). Retrieved from https://www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit-/Pages/default.aspx
NIST Functions Image @ https://www.nist.gov/node/1311101/components-framework
NIST SP 800-18R1: Guide for Developing Security Plans for Federal Information Systems(2006). Retrieved from https://csrc.nist.gov/publications/detail/sp/800-18/rev-1/final
NIST SP 800-171 Rev. 1: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (2016). Retrieved from https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
NIST SP 800-171B(Draft) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets(2019). Retrieved from https://csrc.nist.gov/publications/detail/sp/800-171b/draft
NIST 800-171 Compliance Log by Blake Curtis
Policy, Procedures, & Evidence for 3.4 Configuration Management Example by Blake Curtis
NIST 800-171 Compliance Log | Overall Competition screenshot by Blake Curtis
Security Assessment Report (SAR) template part 1 by Blake Curtis
Security Assessment Report (SAR) part 2 by Blake Curtis
SSP Template by Blake Curtis
What is the Cybersecurity Maturity Model Certification (CMMC)?(2019). Retrieved from https://info.summit7systems.com/blog/cmmc
Comments
Vice President Cyber Science Outreach and Partnerships @ Capitol Technology University | Cybersecurity DSc (4 years ago): Blake, this is an awesome resource. I plan to use it.
Maritime Cyber Warfare Officer (MCWO) (5 years ago): Great work.