In my previous post, I covered some aspects of situational awareness for NIST SP 800-171 and how it applies to organizations that serve the Defense Industrial Base (DIB). In this post, I will dig into NIST SP 800-171 itself. For those interested, NIST is the National Institute of Standards and Technology. It is part of the United States Department of Commerce. The function of NIST in the context of cybersecurity is to research, develop, and publish standards and guidance for specific cybersecurity use cases. NIST Special Publication (SP) 800-171 Rev. 2 is titled Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
This leads us to the crux of the issue. Data. Whenever I consult with customers, the first area I explore is the type of data that is critical to their organization. In order to effectively secure data, you have to know why it is critical, how it is used, and where it is stored. NIST SP 800-171 is written with specific data in mind: Controlled Unclassified Information or CUI. Per the National Archives and Records Administration (NARA) Glossary: “Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information…” Does your organization handle CUI?
A quick and simple test for this is to look at your federal contract or subcontract. If the contracting organization included the DFARS Clause 252.204-7012 in your contract, you are subject to NIST SP 800-171. If you are still unsure and you want to understand CUI further, the DoD recently published a quick reference guide for CUI: https://www.dodcui.mil/Portals/109/Documents/Desktop%20Aid%20Docs/21-S-0587%20cleared%20CUI%20Quick%20Reference%20Guide%20Dec%202020.pdf?ver=MzU7WWsXpkBKMvpz5jX-SA%3d%3d. The chart in the upper left-hand corner of the second page is a great litmus test on whether you are storing and handling CUI.
Now that we know you are handling CUI, here are some details about what you need to do. The first step is to get your score. In an upcoming post, I will be detailing how to score NIST SP 800-171 and the relevant considerations. Once you have determined your score, there are two items that you must have in place. The first is a Plan of Action and Milestones (POAM). The POAM is a document that details every NIST SP 800-171 practice for which your organization is deficient. For each deficient practice, you must include a plan for how you will bring it into compliance and a target date for doing so. In practice, the POAM is a remediation plan describing how your organization intends to become fully compliant with NIST SP 800-171. The second item you must have in place is a System Security Plan (SSP). The SSP is a document that describes the system boundary, the operational environment, how the security requirements are implemented, and the relationships with or connections to other systems. The SSP is critical documentation of not just your environment, but of how your organization has applied specific security controls as they relate to NIST SP 800-171.
To wrap it all up, for current compliance when handling CUI, you need to have the following:
- Your NIST SP 800-171 score (X out of 110).
- Your POAM, showing how you will increase your score.
- Your SSP, documenting your environment and how you have implemented your controls.
- David Malicoat, Founder, BAMCIS Cyber