NIST 800-171
DFARS 252.204-7012
National Institute of Standards and Technology
Special Publication 800-171.
NIST 800-171 was created specifically to address confidentiality concerns for federal data that resides on nonfederal information systems and organizations. The publication outlines what steps should be taken by nonfederal entities to secure CUI (or Controlled Unclassified Information).
CUI is non-classified information that requires safeguarding or dissemination controls imposed by the government.
Claiming Compliance
Unlike many other regulatory frameworks, claiming compliance with NIST 800-171 does not require a third-party audit. Self-attestation, or simply stating your compliance posture, is sufficient. So, what does it take to claim compliance? Less than you think. Clearly the intent of the standard is to encourage organizations to fully implement all 110 requirements, but the actual publication contains the following:
“Nonfederal organizations describe, in a system security plan, how the security requirements are met or how organizations plan to meet the requirements and address known and anticipated threats…
Nonfederal organizations develop plans of action that describe how unimplemented security requirements will be met and how any planned mitigations will be implemented…
When requested, the system security plan (or extracts thereof) and the associated plans of action for any planned implementations or mitigations are submitted to the responsible federal agency/contracting office to demonstrate the nonfederal organization’s implementation or planned implementation of the security requirements.”
In no uncertain terms we see that the standard allows for deficiencies, provided there is a plan to fully implement the requirements in the future. This has led many to criticize NIST 800-171, since an organization can technically produce a barebones System Security Plan plus a remediation plan for every requirement and legitimately claim compliance. Despite this massive loophole, NIST 800-171 compliance remains in force on many defense contracts and subcontracts via a contract clause referencing DFARS 252.204-7012.
System Security Plan
The System Security Plan is the foundation of NIST 800-171 compliance.
According to the standard it must contain, at a minimum, the following content:
“The system security plan describes: the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems…
Organizations can document the system security plan and the plan of action as separate or combined documents and in any chosen format.”
Plans of Action & Milestones (POA&Ms)
POA&Ms describe why an organization cannot satisfy a requirement, the steps planned to address the shortcomings, and the date by which the plan will be executed.
NIST 800-171 Scoring
Until late 2020, producing a System Security Plan and Plans of Action was sufficient. A new rule kicked in on November 30 requiring contractors to submit, prior to contract award, a score that tracks how many of the requirements are actually implemented. The score is generated by applying the NIST SP 800-171 DoD Assessment Methodology while reviewing your System Security Plan, and it reflects how many of the requirements you’ve implemented.
Supplier Performance Risk System (SPRS)
The SPRS is the federal database where supplier information is stored, including NIST 800-171 scores. Contracting officers will verify that your company has a current (within the last 3 years) score submitted in the system prior to contract award. In some cases, the term “Assessment” may refer to this score.
The score ranges from -203 to 110.
Without an SSP, you will be unable to perform this scoring assessment.
An important note here: Whether you are a subcontractor or a large firm dealing with top-secret information, you are likely required by your contract to submit a score.
Ongoing Compliance
Once your assessment is done, plans to remediate any unfinished requirements are in place, and you’ve submitted your score, it’s time to move into the maintenance phase.
Your documentation needs to be updated at least annually and your score updated in SPRS no less often than every three years. 800-171 has been described as a “Living Document”, so don’t plan on seeing this fall by the wayside anytime soon.
Let’s Recap
There are basically 5 steps your organization needs to take to be successful.
- Assess the environment where CUI is stored against the 800-171 requirements.
- Document findings and generate a System Security Plan & Plans of Action.
- Calculate your score using your SSP and submit that score to the federal government.
- Remediate the requirements you don’t satisfy by changing configurations, deploying solutions, or updating your company policies.
- Monitor your organization and update your documentation periodically to accurately reflect your security posture.
How We Help
ComplyUp’s NIST 800-171 Scoring Methodology Tool
This free tool lets you click your way to an accurate score that can be submitted directly to the SPRS.
Free NIST 800-171 Scoring Tool
ComplyUp’s Assessment Platform
Our platform helps you work through an assessment from start to finish, and auto-generates your System Security Plan and POA&Ms as a formal Microsoft Word document.
Your 800-171 score is also calculated for you.
Third-Party/MSP Support
If this process seems overwhelming or you need guidance specific to your situation, an MSP would be happy to help and can assist with the questions that arise.
Find your local service provider for NIST 800-171 and CMMC support on our Support Marketplace.
Getting It Done
If you have a solid background in IT (or access to someone that does) and a willingness to study and digest the standard, there’s a good chance you can tackle this on your own without software or support. Allocate plenty of time for research, finding templates and drafting documentation.
Prefer to skip all that?
Our Assessment Platform can help you understand the requirements, produce your documentation and put NIST 800-171 behind you. Give us 30 days to show you how easy this can be.
3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
3.1.3 Control the flow of CUI in accordance with approved authorizations.
3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
3.1.8 Limit unsuccessful logon attempts.
3.1.9 Provide privacy and security notices consistent with applicable CUI rules.
3.1.10 Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity.
3.1.11 Terminate (automatically) a user session after a defined condition.
3.1.12 Monitor and control remote access sessions.
3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
3.1.14 Route remote access via managed access control points.
3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information.
3.1.16 Authorize wireless access prior to allowing such connections.
3.1.17 Protect wireless access using authentication and encryption.
3.1.18 Control connection of mobile devices.
3.1.19 Encrypt CUI on mobile devices.
3.1.20 Verify and control/limit connections to and use of external information systems.
3.1.21 Limit use of organizational portable storage devices on external information systems.
3.1.22 Control information posted or processed on publicly accessible information systems.
3.2.1 Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
3.2.2 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.
3.3.1 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
3.3.2 Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
3.3.3 Review and update audited events.
3.3.4 Alert in the event of an audit process failure.
3.3.5 Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
3.3.6 Provide audit reduction and report generation to support on-demand analysis and reporting.
3.3.7 Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
3.3.8 Protect audit information and audit tools from unauthorized access, modification, and deletion.
3.3.9 Limit management of audit functionality to a subset of privileged users.
3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems.
3.4.3 Track, review, approve/disapprove, and audit changes to information systems.
3.4.4 Analyze the security impact of changes prior to implementation.
3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
3.4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities.
3.4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.
3.4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
3.4.9 Control and monitor user-installed software.
3.5.1 Identify information system users, processes acting on behalf of users, or devices.
3.5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
3.5.5 Prevent reuse of identifiers for a defined period.
3.5.6 Disable identifiers after a defined period of inactivity.
3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
3.5.8 Prohibit password reuse for a specified number of generations.
3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password.
3.5.10 Store and transmit only encrypted representation of passwords.
3.5.11 Obscure feedback of authentication information.
3.6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
3.6.3 Test the organizational incident response capability.
3.7.1 Perform maintenance on organizational information systems.
3.7.2 Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI.
3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in the information system.
3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization.
3.8.1 Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
3.8.2 Limit access to CUI on information system media to authorized users.
3.8.3 Sanitize or destroy information system media containing CUI before disposal or release for reuse.
3.8.4 Mark media with necessary CUI markings and distribution limitations.
3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
3.8.7 Control the use of removable media on information system components.
3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.
3.8.9 Protect the confidentiality of backup CUI at storage locations.
3.9.1 Screen individuals prior to authorizing access to information systems containing CUI.
3.9.2 Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.
3.10.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
3.10.2 Protect and monitor the physical facility and support infrastructure for those information systems.
3.10.3 Escort visitors and monitor visitor activity.
3.10.4 Maintain audit logs of physical access.
3.10.5 Control and manage physical access devices.
3.10.6 Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites).
3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.
3.11.2 Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.
3.11.3 Remediate vulnerabilities in accordance with assessments of risk.
3.12.1 Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.
3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
3.12.3 Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
3.13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
3.13.3 Separate user functionality from information system management functionality.
3.13.4 Prevent unauthorized and unintended information transfer via shared system resources.
3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks.
3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
3.13.10 Establish and manage cryptographic keys for cryptography employed in the information system.
3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
3.13.13 Control and monitor the use of mobile code.
3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
3.13.15 Protect the authenticity of communications sessions.
3.13.16 Protect the confidentiality of CUI at rest.
3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
3.14.4 Update malicious code protection mechanisms when new releases are available.
3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
3.14.6 Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
3.14.7 Identify unauthorized use of the information system.
NIST 800-171 is a list of 110 requirements regarding cybersecurity. To claim NIST 800-171 compliance you need to assess your organization against each of the requirements, formally document how you meet each requirement, and plan to make changes to your IT systems and processes as necessary to resolve any deficiencies you discovered during the assessment.
You’ll need to be able to present 3 items to claim compliance to NIST 800-171:
- A System Security Plan
- Plan of Action and Milestones
- Your SPRS score
Controlled Unclassified Information (CUI) is the data the government wants you to protect. You may have access to it for manufacturing items used by DoD or for executing a services contract. The government believes it is sensitive enough to warrant specific cyber defenses to keep it safe.
A System Security Plan is a document that shows how you’ve responded to each of the 110 controls/requirements in NIST 800-171. It should outline system boundaries, system interconnections and responses to the controls. This, essentially, means that you’ll need to respond to each requirement as either Implemented, Not Implemented, Not Applicable or Partially Implemented. Once you have given the control a status, you’ll need to describe why you selected that status.
If the control is implemented, then describe how your organization meets the requirement.
If the control is not implemented, then you’ll need to create a POAM for that requirement.
A POAM is a Plan of Action and Milestones.
When you find a deficiency, or a requirement that your organization does not currently meet, then you’ll need to create a plan to get that deficiency remediated. That plan is your POAM. It shows that you have acknowledged the deficiency and have a good plan for getting the requirement implemented. POAMs will consist of the reason for the deficiency, plans to correct the deficiency and a realistic timeline of when those plans will be completed.
You’ll need both your System Security Plan and Plan of Actions and Milestones to claim compliance to NIST 800-171.
Yes.
The DFARS clause 252.204-7012, which contains the requirement for compliance with NIST, flows down from the prime to the subcontractors. In fact, even if you’re a sub and you have other subs underneath you, you’ll need to require NIST compliance of your subs as well.
First, you’ll need to identify what CUI or FCI you are receiving from the DoD or prime. This will help you to “scope” your environment out. This, often, is easier said than done. You may need to consult with your contracting officer or prime contractor to properly identify this sensitive information.
Debatably, scoping is the next step in the NIST process. Identify the IT systems that need to be assessed. It is possible your network is split up into different sections. Maybe your office computers are on an entirely different network than your production or manufacturing servers (where the CUI is processed). If so, you may be able to focus your assessment on the production servers exclusively.
Once you’ve “scoped” out the environment (or system) that needs to be assessed, you’ll need to complete a gap assessment of that environment. Start by working your way through each of the requirements, one by one. The requirements are identified in Section 3 of NIST 800-171. They’re broken down into 14 families. Read the requirement, consider your environment, and work out a response. If the requirement is implemented, you’ll need to document how you’ve implemented it. If it is “Not Implemented” you’ll need to create plans on how you intend to remediate the deficiency.
Then, when you have conducted your gap assessment, you’ll need to score that assessment using the DoD scoring algorithm. This will give you a score of between -203 and 110. This score, along with some information on your System Security Plan and POAMs, will need to be entered into the SPRS.
You’ll need to conduct a basic assessment of NIST 800-171. This will require you to answer implemented, not implemented, or partially implemented to each of the 110 requirements. You’ll then need to score those answers against the DoD scoring algorithm. Each requirement is weighted separately. The lowest score you can have is -203 with the highest being 110.
There is no failing score and there is no passing score. The only requirement that hints at failing is the requirement to produce a System Security Plan. If you do not have a System Security Plan created, then you will have to enter a score of Not Available (not technically failing but certainly not complying). So, in order to comply with NIST 800-171 you’ll need your SPRS score, a System Security Plan and a Plan of Action and Milestones.
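The three paragraphs above describe the scoring mechanics: every one of the 110 requirements has its own point value, the score starts at 110 and loses points for each requirement that is not implemented, and without a System Security Plan the only thing you can enter is “Not Available”. The script below is an added example of that arithmetic; it is not ComplyUp’s scoring tool and not the DoD’s published table. The weight values and the SSP status extract are constructed for the demonstration (the real weights, for all 110 requirements, come from the NIST SP 800-171 DoD Assessment Methodology), and the partial-credit rule for 3.5.3 and 3.13.11 is stated as an assumption about that methodology that you should confirm against the current version.

```python
"""
Added example, not ComplyUp's tool: score a NIST 800-171 gap assessment the
way the page describes. Each requirement carries its own weight, the score
starts at 110 and loses the weight of every requirement that is not
implemented, and a missing System Security Plan yields "Not Available"
instead of a number.
"""
import csv
import io
from enum import Enum

MAX_SCORE = 110    # every requirement implemented (from the page)
MIN_SCORE = -203   # nothing implemented (from the page)


class Status(Enum):
    IMPLEMENTED = "Implemented"
    PARTIAL = "Partially Implemented"
    NOT_IMPLEMENTED = "Not Implemented"
    NOT_APPLICABLE = "Not Applicable"


# Constructed weight table for a handful of requirements (an assumption for
# the demo, not the official values): points deducted when not implemented.
# A real table has an entry for each of the 110 requirements.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.8": 1, "3.1.17": 5, "3.5.3": 5, "3.8.3": 5, "3.13.11": 5,
}

# Assumption about the DoD methodology: MFA (3.5.3) and FIPS-validated
# cryptography (3.13.11) lose 3 points instead of their full weight when only
# partially implemented; any other partial implementation scores as not
# implemented. Confirm against the current methodology before relying on it.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Constructed SSP status extract: requirement id, status, implementation note.
SAMPLE_SSP = """requirement,status,note
3.1.1,Implemented,Domain accounts only; CUI shares restricted to one AD group
3.1.8,Not Implemented,No account lockout policy on the production domain
3.1.17,Not Applicable,No wireless networks exist inside the CUI enclave
3.5.3,Partially Implemented,MFA on the VPN but not on local admin logons
3.8.3,Implemented,Drives sanitized with the vendor tool before reuse
3.13.11,Implemented,FIPS-validated module enabled on file servers and VPN
"""


def parse_ssp(text):
    """Return {requirement_id: (Status, note)} from the CSV extract."""
    rows = csv.DictReader(io.StringIO(text))
    return {row["requirement"]: (Status(row["status"]), row["note"]) for row in rows}


def deduction_for(req_id, status, weights):
    """Points lost for one requirement under the rules described above."""
    weight = weights[req_id]
    if status is Status.NOT_IMPLEMENTED:
        return weight
    if status is Status.PARTIAL:
        return PARTIAL_CREDIT.get(req_id, weight)
    # Implemented, or Not Applicable with a justification in the SSP, loses nothing.
    return 0


def sprs_score(ssp, weights):
    """Score to enter in SPRS; None stands for the 'Not Available' entry."""
    if ssp is None:            # no System Security Plan, no score
        return None
    unknown = set(ssp) - set(weights)
    missing = set(weights) - set(ssp)
    if unknown or missing:
        raise ValueError(f"unweighted: {sorted(unknown)}, unassessed: {sorted(missing)}")
    total = sum(deduction_for(r, status, weights) for r, (status, _) in ssp.items())
    score = MAX_SCORE - total
    assert MIN_SCORE <= score <= MAX_SCORE
    return score


def poam_items(ssp):
    """Requirements that need a Plan of Action & Milestones entry."""
    return sorted(r for r, (status, _) in ssp.items()
                  if status in (Status.NOT_IMPLEMENTED, Status.PARTIAL))


if __name__ == "__main__":
    ssp = parse_ssp(SAMPLE_SSP)
    print("score:", sprs_score(ssp, SAMPLE_WEIGHTS))          # 106
    print("POA&M needed for:", poam_items(ssp))              # ['3.1.8', '3.5.3']
    print("without an SSP:", sprs_score(None, SAMPLE_WEIGHTS))  # None
```

With the constructed extract, 3.1.8 costs its full 1 point and the partially implemented 3.5.3 costs 3 rather than 5, so the score is 106; those same two requirements are the ones that need POA&M entries. The scorer refuses to run when a weighted requirement has no status, because a score computed over a subset of the 110 requirements is not the number SPRS asks for.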
NIST 800-171 is the current requirement in contracts containing the DFARS clause 252.204-7012. CMMC is positioned to start replacing NIST 800-171 in contracts as soon as an official rule is made.
CMMC contains 3 levels of certification ranging from “basic cyber hygiene” to “advanced”. NIST 800-171 is comparable to CMMC Level 2, as far as the requirements go. All 110 controls for NIST 800-171 can be found in CMMC Level 2. Essentially, if you are 100 percent implemented on NIST 800-171 then you are a good bit of the way done with CMMC Level 2.
CMMC and NIST 800-171, while very similar, are different frameworks. The current DFARS clause requires compliance with NIST 800-171, not CMMC. They’re different frameworks that require different documentation. When you enter your information into the SPRS it asks for a score from your NIST assessment as well as whether or not you have a NIST System Security Plan. It’s also good practice to get compliant with NIST first, both because it is the current requirement and because, as you work your way through NIST, you are also working towards CMMC L2 certification (since the 110 controls in NIST map to CMMC L2).