Over the past several years, high-profile data breaches have compelled the U.S. government to assess its ability to protect sensitive information, particularly when that information resides within the IT systems of contractors doing business with the government. Learn the basics of NIST SP 800-171 and how Deltek Costpoint Cloud solutions may help you meet the new government security requirements.
What is NIST SP 800-171?
In June 2015, the National Institute of Standards and Technology (NIST) published a special publication titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Known as NIST SP 800-171, it gives federal agencies a recommended set of security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when that information is processed, stored, or transmitted by nonfederal organizations. NIST SP 800-171 places significant responsibility on contractors that do business with the government: it specifies the safeguarding requirements they must implement for the organization, systems, and system components where CUI is handled.
NIST SP 800-171 Rev 1 was published in December 2016 and was last updated in February 2018. The full report can be downloaded here: https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final.
What is Controlled Unclassified Information (CUI)?
Established by Presidential Executive Order 13556, CUI is unclassified information that the U.S. government has deemed necessary to safeguard because it directly affects the government’s ability to carry out its missions and business operations. CUI can exist in many formats, including paper documents, electronic files, and digital media. If you provide services or products to the U.S. federal government, you should first determine whether you store, process, or transmit CUI and, if so, be able to show how your organization protects it. In practice this means being prepared to provide documentation of your technical safeguards and policies, along with evidence that you can detect and respond to incidents affecting the security of CUI.
Why is NIST SP 800-171 important for CUI?
NIST SP 800-171 is important because it provides a disciplined, structured approach to handling and protecting CUI that is shared as federal agencies and contractors work together. As organizations deliver more services online, store more data digitally, and increasingly outsource technology services to contractors and other third parties, the threats to that information have grown. NIST SP 800-171 organizes its safeguards into 14 families of security requirements (110 individual requirements in Rev 1) to help reduce these cybersecurity risks.
What are the 14 security controls in NIST SP 800-171?
Following is a list of the 14 “Security Requirement Families” (often loosely called the 14 security controls) that contractors must implement to comply with NIST SP 800-171, each with a brief description. For the individual requirements within each family, see chapter 3 of NIST SP 800-171.
1. Access Control
Limits system access to authorized users, processes, and devices, and limits those users to the transactions and functions they are permitted to perform.
2. Awareness and Training
Ensures that managers, system administrators and users of information systems with CUI are made aware of security risks, and that the appropriate people have been properly trained.
3. Audit and Accountability
Requires that system audit logs record both authorized and unauthorized activity in enough detail to trace actions to individual users, so that those users can be held accountable for what they did.
4. Configuration Management
Describes how to establish and maintain baseline configurations and inventories of network and information systems, and how to document change management processes throughout the system development lifecycle.
5. Identification and Authentication
Requires that users, processes, and devices be identified, and their identities verified, before they are allowed access to systems containing CUI; this includes the authentication methods used, such as multifactor authentication for privileged accounts and for network access.
6. Incident Response
Describes the operations for dealing with data breaches or security threats and the process for reporting incidents.
7. Maintenance
Describes how maintenance is performed on information systems and the controls required over the tools, techniques, and personnel used to carry out that maintenance.
8. Media Protection
Describes how media containing CUI (both digital and paper) should be protected from unauthorized users and how media containing CUI should be handled for disposal or release for reuse.
9. Personnel Security
Describes how users should be screened prior to granting access to information systems containing CUI, and how systems should be protected during personnel changes such as terminations or transfers.
10. Physical Protection
Describes how physical access to data centers, information systems and storage systems containing CUI should be limited to authorized users.
11. Risk Assessment
Requires periodic assessment of the risk to organizational operations, assets, and individuals that arises from operating systems that handle CUI, including regular vulnerability scanning and remediation of the vulnerabilities found.
12. Security Assessment
Describes how to periodically assess whether security controls are effective, document them in a system security plan, monitor them on an ongoing basis, and develop plans of action to correct deficiencies and reduce vulnerabilities.
13. System and Communications Protection
Describes the use of secure design, development, and engineering principles to promote effective security within information systems. Also describes how to monitor, control, and protect information transmitted or received by organizational information systems.
14. System and Information Integrity
Describes the process for identifying, reporting, and correcting system flaws in a timely manner, protecting against malicious code, and monitoring systems for attacks and indicators of potential attacks.
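To make the Audit and Accountability (family 3) and Identification and Authentication (family 5) descriptions above concrete, here is a small added example of the kind of check an auditor or security team might run over system logs. It is example code written for this page, not part of NIST SP 800-171 and not code from Deltek or Costpoint. The log format, field names, the eight sample records, and the failed-login threshold are all constructed assumptions; the point is that every record touching CUI must be attributable to an individual user, and that repeated failed authentication attempts must be visible in the audit trail.

```python
"""Audit-record accountability check over constructed log lines (added example)."""
import re
from collections import Counter

# Constructed sample records in an assumed "timestamp key=value ..." format.
# These are not real logs; they exist only to exercise the checks below.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z host=app01 user=alice src=10.0.0.5 action=login outcome=success
2024-03-04T09:00:07Z host=app01 user=alice src=10.0.0.5 action=read object=/cui/contract-7.pdf outcome=success
2024-03-04T09:02:11Z host=app01 user=bob src=198.51.100.9 action=login outcome=failure
2024-03-04T09:02:15Z host=app01 user=bob src=198.51.100.9 action=login outcome=failure
2024-03-04T09:02:20Z host=app01 user=bob src=198.51.100.9 action=login outcome=failure
2024-03-04T09:02:24Z host=app01 user=bob src=198.51.100.9 action=login outcome=failure
2024-03-04T09:05:00Z host=app01 src=10.0.0.17 action=delete object=/cui/contract-7.pdf outcome=success
2024-03-04T09:06:30Z host=app01 user=svc_backup src=10.0.0.20 action=read object=/cui/contract-7.pdf outcome=success
"""

# Fields every record needs so an action can be traced to a user (assumed policy).
REQUIRED_FIELDS = ("user", "src", "action", "outcome")
FAILED_LOGIN_THRESHOLD = 3  # assumed alerting threshold
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split one log line into a dict: the leading token is the timestamp,
    everything after it is parsed as key=value pairs."""
    ts, _, rest = line.partition(" ")
    rec = {"timestamp": ts}
    rec.update(FIELD_RE.findall(rest))
    return rec


def audit_findings(log_text, threshold=FAILED_LOGIN_THRESHOLD):
    """Return a list of findings, in log order:
    - 'unattributable': a record lacking the fields needed to hold a user accountable
    - 'repeated_login_failure': a user reaching `threshold` failed logins
    """
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)

        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            findings.append({
                "type": "unattributable",
                "timestamp": rec["timestamp"],
                "missing": missing,
                "action": rec.get("action"),
            })

        if rec.get("action") == "login" and rec.get("outcome") == "failure":
            user = rec.get("user", "<unattributed>")
            failures[user] += 1
            if failures[user] == threshold:  # report once, when the threshold is hit
                findings.append({
                    "type": "repeated_login_failure",
                    "timestamp": rec["timestamp"],
                    "user": user,
                    "src": rec.get("src"),
                    "count": failures[user],
                })
    return findings


def who_touched(log_text, obj):
    """Traceability query: which users acted on a given object? Records with no
    user field are reported as '<unattributed>' rather than silently dropped."""
    users = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("object") == obj:
            users.add(rec.get("user", "<unattributed>"))
    return sorted(users)


if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_LOG):
        print(finding)
    print(who_touched(SAMPLE_LOG, "/cui/contract-7.pdf"))
```

Run against the sample, the check flags two things an assessor would ask about: the burst of failed logins for `bob` from a single source address, and a `delete` of a CUI document that carries no user at all, which means nobody can be held accountable for it. The same log format and fields are assumptions for this example; a real system would map its own log schema onto the required fields.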