
Understanding NIST 800-171B

September 1, 2020 by Graeme Messina

Introduction

Anyone working in cybersecurity for a government agency, or for a private organization that handles government data, needs to understand how records and data must be handled. Candidates for such positions are expected to show that they know how Controlled Unclassified Information (CUI) should be protected. NIST Special Publication 800-171 (SP 800-171) was published to set out those protection requirements.

This article looks at NIST SP 800-171: what its requirements are meant to do, who they apply to and how they should be implemented. It also briefly covers NIST SP 800-53 and its revisions, where it is used and who it is intended for. All of the underlying documents are freely available from the NIST website.

Earn your CMMC certification

Enroll in a boot camp and become one of the first Certified CMMC Assessors (CCA) or Professionals (CCP)!

What is NIST?

The National Institute of Standards and Technology (NIST) was founded in 1901 as the National Bureau of Standards and took its current name in 1988. It is a physical sciences laboratory and a non-regulatory agency of the US Department of Commerce, and its measurement and standards work covers a wide range of technologies, including cybersecurity.

Every market has regulators, and the relationship between regulators and the industries they oversee is sometimes adversarial. Because NIST is not a regulatory agency, it can take a cooperative stance with industry when developing frameworks and standards. That collaboration often produces improvements across the sectors in which NIST works, to the benefit of everyone involved.

NIST compliance

Before talking about NIST compliance, a few things need to be clear. NIST publishes guidance and standards across many industries, but the body of work that matters here is its guidance on securing federal information systems.

The standards NIST sets are followed not only by federal agencies, which are required to apply them, but voluntarily by many private businesses, because they consolidate well-established, field-tested security practices into a single reference. The NIST Cybersecurity Framework, SP 800-171 and SP 800-53 are the best-known examples.

The general rule of thumb is that aligning with NIST guidance helps an organization satisfy several regulatory regimes at once, because many of the security requirements in regulations such as HIPAA, FISMA and SOX map onto NIST controls. There are additional benefits to becoming NIST-compliant as well.

The primary benefit is that it aligns an organization's IT infrastructure with widely accepted security practices. That is not the same as a guarantee of security: a control can be in place and still be misconfigured, bypassed or out of date, so compliance should be treated as a baseline rather than as proof that data is safe. Not all data is created equal either, so data must be categorized by sensitivity and protected accordingly.

NIST's approach is to categorize information types by the impact that a loss of confidentiality, integrity or availability would have (low, moderate or high, as defined in FIPS 199) and to apply protection in proportion to that impact. Private data such as financial records and personal information therefore receives more stringent measures than general communications such as memos and department announcements.

What is NIST 800-171?

NIST SP 800-171 belongs to the same body of work but focuses on one class of data: Controlled Unclassified Information (CUI) when it resides in nonfederal information systems and organizations, such as contractors and research institutions. An easy way to think of CUI is information that is sensitive and must be safeguarded under law, regulation or government-wide policy, but is not classified. SP 800-171 derives its requirements from FIPS 200 and the moderate baseline of SP 800-53, within the framework established by the Federal Information Security Management Act (FISMA) of 2002 and the CUI program created by Executive Order 13556.

The logic behind it is that federal information does not stop needing protection when it leaves federal systems: when a contractor stores, processes or transmits CUI on its own systems, those systems must provide protection comparable to what an agency would provide. The publication also defines how CUI should be stored and accessed, which gives agencies and the organizations they work with a consistent basis for handling information outside government networks.

Chapter 3 of SP 800-171 organizes its requirements (110 of them in Revision 2) into 14 families. Each family can be summarized briefly as follows:

  1. Access Control: Limit system and CUI access to authorized users, processes and devices, and to the transactions and functions they are permitted to perform; control remote and wireless access and the flow of CUI between systems
  2. Awareness and Training: Make users, managers and administrators aware of the security risks of their activities and train them in their responsibilities for handling CUI, including recognizing insider threats
  3. Audit and Accountability: Create and retain audit logs sufficient to monitor, analyze, investigate and report unauthorized activity, and ensure that the actions of individual users can be uniquely traced to them so that they can be held accountable
  4. Configuration Management: Establish and maintain baseline configurations and inventories of systems, control and document changes, and restrict unnecessary software, ports, protocols and services
  5. Identification and Authentication: Identify users, processes and devices and authenticate them before granting access, including multifactor authentication for privileged and network access, replay-resistant mechanisms and minimum password complexity
  6. Incident Response: Establish an operational incident-handling capability covering preparation, detection, analysis, containment, recovery and user response, and track and report incidents to the appropriate officials
  7. Maintenance: Control who performs system maintenance, how and when, including supervising maintenance personnel without the required access authorizations and sanitizing equipment before it is removed for off-site repair
  8. Media Protection: Protect paper and digital media containing CUI, limit access to authorized users, sanitize or destroy media before disposal or reuse, and protect media during transport, for example with encryption
  9. Physical Protection: Limit physical access to systems, equipment and their operating environments to authorized individuals, escort and monitor visitors, and keep logs of physical access
  10. Personnel Security: Screen individuals before granting them access to systems containing CUI, and protect CUI when personnel are terminated or transferred
  11. Risk Assessment: Periodically assess the risk to operations, assets and individuals that arises from operating systems that handle CUI, scan for vulnerabilities and remediate them in line with those assessments
  12. Security Assessment: Periodically assess whether the security requirements are implemented and effective, develop plans of action to correct deficiencies, and maintain system security plans that describe the environment and how the requirements are met
  13. System and Communications Protection: Monitor and protect communications at system boundaries, separate user functionality from system management functionality, and protect the confidentiality of CUI in transit and at rest using FIPS-validated cryptography
  14. System and Information Integrity: Identify and correct system flaws in a timely manner, protect against malicious code, monitor systems and traffic for attacks and indicators of attack, and act on security alerts and advisories
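The Audit and Accountability and Access Control families above are where a reviewer most often has to turn text into a check. The script below is an added example, not code from the article or from NIST: it walks a constructed set of file-access records in a hypothetical syslog-style format and reports two things a 3.3.1/3.3.2 review would look for, namely successful CUI accesses under shared or service accounts (not uniquely traceable to a person) and accesses or attempts by users who are not on the share's authorization list. The log format, account names, share names and the authorization list are all assumptions made for the demonstration.

```python
"""Audit-log review for two NIST SP 800-171 families (added example).

Checks, over constructed sample records:
  * 3.3.2 traceability: a successful access to a CUI share by an account
    that several people (or no person) can use cannot be attributed to an
    individual, so it is reported.
  * 3.1.1 / 3.3.1: an access by a user who is not on the share's
    authorization list is reported, whether it succeeded or was denied,
    because the logs must make both visible to a reviewer.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample records in a hypothetical "fileaccess" format.
SAMPLE_LOG = """\
2020-08-31T09:12:03Z fs01 fileaccess: user=jsmith share=cui-contracts op=read path=/ctr/2020-07.pdf result=success
2020-08-31T09:14:44Z fs01 fileaccess: user=admin share=cui-contracts op=read path=/ctr/2020-07.pdf result=success
2020-08-31T09:20:10Z fs01 fileaccess: user=mlee share=cui-contracts op=write path=/ctr/draft.docx result=success
2020-08-31T09:21:00Z fs01 fileaccess: user=tchan share=cui-contracts op=read path=/ctr/draft.docx result=denied
2020-08-31T09:25:37Z fs01 fileaccess: user=svc_backup share=cui-contracts op=read path=/ctr/2020-07.pdf result=success
2020-08-31T09:30:00Z fs01 fileaccess: user=tchan share=public op=read path=/memo.txt result=success
"""

# Hypothetical authorization list: accounts permitted on each CUI share.
# Shares not listed are treated as non-CUI and ignored by the review.
CUI_SHARE_ACL: Dict[str, Set[str]] = {
    "cui-contracts": {"jsmith", "mlee", "svc_backup"},
}

# Accounts that are not tied to one person. The names are assumptions.
SHARED_ACCOUNTS: Set[str] = {"admin", "administrator", "root", "guest"}
SERVICE_PREFIX = "svc_"

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fileaccess: user=(?P<user>\S+) "
    r"share=(?P<share>\S+) op=(?P<op>\S+) path=(?P<path>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str        # see review() for the three kinds emitted
    timestamp: str
    user: str
    share: str
    path: str


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Return the record's fields, or None if the line is not in the expected format."""
    m = RECORD_RE.match(line.strip())
    return m.groupdict() if m else None


def is_attributable(user: str) -> bool:
    """True if the account is expected to belong to exactly one person."""
    return user not in SHARED_ACCOUNTS and not user.startswith(SERVICE_PREFIX)


def review(log_text: str, acl: Dict[str, Set[str]] = CUI_SHARE_ACL) -> List[Finding]:
    """Scan the log and return findings for CUI shares only."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["share"] not in acl:
            continue  # malformed, or not a CUI share: out of scope here
        succeeded = rec["result"] == "success"
        authorized = rec["user"] in acl[rec["share"]]
        where = dict(timestamp=rec["ts"], user=rec["user"],
                     share=rec["share"], path=rec["path"])
        if succeeded and not is_attributable(rec["user"]):
            findings.append(Finding("non_attributable_access", **where))
        if not authorized:
            kind = "unauthorized_access_succeeded" if succeeded else "unauthorized_access_attempt"
            findings.append(Finding(kind, **where))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.timestamp} {f.kind:<30} user={f.user} {f.share}:{f.path}")
```

On the sample, the authorized users jsmith and mlee produce nothing; admin is reported twice (shared account and not on the list), svc_backup once (authorized but not attributable to a person), and tchan once for the denied attempt. Keeping the attribution check and the authorization check separate is deliberate: an account can be perfectly authorized and still fail 3.3.2.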

What is NIST 800-53?

Unlike SP 800-171, which is aimed at organizations outside the federal government that handle CUI, SP 800-53 is the catalog of security and privacy controls for federal information systems themselves. It specifies the controls that govern how information is transmitted, processed and stored.

The catalog has been revised several times: Revision 4 was published in 2013, and Revision 5, which was in final public draft when this article was written, was published in September 2020. The changes track the changing computing landscape; newer devices such as smartphones and tablets need attention, and Revision 5 integrates privacy controls alongside the security controls and adds supply chain risk management.

SP 800-53 gives agencies a catalog of controls and control enhancements for protecting confidentiality, integrity and availability. It is designed to be used with SP 800-37, the Risk Management Framework, which describes how agencies and contractors categorize a system, select and implement controls from SP 800-53, assess them, authorize the system to operate and monitor it on an ongoing basis.

The controls themselves are not rated. Instead, a system is categorized as low, moderate or high impact (per FIPS 199) according to the harm a compromise would cause, and the accompanying baselines (Appendix D of Revision 4, SP 800-53B for Revision 5) specify which controls apply at each level. The controls are grouped into families: 18 in Revision 4, and 20 in Revision 5, which adds PII Processing and Transparency and Supply Chain Risk Management. The catalog is very detailed and gives the reader a clear understanding of what each control expects.

Conclusion

NIST has created robust frameworks over the years, giving both government and private industry the tools and knowledge to follow cybersecurity best practices. Thanks to the formal and structured approach of these publications, organizations both private and federal can maintain security and compliance when working with sensitive federal information, including CUI, according to the area in which they operate.


Sources

  1. NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, NIST
  2. Draft NIST Special Publication 800-53 Revision 5, NIST
  3. About NIST, NIST
  4. Final Public Draft SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST
Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.