Hello, and welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today we are continuing the series on the National Institute of Standards and Technology, otherwise referred to as NIST. We are going to jump into the NIST Special Publication 800-171 revision 2. This one doesn’t have a unique acronym like the CSF or the RMF, so we’ll just have to call it the 800-171 the whole time.
So, what is the NIST 800-171? The NIST 800-171 is a security-focused publication that was recently revised in 2020, hence the revision number 2. This special publication was created with the mindset that the federal government deals with many external vendors, partners, and service providers. The federal government wanted some sort of document that helped these external entities protect any and all sensitive data. So, the 800-171 was developed.
NIST 800-171 is a 101-page document, but the main source of content extends only to page 43. The rest of the document is appendices that provide excellent supplementary material. The NIST 800-171 is like a little brother to the NIST 800-53, which is the publication that government agencies need to adhere to with regard to security controls and the protection of the broad gamut of data from unclassified through classified. We’ll dive into that particular publication during a later TomCast.
Ok, back to the 800-171. When an organization wishes to become, or remain, part of the supply chain to the federal government, they need to be in compliance with a couple of regulations. These regulations are known as the Federal Acquisition Regulation (FAR), and the Defense Federal Acquisition Regulation Supplement (otherwise known as DFARS). F.A.R. is basically the oversight for all acquisitions and contracting procedures that have to do with the federal government. DFARS is administered by the Department of Defense, but it reaches far beyond just that particular agency.
So what did all of that information mean? Well, in order to be compliant with F.A.R. and DFARS, an organization must meet the requirements of NIST 800-171. So, as you can see, following the procedures and processes outlined in the NIST 800-171 can be greatly beneficial to your organization, not just to protect sensitive data, but also to be in compliance with federal regulation, so one can start to do business with, or continue to do business with, the federal government.
Now, exhibiting full transparency, the Department of Defense did release the Cybersecurity Maturity Model Certification (also known as the CMMC) program, which is related to the 800-171. So, the 800-171 is no longer the benchmark of compliance for doing business as a Department of Defense contractor. But, what if your organization doesn’t have any inclination to do business with the federal government? Does the 800-171 even matter at that point?
Remember, the whole title of the NIST 800-171 is for “protecting controlled unclassified information in nonfederal systems and organizations”, so yes, there is a definite benefit for an organization to implement the processes and procedures even if no dealings with the federal government are on the radar. The publication addresses its target audiences, the basic fundamentals of security and data protection, and the development of security requirements before it gets into the meat of the focused material, the protection of sensitive data, in Chapter 3.
Chapter 3 is the core of the publication. It provides introductions to the main security control families and informs the reader of what each control is looking for and how to meet the requirements. Even though the main body of the publication is only 43 pages, to give you an idea of the depth of Chapter 3, that chapter begins on page 9. Oh, and yes, there are only three chapters. So, Chapters 1 & 2 give the introductory information needed before diving into the good stuff.
The appendices, as mentioned earlier, contain excellent supplemental material. Appendix A contains information on other NIST publications that your organization might find useful. Appendix B has a handy glossary of terms, Appendix C has a list of useful acronyms (because, come on…who knows all of them? It’s handy to have a reference for those from time to time). Remember the NIST CSF? Appendix D shows how to map the 800-171 control set with the CSF.
So, again, like I have mentioned in the past couple of TomCasts when it comes to the NIST publications: open up your preferred web browser, utilize your preferred search engine, and look up the NIST 800-171. These are free publications that are typically in PDF format, so dang near any system can view them. Check it out! Also, if you are interested in determining how to get compliant, GuardSight can help! The cyber warriors within the GuardSight organization are very familiar with the NIST 800-171 compliance requirements.
We here at GuardSight thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on www.guardsight.com/tomcast. Or, if you would like more information on what GuardSight can do for you, head on over to www.guardsight.com and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!