NIST 800-171 Compliance

Organizations that work with or provide services to US federal agencies often have access to Controlled Unclassified Information (CUI), which includes any data in non-federal systems and organizations that isn't classified by federal laws or regulations yet is still considered sensitive (see the full list of CUI categories).

What is NIST 800-171?

NIST Special Publication 800-171 is a companion document to the widely applied NIST SP 800-53 security standard. The National Institute of Standards and Technology (NIST) issued this special publication to help government contractors working with CUI ensure proper protection of that data.

NIST 800-171 is mostly used as a basis for meeting the requirements of the Defense Federal Acquisition Regulation Supplement (DFARS), particularly DFARS clause 252.204-7012, which went into effect in 2017. However, the recommendations of this cybersecurity standard apply to contractors and subcontractors of any federal agency.

The current version is NIST SP 800-171 Revision 2. Its predecessor, NIST SP 800-171 Revision 1, will be withdrawn on February 21, 2021.

The main entities and organizations that need to comply with NIST 800-171 are:

[Image: NIST 800-171 compliance]

NIST 800-171 compliance allows these entities to better mitigate the risk of insider threats and reduce the risk of data breaches. Conversely, non-compliance with NIST SP 800-171 may result in the loss of contracts with a federal agency, with ensuing financial losses and reputational damage.

NIST 800-171 vs NIST 800-53

These two information security standards have several meaningful differences:

| Characteristic | NIST SP 800-171 | NIST SP 800-53 |
|---|---|---|
| Required for compliance with | DFARS | FISMA |
| Applies to | Contractors of federal agencies | Federal agencies |
| Provides security guidelines for working with | Controlled Unclassified Information (CUI) | Information systems of government institutions |
| Security control families covered | 14 | 18 |

Still, many security controls in FISMA and DFARS overlap. Organizations that are already compliant with one of these regimes are likely to already meet most requirements of the other.

NIST 800-171 compliance

The Ekran System platform includes a wide selection of cybersecurity capabilities that come in handy for complying with NIST 800-171 cybersecurity requirements. In particular, using Ekran System as NIST 800-171 compliance software, you can implement basic security requirements for compliance with NIST 800-171 in four control families:

  • Access Control
  • Audit and Accountability
  • Identification and Authentication
  • Incident Response

Thanks to its rich functionality, Ekran System also works as a NIST 800-171 compliance solution that helps you meet most of the derived security requirements within these control families:

MEETING NIST 800-171 REQUIREMENTS WITH EKRAN SYSTEM

Control families: Access Control; Identification and Authentication
Ekran System functionality: Identity management
Required actions:
  • Verify user identity and secure critical assets, systems, and accounts with multi-factor authentication.
  • Identify users logging in to your network.

Control family: Access Control
Ekran System functionality: Privileged access management
Required actions:
  • Employ the principle of least privilege and assign access permissions granularly to specific accounts or roles with role-based access control.
  • Ensure that only authorized users can access critical data, applications, and processes.
  • Provide secure remote access to corporate network resources.
  • Enable emergency access to critical systems via one-time passwords.

Control families: Access Control; Audit and Accountability
Ekran System functionality: User activity monitoring
Required actions:
  • Monitor and control user activity within local and remote sessions on endpoints and servers with the Ekran System Client installed.
  • Monitor and block the connection of external USB devices, including portable storage devices.

Control family: Access Control
Ekran System functionality: Security incident investigation
Required actions:
  • Terminate suspicious users, applications, and devices in response to triggered alerts.

Control family: Audit and Accountability
Ekran System functionality: Auditing and reporting
Required actions:
  • Record and log all user actions performed on servers and endpoints with the Ekran System Client installed.
  • Generate standard and customized reports on demand.
  • Export generated reports in a protected format for further forensic analysis.

Control family: Incident Response
Ekran System functionality: Alerts and incident response
Required actions:
  • Configure customized alerts and notifications to respond to cybersecurity incidents and report on them in time.

Control family: Access Control
Ekran System functionality: Data encryption with AES-256 keys and an RSA-1024 or RSA-2048 algorithm
Required actions:
  • Protect the confidentiality of data with efficient cryptographic mechanisms.

Along with NIST SP 800-171 compliance, Ekran System also makes it easier to comply with laws, regulations, and standards such as HIPAA, PCI DSS, and FISMA. Check out the full list of IT compliance requirements you can meet with Ekran System.