What Is a NIST 800-171 Compliance Audit?

What Is a NIST 800-171 Compliance Audit? We talk about the purpose of these security controls and give a brief rundown of what’s involved.

Brian Lothridge
Nov 29, 2021

Cyber Security, What Is a NIST 800 171 Compliance Audit?
Fingerprint, Computer, Technology, Cyber Security

Your company offers a product or a service that would be beneficial to the United States government. 

You’d love to win a federal government contract but your cybersecurity is, well … lacking.

That’s where the National Institute of Standards in Technology (NIST) 800-171 compliance audit comes in. NIST security requirements are standards the federal government has created for the private contractors they work with. 

These were developed over the years to protect sensitive information from falling into the hands of hackers through attacks like ransomware. 

Below, we talk about the purpose of NIST 800-171 security controls and give a brief rundown of what’s involved.

A NIST 800-171 Summary

The NIST 800-171 compliance audit goes back to the Obama administration, when Executive Order 13556 was signed in 2010. This order required all federal agencies to ensure the safety of sensitive, but unclassified, information. It also created a policy for data sharing and transparency that all agencies had to follow. 

Then a few federal data breaches hit, including: 

Cybersecurity quickly became a major concern of the federal government. Congress passed the Federal Information Security Modernization Act in 2014. NIST soon developed NIST 800-53, followed by its companion guide, NIST 800-171

How Long Does a NIST 800-174 Compliance Audit Take?

The length of a NIST 800-171 compliance audit can vary depending on how many security protocols you already have in place and the complexity of the audit. NIST 800-171 security requirements have a few levels of complexity, each building from the previous level. The process can take from several weeks to 18 months or more. 

And, if you don’t have good security protocols already in place, a NIST 800-171 implementation will change everything!

NIST & Safeguarding CUI

NIST protects controlled unclassified information (CUI) from getting into the wrong hands. Essentially, CUI is sensitive information that serves the interests of the U.S. government. This information needs to be secure but isn’t sensitive enough to be declared as classified. 

Types of CUI include information relating to:

  • Privacy 
  • Tax
  • Law enforcement
  • Critical infrastructure
  • Controlled technical information (technical information with military or space application)
  • Financial
  • Intelligence
  • Privilege
  • Unclassified nuclear
  • Procurement and acquisition

Cybersecurity Practices to Keep In Mind

NIST 800-171 standards are complex. However, they essentially come down to four core concepts:

  1. Policy and procedures: There are a lot of written policies that need to be in place to make NIST 800-171 standards happen. These procedures are based on IT policies. For example, you’ll need policies on who has access to sensitive data, how employees are trained, and how new computers and servers are set up. 
  2. Logging: You need to keep logs for antivirus software and firewalls, operating system security events, and server security events. These logs need to be reviewed regularly.
  3. Security: This includes both physical and virtual security. For example, you want to make sure that servers are located in a secure place and that your mobile devices are encrypted.
  4. Plan of Action and Milestones (POAM): You’ll need to create a POAM that’ll guide you through the tasks needed to complete NIST 800-171 compliance. This plan will include the documents and resources required to accomplish each step in a timely fashion.

Cybersecurity Maturity Model Certification Levels

When auditing a contractor for NIST 800-171 compliance, the federal government uses Cybersecurity Maturity Model Certification (CMMC). 

Below, we talk about the first three levels of CMMC, which has 130 controls over 17 categories. Each level builds upon the last. You can view a spreadsheet of the levels with detailed descriptions of each control here.

Level 1

The first level brings us the first six categories:

  1. Access Control: Who has access to CUI? Do you have user accounts properly set up so that you know who has access to what information?

  1. Identification and Authentication: What passwords do you have set up? Ensure there is no password sharing. Track who accesses files and at what time.

  1. Media Protection: Sanitize and destroy hardware before disposal. For example, before getting rid of an aging desktop computer that holds CUI, physically destroy the hard drive.

  1. Physical Protection: Limit access to visitors. Have visitor logs so you know when a visitor arrives and leaves. Ensure they don’t have access to server rooms or wiring closets by escorting them to where they need to be.  

  1. System and Communication Protection: Have two separate networks — one for internal production and one for guest internet access. Control what information comes in and out of your networks. Use a firewall to limit intrusions and spam. Limit where employees can go on the internet. 

  1. System Information and Integrity: Prevent malicious codes (like trojans or spyware) with regular virus scans as well as regular software and operating system updates. 

Level 2

The second level brings us seven new categories:

  1. Awareness and Training: Schedule recurring security training. Educating your end users could be the difference between getting ransomware and not.

  1. Audit and Accountability: Build in systems so that you know who accesses your CUI and at what time. 

  1. Security Assessment Plan: Create a document that outlines how the organization implements its security protocols.

  1. Configuration Management: Build and configure your security from a known baseline. For example, when you implement a new Windows 10 computer on a domain, it needs to at least have virus protection, auditing software, and the latest operating system updates installed.

  1. Incident Response: Conduct ongoing education and improvements to your security to help protect your network. This could be a ticketing system that helps you log and assess incidents.

  1. Maintenance: Create preventative measures that involve maintaining or replacing software and hardware.

  1. Personnel Security: Screen individuals who have access to CUI before giving them access. This includes new employees and vendors. 

  1. Recovery: Make sure you have backups in place and that you’re regularly testing and checking them. 

  1. Risk Management: Assess risk to your company quarterly.

Level 3

The third level brings us two more categories:

  1. Asset Management: Establish procedures for handling CUI. This should include procedures for how to categorize data as CUI and how to enforce access to CUI.

  1. Situational Awareness: Educate yourself about new kinds of threats. Review external sources, such as websites and forums from cybersecurity experts. Sign up for alerts on new cybersecurity threats. 

Need Help With NIST 800-171 Implementation?

Omnis Technologies provides professional IT support in Bradford, Pa., Olean, N.Y., and the surrounding areas. We’ve supported clients who’ve worked through CMMC level 3.

To see what your company needs to do to protect itself and your customers, sign up for a free consultation.
Data Security

Similar posts