National Institute of Standards and Technology Special Publication 800-171
NIST SP 800-171 was created specifically to address confidentiality concerns for federal data that resides on nonfederal information systems and organizations. The publication outlines what steps should be taken by nonfederal entities to secure CUI (or Controlled Unclassified Information).
NIST 800 Compliance
Unlike many other regulatory frameworks, claiming compliance with NIST 800-171 does not require a 3rd party audit. Self-attestation, or simply stating your compliance posture, is sufficient. So, what does it take to claim compliance? Less than you think. The intent of the standard is to encourage organizations to fully implement all 110 requirements, but the actual publication contains the following:
“Nonfederal organizations describe, in a system security plan, how the security requirements are met or how organizations plan to meet the requirements and address known and anticipated threats…Nonfederal organizations develop plans of action that describe how unimplemented security requirements will be met and how any planned mitigations will be implemented…When requested, the system security plan (or extracts thereof) and the associated plans of action for any planned implementations or mitigations are submitted to the responsible federal agency/contracting office to demonstrate the nonfederal organization’s implementation or planned implementation of the security requirements.”
We all see that the standard allows for deficiencies, because all you need to cover gaps is a plan to fully implement the requirements at some point in the future. This scenario has led many to criticize NIST 800-171, since an organization can technically produce a bare bones System Security Plan, and a remediation plan for every requirement and legitimately claim compliance. Despite this massive loophole, NIST 800-171 compliance remains in force on many defense contracts and subcontracts via a contract clause referencing DFARS 252.204-7012.
System Security Plan
- The system boundary
- The operational environment
- How security requirements are implemented
- The relationships with or connections to other systems.
“Organizations can document the system security plan and the plan of action as separate or combined documents and in any chosen format.”
Supplier Performance Risk System (SPRS)
SPRS is the federal database where supplier information is stored, including NIST 800-171 scores. Contracting officers will verify that your company has a current (within the last 3 years) score submitted in the system prior to contract award. In some cases, the term “Assessment” may be referring to this score.
The score ranges from -203 to 110.
Without an SSP, you will be unable to perform this scoring assessment.
Ongoing Compliance
Once your assessment is complete, plans to remediate any unfinished requirements are in place, and you’ve submitted your score, it’s time to move into the maintenance phase.
Your documentation needs to be updated at least annually and your score updated in SPRS no longer than every three years. 800-171 has been described as a “Living Document“, so don’t plan on seeing this fall by the wayside anytime soon.