If your organization handles controlled unclassified information (CUI), you know how crucial it is to keep that data protected. NIST Special Publication 800-171 (National Institute of Standards and Technology) was written specifically for non-federal organizations like yours to provide guidance on protecting CUI in their systems.
Through 14 families of security requirements and 110 individual requirements, NIST 800-171 gives your organization concrete steps you can take to minimize the risk of compromising your CUI. Use this checklist in your own company, following these steps outlining how to keep your CUI safe.
1. Identify Relevant CUI
Your company might generate massive amounts of data each day, from internal communications to data received from customers and contractors. While you never want your data to be compromised, prioritizing which data you protect first can help you align with NIST 800-171 faster.
Identifying the data that falls into the CUI category allows you to protect the most critical information before you worry about the rest of your data. To make sure you identify CUI correctly, consider the U.S. government definition of CUI:
"Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended." - National Archives
Basically, CUI is sensitive but not classified government data. Identifying where CUI lives in your systems and on your devices helps you pinpoint the areas that need security measures immediately. This can be a tedious process, as you will have to conduct a system-wide analysis to find CUI (file shares, email, backups, collaboration tools and endpoints included), but doing this work upfront allows you to protect CUI faster in the long run. Once you have identified CUI, you should separate it from non-sensitive data, reducing the number of locations where CUI is stored; every system that stores, processes or transmits CUI falls within the scope of the requirements, so a smaller footprint means a smaller assessment boundary.
2. Classify Your Data
Following the identification of your CUI, you should separate it into the applicable CUI categories. There are numerous CUI categories, with subcategories breaking down the types of CUI even further. The main CUI categories include:
- Critical Infrastructure
- Defense
- Export Control
- Financial
- Immigration
- Intelligence
- International Agreements
- Law Enforcement
- Legal
- Natural and Cultural Resources
- North Atlantic Treaty Organization (NATO)
- Nuclear
- Patent
- Privacy
- Procurement and Acquisition
- Statistical
- Tax
- Transportation
Breaking down your CUI into these categories helps you identify any security measures that pertain to a specific category.
3. Develop Baseline Controls
Baseline controls are valuable because they set the standard for how your data will be protected in your organization. These controls should be the foundation on which you build your security plan, and they will be expanded upon in alignment with your organization's specific security needs. Baseline controls fall under these 14 requirement families outlined in NIST 800-171:
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
4. Test Baseline Controls
Once you have outlined your security plan, you should implement and test your baseline controls. Testing means checking that each requirement is actually met in practice, not just written down: the companion publication NIST SP 800-171A provides assessment objectives and procedures (examine, interview, test) for each of the 110 requirements, and working through them is the most direct way to confirm your controls are effective. Remember that your baseline controls act as a foundational defense against intentional and unintentional data breaches, and they should be strong enough to withstand emerging threats.
5. Continue Assessments to Mitigate Risk
After you have established your baseline controls and implemented the necessary security measures, you need to keep assessing the controls to ensure they continue to mitigate risk. Many companies make the mistake of thinking that risk assessments are completed only once, when the security measure is implemented. NIST 800-171 treats assessment as an ongoing activity: the Risk Assessment family requires periodic risk assessments and periodic vulnerability scanning of systems and applications, and the Security Assessment family requires periodic assessment of the controls themselves.
Regular, ongoing testing of every aspect of your NIST 800-171 security process is essential for maintaining control of your CUI. When testing reveals a vulnerability or a requirement that is not fully met, you can take action to remedy the issue, track it to closure, and build up your security efforts to match developing risks.
6. Document Your Organizational Security Plan
Creating and documenting your security plan ensures that you have a well-organized and thoroughly compliant security process. NIST 800-171 explicitly requires this documentation: a system security plan (SSP) describing the system boundary, the environment of operation, how the requirements are implemented and how the system connects to other systems, together with a plan of action and milestones (POA&M) for any requirements that are not yet fully met. A written plan also maintains continuity within your organization. Your security experts may be dedicated to your team today, but as current employees leave and new employees are hired, you need to ensure that the strength of your security plan doesn't waver.
Keep in mind that you will need to update this security plan to reflect any changes or developments in your security processes. So, if you identify a potential security risk during your control testing and you make adjustments to your controls, those changes need to be recorded in your security plan and the corresponding item closed out in your plan of action. Assign someone in your organization the task of managing the security plan and regularly updating it.
You should be striving to prevent data breaches, but you should also have established plans in the event a data breach does occur. Containing the breach and returning operations to normal as quickly as possible is vital, and the Incident Response family requires that you have an incident-handling capability, track and report incidents, and test that capability. During your security plan creation, you need to establish guidelines not only for preventing a breach, but also for how to handle a breach if it does occur.
7. Roll Out the Plan across Your Company
NIST 800-171 compliance is not the job of a single individual. It takes dedication from everyone in your organization to maintain compliance. Thus, your security plan should be adequately communicated across your entire company.
As your security plan is shared across your organization, there may be a lot of misconceptions and confusion about secure CUI handling practices. For example, if employees send CUI through an email service that is outside your protected environment or that does not encrypt CUI in transit, you could be in violation of NIST 800-171 requirements, which call for cryptographic protection of CUI during transmission. While not every aspect of your security plan will apply to every department, it's important that all employees have access to the entire plan. Communicate the aspects of NIST 800-171 compliance that are most pertinent to different departments, ensuring that everyone on each team understands the security expectations that apply to them.
In the same way that security changes and updates should be reflected in the documentation of your security plan, they should be communicated to your team, as well. When new security measures are implemented, you should communicate updated expectations to your team and ensure they are equipped to follow new guidelines.
8. Monitor Outputs
Finally, the goal of your security plan is to comply with NIST 800-171. You want to mitigate the risk of a data breach, or if a data breach occurs, you want to quickly contain the threat. Continue to monitor the outputs of your security measures, making sure they are performing successfully and keeping you in alignment with NIST 800-171.
Creating reliable, repeatable security processes helps you maintain alignment with NIST 800-171 each day. Tools like a secure file sharing solution can help, too. A managed file transfer server that uses encrypted protocols such as SFTP or FTPS allows you to store all your CUI in a single protected location with access control, auditing and encryption in transit built in; note that plain FTP sends credentials and file contents in cleartext and would not satisfy the transmission-protection requirements. With a file sharing solution designed around NIST 800-171, you can minimize the time and effort your team needs to invest in the technical requirements. Keep in mind, though, that a tool covers only the requirements within its own scope; your organization remains responsible for the system security plan, the policies, training and assessment that surround it.
Learn more about aligning with DFARS standards. Download this complete DFARS guide now.