The National Institute of Standards and Technology (NIST) Special Publication 800-171 provides organizations with guides on how to store, share, and protect controlled unclassified information (CUI). To meet NIST 800-171 requirements, there are four areas where you should focus your efforts – access controls, activity monitoring and management, user behaviors, and data security measures. These are the areas where mistakes could open the door for a data breach.
A common misconception about NIST 800-171 is that you can simply check off some boxes, meet the minimum requirements, and not think about it again. Instead, being NIST 800-171 compliant is an ongoing process that requires you to continuously monitor your security efforts to ensure they’re functioning properly and are strong enough to withstand evolving attacks.
As part of your NIST 800-171 compliance processes, you will engage in four repeatable actions:
- Evaluate: First, you’ll evaluate your current security measures to determine their effectiveness.
- Establish: Next, you will establish any changes or new processes to close security gaps.
- Implement: Once changes have been identified, you will integrate them into your systems.
- Monitor: Finally, you will continuously monitor your systems to ensure you’re complying with NIST 800-171.
Depending on where you start, the NIST compliance process may require you to build security processes from the ground up, overhaul your current security processes, or simply augment the processes you already have in place. To start the process of applying NIST 800-171 guidelines to your organization, you have three options:
- Manage compliance measures and security assessments yourself
- Partner with an independent vendor to outsource your compliance assessment and process establishment needs
- A hybrid of self-management and vendor support
In this article, you will learn more about what the security assessment entails and how it helps you align with NIST 800-171. Then, you’ll find out how to determine if you should manage this security assessment alone, partner with a vendor, or take a blended approach to NIST compliance.
NIST 800-171 Compliance Assessment
Assessing your security measures, identifying gaps, and making recommendations on how to improve your security measures are all vital steps toward NIST 800-171 compliance. Before you can begin your efforts to meet NIST 800-171 compliance standards, you need to understand where your compliance efforts stand today.
Like many organizations, you may have some security measures already in place, like password-protected servers, but you could be facing challenges like lack of uniformity as measures are applied across your organization or outdated systems that don’t withstand today’s security threats.
Conducting an assessment – regardless of whether you or an outside vendor is conducting it – is a three-step process:
Each of the three steps can take around 30 days to complete, depending on the size of your organization and the measures you currently have in place. So, if you have a large company and use company-wide solutions, your assessment could last significantly longer than that of a small to midsize business.
At the conclusion of your assessment, you will have greater transparency into how best to protect your systems and networks from a data breach. This provides a foundation on which you can build the rest of your compliance efforts. In fact, based on the assessment, you may find that you’re closer to compliance than you realize.
What information about your business will be evaluated during the assessment process? If you’re working with a partner, they will focus on how you use, store, and transfer CUI. Your CUI-related processes should be closely evaluated, especially the access controls you have in place (or should have in place) to protect CUI.
Your security policies will also be closely evaluated, both documented and informal. Your IT team can provide information about your current procedures, or if you outsource your IT management to a service provider, they may be involved in the assessment, as well.
The basis for the assessment will be to compare your current operations to the 110 requirements within 14 families outlined in NIST 800-171. For each requirement, your organization will either be fully compliant, partially compliant, or not compliant. Based on the outcome, recommendations will be made on the actions you can take to become compliant.
Once the assessment of your security measures and alignment with NIST 800-171 has been completed, you will have a step-by-step guide of what actions you should take to be compliant. From investing in new hardware to installing new systems with better access controls, there are numerous possibilities for what your compliance actions could involve.
If you are overwhelmed by the amount of work that will be required to meet NIST 800-171 standards, you could always partner with a vendor who will implement the security processes for you. You could also adopt a file sharing solution that is compliant with NIST 800-171. This solution will have security measures in place to protect CUI both when it is stored on the solution and in transit.
Even though your assessment has been completed, the process isn’t over. Your business should regularly be assessed for NIST 800-171 compliance. New lapses in security could develop as hacking capabilities become more sophisticated. Also, security expectations should be regularly communicated to your employees, so they’re fully educated on their responsibilities.
Now, let’s look at your options for who should conduct your security assessment: your internal teams, an outside vendor, or a hybrid of both parties.
Conducting a Self-Assessment
Some companies may choose to conduct a self-assessment of their NIST compliance. Choosing this option saves money, as you don’t have to pay fees to an outside vendor, although it will cost your company dedicated internal resources.
There are also other drawbacks. A self-assessment means that the responsibility of identifying security gaps rests completely on your organization’s shoulders. And while you may have IT experts on your team, that doesn’t mean they’re experts in NIST compliance.
If you do choose to navigate a NIST 800-171 assessment on your own, there are a number of online resources you can access to help inform the process, including:
You can also connect with the nearest Procurement Technical Assistance Center (PTAC), or if your business is in the manufacturing industry, you can contact your local Manufacturing Extension Partnership (MEP).
Partnering with an Outside Vendor
If you want to avoid the hassle of assessing for NIST compliance yourself, partnering with an outside vendor is the best option. This means you don’t have to dedicate manpower to the assessment process, though you will have to pay the vendor a consulting fee.
You also minimize the chance for error. These vendors are experts in NIST compliance, and know exactly how to help you align with regulations. They also have a large number of expert resources, making this a much easier path than trusting a single person on your team to handle the assessment.
Hybrid Approach
The last option is to take a hybrid approach, using some of your own internal resources coupled with an outside provider. If any of your team members has compliance experience or an in-depth knowledge of data security, they can start the assessment process using the tools listed above. After your internal resources have completed an assessment and made recommendations on next steps, you could contact an outside vendor to confirm that their work was accurate.
This approach could cut down on the costs you would pay to a vendor, but it would also mean a significant investment of your internal resources.
Only you can determine which path would be the best option for your organization. If you believe you have team members who are up to the task and you have resources to spare, a self-assessment could be a viable option. However, if you want to ensure that you are fully compliant with NIST 800-171, the safest option is to partner with an outside provider.
Ultimately, you don’t want to take chances when it comes to compliance. Data security should be a top priority in your organization. Consider your assessment options carefully, and choose the one that you believe will ensure your organization is in alignment with NIST 800-171.