What is NIST 800-171?
As computing platforms and technologies are ubiquitously deployed worldwide and systems and components are increasingly interconnected through wired and wireless networks, the susceptibility of Controlled Unclassified Information (CUI) to loss or compromise grows.
The purpose of NIST 800-171 is to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI when that CUI resides in non-federal information systems and organizations, such as contractors.
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.
Who needs to follow NIST 800-171?
The standard applies to any prime contractor or sub-contractor working on government projects, since such contractors are highly likely to have access to CUI and therefore need to implement the controls this standard specifies.
NIST 800-171 security requirements fulfilled using e-Safe Compliance
NIST 800-171 organises the security requirements into fourteen families. e-Safe Compliance is an information security solution that helps companies monitor and secure sensitive information such as CUI.
The chart below lists the families and mentions which requirements are fully or partially managed by e-Safe Compliance.
| SECURITY REQUIREMENT FAMILIES | ENSURING COMPLIANCE USING E-SAFE COMPLIANCE |
|---|---|
| Access Control | Full Compliance. e-Safe Compliance provides the required access control on CUI. |
| Awareness and Training | Partial Compliance. e-Safe Compliance helps to fulfil the required security risk awareness among staff. |
| Audit and Accountability | Full Compliance. e-Safe Compliance has powerful reporting and auditing capabilities, which provide clear forensic evidence to support an investigation. |
| Configuration Management | Partial Compliance. e-Safe Compliance fulfils the configuration baselining requirements; however, the requirement also relates to taking action when gaps are identified, which is a manual task. |
| Identification and Authentication | Not Applicable. The security control is about having an appropriate identity and access management system in place. |
| Incident Response | Full Compliance. e-Safe Compliance offers complete tracking of CUI and incident response capabilities, which includes case management workflow. |
| Maintenance | Not Applicable. |
| Media Protection | Full Compliance. e-Safe Compliance offers extensive media protection capabilities. |
| Personnel Security | Partial Compliance. e-Safe Compliance fulfils the requirement of monitoring the users. |
| Physical Protection | Not Applicable. |
| Risk Assessment | Full Compliance. e-Safe Compliance helps to automate many facets of risk and security assessment. It includes an automated risk register. The risk report from e-Safe Compliance becomes an integral part of closing any security gaps in the company. |
| Security Assessment | |
| System and Communications Protection | Partial Compliance. This security requirement is mostly related to network configuration and information flows within the network. e-Safe Compliance offers partial compliance to this requirement by fulfilling the cryptographic requirements for CUI. |
| System and Information Integrity | Not Applicable. This requirement is mainly to do with correcting application flaws, such as a vulnerability in a company's ERP system, or having the appropriate anti-virus/anti-spam software installed. |