NIST 800-171 FAQ
All organizations that use CUI must comply. This can mean government agencies, government contractors, and government subcontractors.
CUI is divided into 20 organizational index groupings, each broken into numerous subcategories. A look at the groupings listed below may give you greater insight into whether or not your organization handles CUI.
The list was curated from the government CUI registry site.
- Critical Infrastructure
- Export Control
- International Agreements
- Law Enforcement
- Natural and Cultural Resources
- North Atlantic Treaty Organization (NATO)
- Procurement and Acquisition
- Proprietary Business Information
NIST 800-171 defines the following control families, each with its corresponding compliance requirements:
- Access control: Limit who has access to data, and verify that they are authorized to have it.
- Awareness and training: Your staff should be adequately trained on CUI handling.
- Audit and accountability: Know who’s accessing CUI and who’s responsible for what.
- Configuration management: Follow guidelines to maintain secure configurations.
- Identification and authentication: Identify and authenticate users and devices, and keep a record of every instance of CUI access.
- Incident response: Maintain a data breach preparedness and response plan that protects CUI.
- Maintenance: Ensure ongoing security and change management to safeguard CUI.
- Media protection: Secure handling of backups, external drives, and backup equipment.
- Physical protection: Authorized personnel only in physical spaces where CUI lives.
- Personnel security: Train your staff to identify and prevent insider threats.
- Risk assessment: Conduct pen testing and formulate a CUI risk profile.
- Security assessment: Verify that your security procedures are in place and working.
- System and communications protection: Secure your comms channels and systems.
- System and information integrity: Address new vulnerabilities and system downtime.
The steps to take when implementing NIST 800-171 are:
- CUI inventory
The first step toward implementing the NIST 800-171 requirements is identifying which systems and solutions in your network store or transfer CUI. Once you have identified these systems, you can focus specific attention on their security. Start by asking which systems could hold CUI.
- CUI classification
Once you’ve located the systems and solutions in which CUI is stored, you should split the data into two categories – data that falls under the umbrella of controlled unclassified information and data that does not. While it’s important to keep all your data secure, you may want to start by protecting the most sensitive data first. In the event of an audit, it’s most important that CUI is protected and you’re able to demonstrate that you have done so. You can always return to your data security efforts later to implement measures that protect all data, not just CUI alone. By categorizing your data, you can limit the amount of time and effort required to secure CUI.
- Close the gaps and implement the controls
After locating and separating CUI from your other, non-sensitive data, you are ready to implement the controls needed to encrypt all files, both in transit and at rest.
- Monitor your data
Implementing the NIST 800-171 requirements and training your employees is only the first step. You also need to monitor who is accessing your CUI and for what purpose. Adopt a solution that records all user activity. To be NIST 800-171 compliant, you should ensure that every action can be traced back to an individual user. Task administrators with overseeing the monitoring process, and create monitoring procedures that work best for your business.
- Ongoing security assessment
You should conduct a security assessment, looking closely at all your systems and processes to identify noncompliance risks. This assessment should be done on a regular basis, quarterly or annually, to ensure that current processes will continue to protect CUI.
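The monitoring step above requires that every CUI access be traceable to an individual user. The following check, added here as an example (not part of the FAQ or of NIST's own material), scans constructed CUI access records and flags any that cannot be attributed to a named individual; the log format, the account names and the shared/service account conventions are all assumptions.

```python
"""Audit-accountability check for CUI access records (added example).

Flags access records for CUI-tagged resources that cannot be traced
back to an individual user: a missing user field, a shared account
such as 'admin', or a non-human service account. The CSV layout,
the sample rows and the account-naming conventions are constructed.
"""
import csv
import io

# Constructed sample audit records: timestamp, user, action, resource, cui flag.
SAMPLE_LOG = """\
ts,user,action,resource,cui
2024-03-01T09:00:00Z,jdoe,read,/share/contracts/ctr-1042.pdf,yes
2024-03-01T09:05:00Z,svc_backup,read,/share/contracts/ctr-1042.pdf,yes
2024-03-01T09:07:00Z,,write,/share/contracts/ctr-1043.pdf,yes
2024-03-01T09:10:00Z,admin,delete,/share/contracts/ctr-1040.pdf,yes
2024-03-01T09:12:00Z,asmith,read,/share/public/newsletter.pdf,no
2024-03-01T09:15:00Z,,read,/share/public/newsletter.pdf,no
"""

# Assumed local conventions: shared accounts and service-account prefixes
# are not individuals, so actions under them are unattributable.
SHARED_ACCOUNTS = {"admin", "root", "administrator"}
SERVICE_PREFIXES = ("svc_", "sa_")


def attribution_gaps(log_text: str) -> list[dict]:
    """Return the CUI access records that lack an individual user."""
    gaps = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["cui"] != "yes":
            continue  # non-CUI accesses are out of scope for this check
        user = row["user"].strip()
        if not user:
            reason = "missing user"
        elif user in SHARED_ACCOUNTS:
            reason = "shared account"
        elif user.startswith(SERVICE_PREFIXES):
            reason = "service account"
        else:
            continue  # attributable to a named individual
        gaps.append({**row, "reason": reason})
    return gaps


if __name__ == "__main__":
    for gap in attribution_gaps(SAMPLE_LOG):
        print(f"{gap['ts']} {gap['action']} {gap['resource']}: {gap['reason']}")
```

Running it reports three unattributable CUI accesses (a service account, a blank user, and the shared admin account); the blank-user read of a non-CUI file is deliberately ignored because the check is scoped to CUI.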