Understanding the Intent of NIST 800-171
NIST 800-171 is intended for government contractors, both primes and subcontractors, so that they can meet federal security requirements and consistently implement safeguards for the protection of Controlled Unclassified Information (CUI).
Supply chains consist of organizations that design, produce, source, and deliver products and services. All organizations are part of, and dependent upon, product and service supply chains. Supply chain risk is an essential part of the risk landscape that should be included in organizational risk management programs. Although many organizations have robust internal risk management processes, supply chain criticality and dependency analysis, collaboration, information sharing, and trust mechanisms remain a challenge. Organizations can struggle to identify their risks and prioritize their actions—leaving the weakest links susceptible to penetration and disruption. Supply chain risk management, especially product and service integrity, is an emerging discipline characterized by diverse perspectives, disparate bodies of knowledge, and fragmented standards and best practices.
You may have reached this page because you need to address this within your organization…
Contact Sedara for an Executive Overview of NIST 800-171
Technical Overview of NIST 800-171
NIST 800-171 is designed to address common deficiencies in managing and protecting unclassified information.
Controlled Unclassified Information (CUI)
NIST 800-171 requires private companies to protect the confidentiality of CUI when:
- CUI is resident in non-federal information systems and organizations
- The information systems where CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies
- IT department employee access and use
- Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance
- Ensure equipment removed for off-site maintenance is sanitized of any CUI
- Require multifactor authentication
- Limit access to and protect information system media containing CUI, both paper and digital
- Sanitize or destroy information system media containing CUI before disposal or release for reuse
- Mark media with necessary CUI markings and distribution limitations
- Control access to media containing CUI and maintain accountability
- Prohibit or restrict the use of portable storage devices
- Protect the confidentiality of backup CUI at storage locations
- Ensure that CUI is protected during and after personnel terminations and transfers
- Limit physical access to information systems, equipment, and the respective operating environments to authorized individuals
- Protect and monitor the physical facility and support infrastructure for those information systems
- Control and manage physical access devices
- Enforce safeguarding measures for CUI at alternate work sites
- Company information systems and the associated processing, storage, or transmission of CUI
- Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified
- Remediate vulnerabilities in accordance with assessments of risk
- Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in company information systems
- Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls
- Develop, document, and periodically update system security plans
- Engineering principles that promote effective information security within company information systems
- Separate user functionality from information system management functionality
- Prevent unauthorized and unintended information transfer via shared system resources
- Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks
- Prohibit remote activation of collaborative computing devices and provide an indication of devices in use to users present at the device
- Identify, report, and correct information and information system flaws in a timely manner
- Provide protection from malicious code at appropriate locations within organizational information systems
- Monitor information system security alerts and advisories and take appropriate actions in response
- Update malicious code protection mechanisms when new releases are available
- Perform periodic scans of the information system and real-time scans of files
- Monitor information system traffic to detect attacks and indicators of potential attacks
- Identify unauthorized use of the information system
Sedara’s Cybersecurity Development Program can help you implement NIST 800-171 within your organization in an efficient, cost-effective way.
Contact Sedara for your compliance requirement assessment.