NIST SP 800-171 is a practical set of security requirements published by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, and supported by the U.S. Department of Homeland Security (DHS), the U.S. Department of Defense (DoD) and many commercial security experts.
DHS, DoD and the Department of Commerce have established NIST 800-171 as a requirement for DoD and DHS supply chain participants that store, process or transmit Controlled Unclassified Information (CUI), and as the recommended, de facto standard for manufacturing, distribution and industrial services organizations. Counterparty risk is the reason these minimum cybersecurity requirements are imposed at every level of the defense supply chain: a supplier that connects to, or exchanges data with, its customer is effectively a participant in that customer's network, so every participant must be held to the same baseline of best practices.
NIST 800-171 Requirements and Purpose:
| Requirement family | Purpose |
|---|---|
| Access control | Limit system access to authorized users, processes and devices, and to the transactions and functions they are permitted to perform |
| Awareness and training | Make users aware of security risks and train them in their security responsibilities |
| Audit and accountability | Create and retain audit logs so that incidents can be detected, reconstructed and traced to individual users |
| Configuration management | Establish baseline configurations and inventories of hardware and software, and control changes to them |
| Identification and authentication | Verify the identities of users, processes and devices before granting access |
| Incident response | Prepare for, detect, analyze, contain, recover from and report incidents |
| Maintenance | Control system maintenance, maintenance tools and the personnel who perform it |
| Media protection | Protect, control and sanitize physical and digital media containing CUI |
| Personnel security | Screen individuals before granting access and revoke access on termination or transfer |
| Physical protection | Limit physical access to systems, equipment and facilities |
| Risk assessment | Periodically assess risk, scan for vulnerabilities and remediate findings |
| Security assessment | Periodically assess the controls, maintain the System Security Plan and track corrective actions |
| System and communications protection | Monitor, control and protect communications at system boundaries and protect CUI in transit |
| System and information integrity | Identify and correct system flaws, protect against malicious code and monitor for attacks and indicators of compromise |
All of the above elements are required to achieve a minimum level of sustainable protection.
NIST 800-171 Compliance Roadmap:
The journey towards NIST 800-171 compliance differs in every case, but it will encompass the following activities and tasks, as well as the development of specialized documentation, policies and procedures:
Assessment
Network and security assessments must be performed to identify existing security risks and to establish where the environment stands against the requirements.
Network/Security Remediation
Cybersecurity risks identified during the network and security assessments must be remediated so that known vulnerabilities are eliminated before the formal audit.
NIST 800-171 CyberSecurity Audit
Using the Cyber Security Evaluation Tool (CSET), originally published by the Department of Homeland Security, and the NIST 800-171 standard as a reference, a formal CyberSecurity Audit must be performed and documented. This is accomplished using the CSET NIST 800-171 questionnaire, typically over the course of several audit sessions.
System Security Plan Report
The System Security Plan (SSP), one of three main documents that must be developed in order to attain NIST 800-171 compliance, records the answers to all the questions raised in the CyberSecurity Audit. In addition, it documents the IT environment (hardware and software infrastructure), the boundary of the systems that handle CUI, key cybersecurity roles and responsibilities within the organization, and a basic system risk analysis.
Incident Response Plan
The Incident Response Plan is the second document that must be developed in order to attain NIST 800-171 compliance. It documents the actions, the responsible parties and the reporting obligations the organization follows when responding to a detected cybersecurity incident or breach.
Plan of Action with Milestones
The Plan of Action with Milestones (POA&M) is used to document any deficiencies found during the CyberSecurity Audit, together with the mitigation plan, owner and target date for eliminating each deficiency. It also provides evidence of progress and the appropriate supporting documentation.
Continuous Improvement
As the organization's IT systems and infrastructure evolve, so does the cybersecurity threat landscape. A continuous improvement cybersecurity program is essential to help the organization maintain a strong cybersecurity posture. It is recommended that the following activities take place:
- Periodic (annual) Network and Security Assessment and execution of the Remediation Plan
- Periodic (annual) reviews of policies and procedures including the System Security Plan and the associated System Risk Analysis, and the Incident Response Plan
- Periodic (annual) end user CyberSecurity Awareness training