Any organization that processes or stores sensitive, unclassified information on behalf of the United States government is required to be compliant with the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) cyber security standards. This might include contractors for the Department of Defense, universities and research institutions that receive federal grants, or organizations providing services to government agencies.
NIST 800-171 compliance sets standards for safeguarding sensitive information on federal contractors’ IT systems and networks. By requiring best-practice cyber security processes from government contractors, the resilience of the entire federal supply chain is strengthened. NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, focuses on information shared by federal agencies with non-federal entities. Issued by the National Institute of Standards and Technology (NIST), the publication came into force on 1 January 2018 and acts as a guide for federal agencies to ensure that Controlled Unclassified Information (CUI) is protected when processed, stored, and utilized in non-federal information systems. CUI can generally be described as information that’s not within the classified category and appeared as a term when federal agencies needed to deal with the massive amounts of unclassified information processed by vendors and repair providers.
Identify CUI
To suits NIST 800-171, companies must first and foremost know whether or not they are receiving and using CUI and where it’s being stored. This suggests a full audit of company systems and data flows, starting with employee computers and ending with third-party contractors a corporation could be working with. Data identification is often facilitated through tools like Data Loss Prevention solutions which permit organizations to scan their entire company networks supported specific file types, predefined content, file names, Regular Expressions, or compliance profiles for standards like NIST 800-171.
Classify Data
Once CUI is identified, it must be separated into the categories it belongs to. There are twenty approved CUI categories under NIST 800-171, among them, data concerning critical infrastructure, defense, patents, privacy, and more. Each category comes with its own set of standards it must suit so CUI must be assessed correctly.
Perform a security assessment
Every company, counting on its size, sector, or the way it processes information, can have different security needs. the primary step to developing an efficient cyber security and data protection strategy, therefore, is to assess existing security measures. In this way, companies can test the strength of existing policies, discover vulnerabilities, and take informed cost-efficient decisions when developing new strategies.