NIST compliance — often referred to as NIST certification — is required of any organization that does business with the US government, as well as many state agencies. That’s because, as required by the Federal Information Security Management Act (FISMA), all federal agencies must develop and apply an information security program with specific requirements.
The NIST framework is governed by the National Institute of Standards and Technology (NIST). This is a government-funded, non-regulatory federal agency under the Department of Commerce. NIST is important because it’s responsible for developing information security standards and guidelines, including minimum requirements for federal information systems.
Now that you have a better understanding of what NIST is, let’s dive into some of its intricacies.
According to NIST’s website, NIST “develops and maintains an extensive collection of standards, guidelines, recommendations, and research on the security and privacy of information and information systems. This includes various NIST technical publication series.”
The Special Publication 800 series in particular presents information of interest to the computer security community. This includes guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities:
“SP 800 publications are developed to address and support the security and privacy needs of [the] U.S. Federal Government information and information systems. NIST develops SP 800-series publications in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014.”
Created in 1990, the series reports on the Information Technology Laboratory’s (ITL) research, guidelines, and outreach efforts in information systems security and privacy and its collaborative activities with industry, government, and academic organizations.
Essentially, the 800 series helps ensure companies meet government information technology security standards.
NIST SP 800-171 is a NIST Special Publication for government contractors and subcontractors that provides recommended requirements for protecting the confidentiality of controlled unclassified information, or CUI.
As defined by NIST, CUI is “Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.”
If an organization or manufacturer is a part of the General Services Administration (GSA), National Aeronautics and Space Administration (NASA), Department of Defense (DoD), or other federal or state agencies’ supply chain, it must implement the security requirements included in NIST SP 800-171.
By doing so, contractors will be able to demonstrate their provision of adequate security to protect the covered defense information included in their defense contracts, as required by Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012.
NIST 800-171 compliance is important because defining the cybersecurity requirements for contractors who handle sensitive government information strengthens the security of the entire federal supply chain. In other words, NIST 800-171 ensures a unified baseline standard of cybersecurity for all contractors — and their respective subcontractors — who have access to CUI.
What’s more, for many DoD contractors, the ultimate goal is to obtain the Cybersecurity Maturity Model Certification (CMMC). CMMC was established by the DoD to protect CUI that resides on contractor or subcontractor systems or networks of suppliers. Thankfully, ongoing and accurate NIST 800-171 compliance can ultimately help achieve CMMC certification.
There is no official audit or certification body to determine a contractor’s adherence to the NIST 800-171 requirements. Therefore, organizations must self-assess and self-attest to compliance.
How does this work? Businesses must perform an audit against the list of requirements found in NIST 800-171 for all aspects of their systems and networks that store or process CUI. There are 110 requirements that organizations need to meet, and eight steps for conducting a NIST 800-171 self-assessment.
The cost of NIST 800-171 compliance depends on the size and complexity of your business, as well as if your security systems are up to date. For example, if you’ve been proactive over the years and have kept your business security up to date, you may not need to do much more — or spend much more money — to become compliant.
Furthermore, the more aspects of your business that are affected by CUI, the higher the cost is likely to be. Other factors to consider include the personnel available to carry out the procedures and the maturity of the computing environment. This is why it’s difficult to put a specific dollar amount on how much NIST 800-171 compliance will cost, and why you’ll see quotes ranging anywhere from a few thousand dollars to several hundred.
Are NIST 800-171 and ISO related? If so, how?
Both NIST 800-171 and ISO 27001 cover the same areas of information security. Additionally, ISO 27110 can be leveraged to integrate NIST-CSF recommendations into a comprehensive ISO 27001 ISMS.
While NIST 800-171 is designed specifically for non-Federal (commercial) enterprises, ISO 27001 is a more general standard and can be applied to organizations of all types. However, NIST 800-171 can still be mapped to the international ISO 27001 standard in key control areas.
However, these frameworks don’t precisely map to each other because there are differences in the way they are implemented. In other words, some NIST 800-171 requirements have no direct mapping to ISO 27001, or the equivalent ISO 27001 control does not fully satisfy the intent of the NIST control.