NIST 800-171 Compliance
Organizations that work with or provide services to US federal agencies often have access to Controlled Unclassified Information (CUI), which includes any data in non-federal systems and organizations that isn’t classified by federal laws or regulations yet can be considered sensitive (see the full list of CUI categories).
NIST 800-171 Compliance: who needs it and why?
What is NIST 800-171?
NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is a companion document to the widely applied NIST SP 800-53 security standard. The National Institute of Standards and Technology (NIST) issued this special publication to help government contractors that handle CUI protect that data properly.
NIST 800-171 is mostly used as the basis for meeting the requirements of the Defense Federal Acquisition Regulation Supplement (DFARS), particularly DFARS clause 252.204-7012, which required covered defense contractors to implement NIST SP 800-171 by December 31, 2017. However, the recommendations of this cybersecurity standard apply to contractors and subcontractors of any federal agency that handle CUI.
At the time of writing, the current version is NIST SP 800-171 Revision 2, published in February 2020. Its predecessor, NIST SP 800-171 Revision 1, will be withdrawn on February 21, 2021.
Who needs to comply with NIST 800-171
The main entities and organizations that need to comply with NIST 800-171 are:
- Department of Defense (DoD) contractors
- General Services Administration (GSA) contractors
- National Aeronautics and Space Administration (NASA) contractors
- Universities and research institutions receiving federal grants
- Any other organization that processes, stores, or transmits CUI on behalf of a federal agency
Complying with NIST 800-171 helps these entities mitigate insider threats and reduce the risk of a data breach. Conversely, non-compliance with NIST SP 800-171 can cost an organization its contracts with a federal agency, along with the financial loss and reputational damage that follow.
NIST 800-171 vs NIST 800-53
These two information security standards have several meaningful differences:
Overview of differences
Characteristic | NIST SP 800-171 | NIST SP 800-53 |
---|---|---|
Required for compliance with | DFARS | FISMA |
Applies to | Contractors of federal agencies | Federal agencies |
Provides security guidelines for working with | Controlled unclassified information (CUI) | Information systems of government institutions |
Security control families covered | 14 (Rev. 2) | 18 (Rev. 4; 20 in Rev. 5) |
Still, the two standards overlap heavily: the NIST 800-171 requirements are derived from the moderate baseline of NIST 800-53 and tailored to nonfederal systems. An organization that already meets one of these regimes is likely to satisfy most requirements of the other.
Whatever additional cybersecurity requirements a contract between a federal agency and its contractor spells out, a contractor that handles CUI still needs to meet the requirements of NIST 800-171.
The Syteca platform includes a wide selection of cybersecurity capabilities that help with NIST 800-171 compliance. In particular, using Syteca as NIST 800-171 compliance software, you can implement the basic security requirements of four control families:
- Access Control
- Audit and Accountability
- Identification and Authentication
- Incident Response
Thanks to its rich functionality, Syteca also helps you meet most of the derived security requirements within these control families:
Meeting NIST 800-171 requirements with Syteca
Control family | Syteca functionality |
---|---|
Access Control; Identification and Authentication | Identity management |
Access Control | Privileged access management |
Access Control; Audit and Accountability | User activity monitoring |
Access Control | Security incident investigation |
Audit and Accountability | Auditing and reporting |
Incident Response | Alerts and incident response |
Access Control | Data encryption with AES-256 keys and an RSA-1024 or RSA-2048 algorithm |
Note that RSA-1024 provides less than the 112-bit security strength NIST has required since 2014 (SP 800-131A), and NIST 800-171 requirement 3.13.11 calls for FIPS-validated cryptography when protecting the confidentiality of CUI. Choose RSA-2048 or longer keys for any new deployment.
Let’s get the conversation started
Contact our team to learn how our insider risk management software can safeguard your organization’s data from any risks caused by human factors. Book a call with us at a time that suits you best, and let’s explore how we can help you achieve your security goals.