NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, was first published in June 2015 and focuses on information shared by federal agencies with non-federal entities. NIST 800-171 underwent minor revisions in February 2020 after the release of the Cybersecurity Maturity Model Certification (CMMC).
What is NIST 800-171?
Controlled unclassified information (CUI) covers information such as tax-related data, sensitive intelligence information, and intellectual property. Issued by the National Institute of Standards and Technology (NIST), the publication serves as a guide for federal agencies to ensure that CUI is protected when processed, stored, and used in non-federal information systems. The federal government often shares this sort of data with institutions and organizations that carry out the work of federal agencies.
Executive Order 13556, issued by the White House in 2010, gave CUI, which previously had various interpretations, a single definition for all federal agencies. It was created by the National Archives and gathered in the Controlled Unclassified Information Registry. CUI can generally be described as information that is not in the classified category. The term arose from the need for federal agencies to address the large amount of unclassified information processed by vendors and service providers as required under the Federal Information Security Modernization Act (FISMA).
The 109 controls set out in NIST 800-171 are tailored from NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and aim to protect CUI in nonfederal information systems from unauthorized disclosure. They are separated into 14 families of security requirements, ranging from access control and risk assessment to personnel security and system and communications protection.
Who does NIST 800-171 apply to?
As of 31 December 2017, nonfederal entities will have to provide documentation and evidence to the federal government as to how they are protecting CUI. In many cases, other federal laws or regulations such as FISMA might address how data must be protected. In instances where no specific law addresses how CUI received from the federal government must be protected, NIST 800-171 will be applied.
With the introduction of CMMC in January 2020, all companies that do business within the Defense Industrial Base (DIB) supply chain will no longer be able to self-certify under NIST 800-171 but will need to submit to a third-party CMMC compliance assessment. However, while CMMC compliance covers all the NIST 800-171 CUI controls, it does not include the 63 Non-Federal Organization (NFO) controls also included in NIST 800-171, which means companies will need to address them separately.
How can DLP help?
Data Loss Prevention (DLP) solutions can help companies with a number of NIST 800-171 compliance requirements. They allow companies to define what sensitive data means to them in the context of their business. They also offer predefined profiles for types of data such as personally identifiable information (PII) and intellectual property, but also for compliance with legislation such as GDPR and HIPAA and standards such as PCI-DSS and NIST 800-171.
Using powerful contextual scanning and content inspection tools, DLP solutions identify sensitive data in hundreds of file types and apply security policies that monitor and control its use and transfer. In this way, companies can avoid data breaches stemming from insider threats such as malicious or negligent employees.
DLP device security control features also allow admins to lock down, control, and monitor removable devices connected to computers via USB and peripheral ports as well as Bluetooth connections. They can implement strong device use policies that will scan data transfers to portable storage devices or block their usage to protect sensitive information from data leakage, in accordance with the NIST removable media policy.
Some DLP solutions, like Endpoint Protector, also offer enforced USB encryption features that ensure that all data transferred onto USBs is automatically encrypted and cannot be accessed in case a device is lost or stolen. In this way, users can safely transfer confidential data and access it only on authorized computers via a secured password. Admins can also remotely send messages to users and change passwords in case they are forgotten or misplaced.
It is also possible to scan sensitive data at rest, stored on employees’ computers, based on specific file types, predefined content, file name, Regular Expressions, or compliance profiles such as NIST 800-171. Based on the scan results, remediation actions like encrypting or deleting data remotely can be taken to avoid compliance breaches.
Data security is not a new concern in the digital world, but with new regulations around the globe, it’s clear that what was once a cautionary choice is now mandatory. Solutions such as DLP, antivirus, and data classification have become essential tools for companies looking to upgrade their data protection strategies and align them with new laws and standards.