What NIST 800-171 Means for Your Sensitive Federal Information

The National Institute of Standards and Technology (NIST) released Special Publication 800-171 for DoD and federal contractors that handle Controlled Unclassified Information (CUI). The publication covers the protection of CUI in non-federal information systems and organizations. The Defense Federal Acquisition Regulation Supplement (DFARS) deadline for NIST 800-171 compliance was December 31, 2017. Over the last four years, federal contractors have implemented the standard at a record pace, often with help from NIST's Manufacturing Extension Partnership (MEP). MEP supports cybersecurity self-assessments for individual manufacturers pursuing government contracts to grow their customer base. These free self-assessment resources are provided online in multiple formats, including infographics and PDF guidebooks, and cover the first steps toward NIST 800-171 compliance and winning profitable government contracts. The BEST of these resources is the NIST MEP Cybersecurity Self-Assessment Handbook (NIST Handbook 162), roughly 150 pages of practical advice tailored to various manufacturing situations. If you do not want to read the entire handbook, take a look at the NIST SP 800-171 Webinar by NSF International, which summarizes its crucial points.

What are some examples of implementations of NIST 800-171 standards?

As the standard itself states, NIST 800-171 applies to ANY non-federal organization that processes, stores or transmits CUI, whether in databases or on mass storage devices such as flash drives, hard drives (mechanical or SSD) and network-attached storage (NAS). Notable examples include research institutions such as universities that carry out federally funded research projects, for instance testing of substances scheduled under the DEA Controlled Substances Act. As a result, universities such as the University of Cincinnati have developed their own NIST 800-171 Compliance Guideline manual, which explains how the university identifies gaps, who is responsible for doing so and what actions can be taken to close each gap. The University of Connecticut has likewise developed its own NIST 800-171 Security Control Requirements checklist for Principal Investigators (PIs) to use when implementing and maintaining the federal standards in research settings, and has tabulated the NIST 800-171 control requirements alongside the PI implementation steps to show how each one is being met. Both compliance documents are good models if you want to win government contracts post-deadline and need to demonstrate your own organization's commitment to compliance.


Besides universities and government-funded research, businesses and financial institutions (state grant agencies, lenders and third parties) that handle federal student loan information also have to comply with NIST 800-171 and its 110 security requirements. Given that they hold sensitive information such as first and last names, addresses, telephone numbers and emails and, most importantly, banking and Social Security identifiers, it is essential that these organizations stay on top of their security. A single breach can expose extremely lucrative PII (Personally Identifiable Information) for attackers to sell on the dark web or use for their own financial gain. That is why Federal Student Aid (FSA) has moved to apply NIST 800-171 to this type of information. For more background on the protection of federal student aid information, take a look at the FSA's electronic announcement from December 18, 2020.

To face these challenges, organizations such as EDUCAUSE have reported on upcoming plans to require self-assessments from organizations holding federal student loan data, although there is still uncertainty about how these will be implemented and what the assessment will require. EDUCAUSE raises further questions for the FSA to answer and stresses the participation of key stakeholders; to read more on their concerns, take a look at 800-171 Compliance on the Horizon. Overall, the FSA's goal is a proper system that keeps loan data secure throughout its use and storage so that it cannot be misused by bad actors. The new standard will be ALL encompassing, as most of the information held by the FSA will be covered.

What to keep in mind after your NIST 800-171 compliance research?

After your research, you may have found some very large gaps in your data handling. If so, we have answers to your dilemma. Tx Systems provides Identity, Authentication and Access Control solutions that meet NIST SP 800-171 at the HIGHEST levels of federal government standards.

These are some of the key NIST SP 800-171 standards:

  • (3.5.1) Identify information system users, processes acting on behalf of users, or devices.
  • (3.5.2) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  • (3.5.3) Use multi-factor authentication (MFA)/two-factor authentication (2FA) for local and network access to privileged accounts and for network access to non-privileged accounts.


  • To meet the System and Communications Protection requirements, organizations can implement HID's ActivClient for Windows logon, email encryption, digital signing of documents and application authentication. We also offer ActivClient for macOS and Linux to support a diverse set of environments. With millions of DoD and federal employees already using ActivClient, it is a STRONG choice for governments and enterprises to protect their data.
  • To meet the Physical Protection and Access Control requirements, Tx Systems can specify and provide physical access control systems (PACS) from HID Global and SecuGen. In addition, Tx Systems carries ADDITIONAL physical access systems from IDEMIA such as their Enterprise Security Physical Access Control Reader.
  • To meet the Identification and Authentication requirements, Tx Systems offers multi-factor authentication (MFA) devices such as tokens and security keys from well-known manufacturers such as Identiv and Kensington. A notable option is the Identiv uTrust FIDO2 NFC Security Key, which supports logins to a variety of web applications including Salesforce, Facebook and Dropbox.
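What a FIDO2 security key such as the one above hands a web application is a signed assertion, and requirement 3.5.2 is only met if the application verifies that assertion before granting access. The Go program below is an added example, not code from Tx Systems, Identiv or the original post: it implements the relying-party checks on a WebAuthn assertion (ceremony type, challenge, origin, RP ID hash, user-presence and user-verification flags, signature counter and the ECDSA P-256 signature over authenticatorData plus the hash of clientDataJSON) and stands in for the key with a software signer. The RP ID, origin and challenge values are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Flag bits in byte 32 of authenticatorData.
const (
	flagUserPresent  byte = 0x01 // UP: the user touched the key
	flagUserVerified byte = 0x04 // UV: the key also checked a PIN or biometric
)

// Constructed values for this example; a real deployment uses its own.
const (
	exampleRPID      = "example.com"
	exampleOrigin    = "https://login.example.com"
	exampleChallenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl" // fresh random value per login
)

// StoredCredential is what the relying party kept from registration.
type StoredCredential struct {
	PublicKey *ecdsa.PublicKey
	SignCount uint32 // last signature counter seen from this key
}

// clientData holds the CollectedClientData fields the relying party must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// VerifyAssertion runs the relying-party checks on a WebAuthn assertion and,
// on success, records the new signature counter. The key signs
// SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func VerifyAssertion(cred *StoredCredential, rpID, origin, challenge string,
	authData, clientDataJSON, sig []byte, requireUV bool) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed login")
	}
	if cd.Origin != origin {
		return errors.New("origin mismatch: assertion was collected by another site")
	}
	if len(authData) < 37 {
		return errors.New("authenticatorData too short")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(authData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	flags := authData[32]
	if flags&flagUserPresent == 0 {
		return errors.New("user presence not asserted")
	}
	if requireUV && flags&flagUserVerified == 0 {
		return errors.New("user verification required but not performed")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if count != 0 && count <= cred.SignCount {
		return errors.New("signature counter did not increase: possible cloned key")
	}
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.PublicKey, digest[:], sig) {
		return errors.New("invalid signature")
	}
	cred.SignCount = count
	return nil
}

// fakeAuthenticator stands in for the security key in this example: it builds
// authenticatorData for rpID and signs it with the credential's private key.
func fakeAuthenticator(priv *ecdsa.PrivateKey, rpID string, flags byte, count uint32,
	clientDataJSON []byte) (authData, sig []byte) {
	rpHash := sha256.Sum256([]byte(rpID))
	var counter [4]byte
	binary.BigEndian.PutUint32(counter[:], count)
	authData = append(append(rpHash[:], flags), counter[:]...)
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	return authData, sig
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	cred := &StoredCredential{PublicKey: &priv.PublicKey}
	cdj := []byte(`{"type":"webauthn.get","challenge":"` + exampleChallenge + `","origin":"` + exampleOrigin + `"}`)
	ad, sig := fakeAuthenticator(priv, exampleRPID, flagUserPresent|flagUserVerified, 1, cdj)
	fmt.Println("genuine login:", VerifyAssertion(cred, exampleRPID, exampleOrigin, exampleChallenge, ad, cdj, sig, true))
	fmt.Println("replayed login:", VerifyAssertion(cred, exampleRPID, exampleOrigin, exampleChallenge, ad, cdj, sig, true))
}
```

The order of the checks matters in practice: the origin comparison is what stops a phishing site from relaying a genuine assertion, and the counter check is the only signal a relying party gets that a key has been cloned, so neither should be skipped just because the signature verifies.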


By implementing these solutions, you can address the following NIST SP 800-171 requirement families:

  1. Access Control (3.1) and Physical Protection (3.10) (Idemia Enterprise Security Physical Access Control Reader)
  2. Identification and Authentication (3.5) (Identiv uTrust FIDO2 NFC Security Key)
  3. System and Communications Protection (3.13) (ActivClient)

Keep in mind that the hardware is only part of each requirement: the enrollment, MFA policy and monitoring around it still have to be configured and documented in your system security plan.

For more information regarding the specific requirements for the different information types, you can locate them in the NIST publication.

Tx Systems offers a variety of security solutions that can help your company meet NIST 800-171 requirements. Learn more at txsystems.com or feel free to send us an email at sales@txsystems.com.

This blog post was a collaboration between Carl Hughes and Brenda Sayab.