NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

When President Obama signed Executive Order 13636 (EO), Improving Critical Infrastructure Cybersecurity, he directed the National Information Technology Laboratory (NIST) to act. The actions it calls for are broad and aimed at greater cybersecurity resiliency in and around critical infrastructure in the United States.

Sec. 2. Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

The part of this EO discussed here is Sec. 8, Voluntary Critical Infrastructure Cybersecurity Program. Through this EO, NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, was activated. What is NIST 800-171, what does it mean for government contractors, and how can you comply?

Glad you asked! For any private company working on government contracts, the protection of Controlled Unclassified Information (CUI) represents new obligations that must be addressed. In essence, contracting officers will impose NIST requirements on vendors for protecting the confidentiality of CUI.

For non-federal contractors and vendors, there are multiple approaches and solutions for demonstrating compliance with these new guidelines, although there is no single compliance standard. The two most widely adopted are NIST Special Publication 800-53 and ISO 27001.

With the National Archives and Records Administration (NARA) issuing a federal regulation to make the requirements of Special Publication 800-171 mandatory government-wide, the time to choose a strategy and direction is right now if you are a government contractor. The forthcoming Federal Acquisition Regulation (FAR) will require contractors to meet the measures specified in 800-171, which will affect many government contractors. 800-171 is far-reaching, broad, and very detailed across fourteen families of cybersecurity requirements. Those families are as follows:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

327 Solutions is ready to support you immediately. Our team of Risk Management, Cyber Security, and DoD Policy experts can help assess your current state and recommend a plan of action (POA) to reach a compliant level through training and mentoring services.

327 Solutions is a global provider of ISO 27001 training and certification Bootcamps, helping teams address the broad implications of 800-171 quickly and efficiently. We have publicly available courses and are happy to come to your site anytime for private events. 327 Solutions, Inc. is The Agency for People and Talent Development™, supporting our clients’ success through placement, consulting, and training. Our team applies more than two decades of experience and know-how in contingent staffing (placement), design and build services (consulting), and facilitation services (training) that support a national client base in the Fortune 1000 and US Government Agencies. With a sharp focus on organizational people, process, and technology, we are able to bring forward the best resources, ideas, and solutions in the market for your workforce.