NIST SP 800-171 compliance is mandatory for any entity or service provider that processes Controlled Unclassified Information (CUI) on behalf of the US Federal Government. Because compromise of this data carries substantial national-security risk, and because supply chain attacks make such compromise likely, the range of organizations expected to comply with the standard is intentionally broad.
To support compliance with the security requirements of NIST SP 800-171, we’ve developed a checklist to accompany an information security program.
This checklist will help you evaluate your organization’s state of compliance and any critical deficiencies requiring immediate remediation.
Who is Expected to Comply with NIST 800-171
Compliance with NIST 800-171 is required, through federal contract clauses (for DoD contractors, DFARS 252.204-7012) and the CUI regulation (32 CFR Part 2002), for the following categories of entity:
- Service providers processing data for federal agencies.
- Government contractors and any other entity holding a federal contract.
- Department of Defense (DoD) contractors.
- Subcontractors at any tier that process federal information on behalf of a prime contractor.
- Healthcare data processors handling CUI from federal programs.
- Education entities with access to federal data (such as colleges and universities).
If your organization is expected to comply with NIST 800-171 and suffers a data breach, federal officials will likely investigate the event to determine the scope of damage to any CUI. That investigation will also establish your level of compliance at the time of the incident.
If it is determined that your organization’s efforts to protect CUI were insufficient, the following consequences could arise:
- Heavy federal penalties, in addition to the usual costs of a data breach.
- Liability under the False Claims Act for misrepresenting your compliance status.
- Termination of the federal contract.
- Suspension or debarment from future federal contracts.
What is CUI?
A closer look at the category of sensitive information this NIST standard protects will help you understand whether your organization is expected to comply.
CUI is information that the Federal Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or government-wide policy requires to be safeguarded or disseminated with controls, but that is not classified. At a high level, if your business handles any of the following on behalf of the federal government, you need to comply with NIST Special Publication 800-171.
- Electronic and paper records (CUI is defined by its content, not its medium)
- Proprietary information
- Designs and specifications
- Intellectual property
At a deeper level, the CUI Registry divides CUI into around 20 organizational index groupings. You may find that your organization maps to the industries behind some of these groupings, for example:
- Critical Infrastructure
- Export Control
- International Agreements
- Law Enforcement
- Natural and Cultural Resources
- North Atlantic Treaty Organization (NATO)
- Procurement and Acquisition
For a detailed description of the types of data within each grouping, refer to the CUI Registry maintained by the National Archives and Records Administration (NARA).
NIST 800-171 Compliance Checklist
The following checklist will help you track adherence to the security requirements of NIST 800-171. It will also help your security team prepare the documentation and compliance reports that assessors expect.
NIST 800-171 derives its security requirements from the FIPS 200 requirements and the moderate baseline of NIST SP 800-53, tailored for nonfederal systems; it is effectively a subset of that larger control catalog.
For a detailed breakdown of the individual NIST 800-53 controls mapping to each NIST 800-171 requirement, refer to Appendix D of NIST SP 800-171 Rev. 2, or to the mapping document published by the University of Cincinnati.
This checklist has been intentionally compressed from the complete (and overwhelming) list of 110 security requirements across 14 control families in NIST SP 800-171 Rev. 2 (Revision 3, published in 2024, consolidates these to 97 requirements across 17 families).
🔲 Identify all resources processing CUI.
🔲 Map the CUI data flow across your information technology ecosystem.
🔲 Perform internal and external risk assessments to discover potential vulnerabilities threatening the integrity and confidentiality of CUI.
🔲 Based on the security assessment results, define a Plan of Action and Milestones (POA&M) for every requirement that is not yet fully implemented.
🔲 Define a NIST compliance baseline and maturity pathway towards complete compliance.
🔲 Document and evaluate the CUI access requirements of all staff and third-party vendors.
🔲 Identify departments and personnel with access to CUI.
🔲 Implement access control policies to limit access to CUI.
🔲 Document all security policies, access records, and security controls in a System Security Plan (SSP); assessors treat the SSP and the POA&M as the primary evidence of compliance.
🔲 Where a DoD contract requires it, obtain the Cybersecurity Maturity Model Certification (CMMC) level the contract specifies; under CMMC 2.0, Level 2 corresponds to the 110 NIST 800-171 requirements.
🔲 Align your overall security program with the NIST Cybersecurity Framework (CSF).
🔲 Create an Incident Response Plan that prioritizes the protection of CUI.
🔲 Run regular simulated incident drills (such as tabletop exercises) to test the Incident Response Plan and the integrity of the systems that hold CUI.
🔲 Run regular penetration tests to evaluate the resilience of all control families, including physical access points.
🔲 Enforce multi-factor authentication for all network access to the CUI environment and for all local and network access to privileged accounts (requirement 3.5.3).
🔲 Implement technical controls over CUI access and transit (boundary firewalls, proxy servers, and FIPS-validated cryptography for CUI at rest and in transit, as requirement 3.13.11 demands).
🔲 Implement awareness training explaining the role of personnel security in achieving NIST compliance.
🔲 Implement a Vendor Risk Management (VRM) program to mitigate CUI compromise from supply chain attacks.
🔲 Implement configuration management (baseline configurations, change control, and least functionality) to prevent software exposures and data leaks.
🔲 Implement media protection (encryption, access control, and sanitization before disposal or reuse) for all removable and portable media that hold CUI, including external hard drives.
🔲 Gather audit trail evidence to streamline assessor efforts.
NIST 800-171 Self-Assessment Checklist
🔲 Aggregate all implemented security policies, physical protection policies, and all solutions protecting Controlled Unclassified Information.
🔲 Aggregate data from previous audits and self-assessments.
🔲 Nominate an owner for each control family (for example, System and Communications Protection) who can report the status of that family’s controls on request.
🔲 Clearly define the lifecycle of all self-assessments (start and end point).
🔲 List all security controls and cybersecurity methodologies safeguarding CUI.
🔲 Keep stakeholders informed of the results of all self-assessments with executive reports.
🔲 Implement a solution that automates risk assessments to streamline both the self-assessment and the service provider assessment processes.