NIST 800-171 Compliance: What You Need to Know
If you supply or provide services (including consulting) for the Department of Defense, NASA, or other federal or state agencies, you need to meet NIST 800-171 compliance requirements.
Even if you don’t need to meet NIST 800-171 compliance requirements, it’s still a good idea to keep them in mind while building your cybersecurity strategy. After all, NIST data security standards highlight many vital data protection concepts.
So let’s take a look at NIST 800-171, its requirements, and how you can meet them.
What is NIST 800-171 Compliance?
NIST 800-171, created by the National Institute of Standards and Technology, is a common data security standard (like HIPAA or GDPR).
NIST 800-171 is a set of recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). CUI is one of the core concepts of NIST compliance: it is sensitive information that is not classified but is still essential and must be protected.
NIST covers a great variety of security requirements related to data management, encryption, auditing, risk assessment, and other vital cybersecurity issues. Following the NIST requirements allows you to run your company according to the highest data security standards.
NIST 800-171 Compliance Requirements
NIST 800-171 compliance requirements are aimed at keeping your CUI protected. To ensure compliance, it’s essential to follow the NIST 800-171 compliance checklist, which outlines the specific security requirements across fourteen families.
Here they are:
3.1 Access Control
3.2 Awareness and Training
3.3 Audit and Accountability
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.7 Maintenance
3.8 Media Protection
3.9 Personnel Security
3.10 Physical Protection
3.11 Risk Assessment
3.12 Security Assessment
3.13 System and Communications Protection
3.14 System and Information Integrity
These families consist of Basic and Derived security requirements. The number of requirements varies between families. You can read more about the requirements in the NIST Special Publication 800-171.
Following the NIST data security requirements helps prevent data loss, control insider threats, and address other cybersecurity challenges. But how do you implement all those requirements? Is there one specific way? Let’s take a look at this quote from the NIST publication:
Nonfederal organizations can implement a variety of potential security solutions, either directly or using managed services, to satisfy the security requirements. They may implement alternative, but equally effective, security measures to compensate for the inability to fulfill a requirement.
In a nutshell, you may choose how exactly to meet the security requirements, what measures to take, and what tools to use. It’s essential to ensure that your security measures are effective in protecting CUI.
To improve your data security, you can use additional cybersecurity tools. SpinOne is one of them. Below, you’ll find a list of NIST 800-171 Compliance requirements and how our solution helps you meet them.
How SpinOne Helps You Meet NIST 800-171 Compliance Requirements
SpinOne is a cybersecurity platform that protects your G Suite and Office 365 cloud data from data loss, ransomware, and other cyber threats. SpinOne helps you meet the following NIST 800-171 Compliance requirements.
Access Control
Requirement 3.1.22: Control CUI posted or processed on publicly accessible systems.
The SpinOne solution allows you to identify data that has been shared, intentionally or unintentionally, with external entities and terminate those entities’ access immediately.
Audit and Accountability
Requirement 3.3.5: Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
SpinOne Domain Audit functionality enables customers to review and analyze various critical security events within the domain, such as abnormal logins or sensitive data sent over email.
SpinOne security policies notify administrators when abnormal logins or brute-force attacks are detected.
Requirement 3.3.6: Provide audit record reduction and report generation to support on-demand analysis and reporting.
SpinOne Domain Audit functionality enables customers to review and analyze various critical security events within the domain, such as abnormal logins or sensitive data sent over email.
Configuration Management
Requirement 3.4.8: Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
SpinOne’s Risky App Audit allows customers to identify and blacklist risky applications that may cause data breaches or result in non-compliant processing or storage of sensitive data.
Requirement 3.4.9: Control and monitor user-installed software.
As soon as a user installs an app within the company’s Google domain, the Risky App functionality reviews the application to identify risks associated with its use.
Identification and Authentication
Requirement 3.5.7: Enforce a minimum password complexity and change of characters when new passwords are created.
SpinOne allows customers to disable Google login and use SpinOne login credentials in combination with 2FA. This feature protects the organization’s sensitive data if a user’s Google account has been compromised.
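Requirement 3.5.7 has two parts that are easy to conflate: a minimum complexity for every new password, and a minimum number of characters that must change relative to the previous one. The checker below is an added example (not SpinOne code) showing how both parts can be enforced at password-change time; the thresholds (12 characters, 3 of 4 character classes, at least 4 changed characters, measured as edit distance) are assumptions chosen for illustration, and an organization sets its own values in its policy.

```python
"""Password policy checker illustrating NIST SP 800-171 requirement 3.5.7.

Added example, not SpinOne code. MIN_LENGTH, MIN_CLASSES and
MIN_CHANGED_CHARS are assumed thresholds for illustration only.
"""
import string
from typing import List, Optional

MIN_LENGTH = 12          # assumed minimum password length
MIN_CLASSES = 3          # assumed: at least 3 of lower/upper/digit/symbol
MIN_CHANGED_CHARS = 4    # assumed: at least 4 characters must change


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character
    insertions, deletions or substitutions that turn a into b. Used to
    measure how many characters actually changed between old and new."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def check_new_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    violations: List[str] = []
    if len(new) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(new) < MIN_CLASSES:
        violations.append(f"uses fewer than {MIN_CLASSES} character classes")
    if old is not None:
        if new.lower() == old.lower():
            violations.append("same as the previous password (ignoring case)")
        elif edit_distance(new, old) < MIN_CHANGED_CHARS:
            violations.append(f"fewer than {MIN_CHANGED_CHARS} characters changed")
    return violations


if __name__ == "__main__":
    # Appending a few characters to the old password is the classic way users
    # defeat a "change your password" rule; the edit-distance check catches it.
    print(check_new_password("Tr0ub4dor&3xyz", old="Tr0ub4dor&3"))
    print(check_new_password("Correct-Horse-Battery9", old="Staple-Battery-1"))
```

The edit-distance check is what gives "change of characters" teeth: a user who appends three characters to the old password, or swaps the case of one letter, is rejected even though the new string is technically different. Note that the comparison needs the plaintext of the previous password at change time, which is available only during the change request itself, never from stored hashes.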
Incident Response
Requirement 3.6.1: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
The SpinOne solution helps customers comply with this requirement in several ways.
- Identify: SpinOne identifies security events such as abnormal logins, brute-force attacks, ransomware attacks, unauthorized access and data sharing, risky application installations, and sensitive data sent over email and notifies administrators.
- Respond: SpinOne terminates ransomware attacks and restores lost data. SpinOne provides several access management and audit features that help investigate incidents and minimize the impact.
Media Protection
Requirement 3.8.9: Protect the confidentiality of backup CUI at storage locations.
SpinOne customers’ data is encrypted and stored using the FIPS 140-2 validated AES-256 encryption algorithm.
Risk Assessment
Requirement 3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
SpinOne’s Risky App Audit allows customers to identify and blacklist risky applications that may cause data breaches or result in non-compliant processing or storage of sensitive data.
System and Communications Protection
Requirement 3.13.4: Prevent unauthorized and unintended information transfer via shared system resources.
The SpinOne solution allows customers to identify data they intentionally or unintentionally shared with external entities and terminate those entities’ access immediately.
Requirement 3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
All data managed by SpinOne is transmitted over SSL/TLS, ensuring the integrity and confidentiality of transmitted data.
Requirement 3.13.11: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI, and Requirement 3.13.16: Protect the confidentiality of CUI at rest.
SpinOne customers’ data is encrypted and stored using the FIPS 140-2 validated AES-256 encryption algorithm.
System and Information Integrity
Requirement 3.14.2: Provide protection from malicious code at appropriate locations within organizational information systems.
SpinOne Ransomware Protection for Google Workspace and Office 365 automatically identifies and blocks the source of a malicious attack, terminates the encryption process, and runs granular recovery of lost files from the last successfully backed-up version.
Requirement 3.14.6: Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
SpinOne Domain Audit functionality enables customers to review and analyze various critical security events within the domain, such as abnormal logins or sensitive data sent over email.
SpinOne security policies notify administrators when abnormal logins or brute-force attacks are detected.
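The two detections named here and under Requirement 3.3.5 (abnormal logins and brute-force attempts), together with the audit record reduction and report generation of Requirement 3.3.6, can be illustrated with a small correlation script run over login audit records. This is an added example, not SpinOne’s code: the log format, the sample events and the thresholds (five failures from one source within ten minutes; a successful login from a country never seen before for that user) are constructed assumptions.

```python
"""Audit record correlation and reduction illustrating NIST SP 800-171
requirements 3.3.5, 3.3.6 and 3.14.6.

Added example, not SpinOne code. The log format, SAMPLE_LOG and the
thresholds FAILURE_THRESHOLD / WINDOW are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple

FAILURE_THRESHOLD = 5          # assumed: failures before a source is flagged
WINDOW = timedelta(minutes=10)  # assumed: sliding window for those failures

# Constructed sample audit records: timestamp, user, source IP, country, result.
SAMPLE_LOG = """\
2024-03-01T09:00:05Z alice 203.0.113.7 US success
2024-03-01T09:01:10Z bob 198.51.100.9 US success
2024-03-01T09:02:00Z alice 203.0.113.7 US success
2024-03-01T09:10:00Z carol 192.0.2.44 BR failure
2024-03-01T09:10:07Z carol 192.0.2.44 BR failure
2024-03-01T09:10:15Z carol 192.0.2.44 BR failure
2024-03-01T09:10:22Z carol 192.0.2.44 BR failure
2024-03-01T09:10:30Z carol 192.0.2.44 BR failure
2024-03-01T09:10:41Z carol 192.0.2.44 BR failure
2024-03-01T11:30:00Z bob 198.51.100.9 US success
2024-03-01T11:45:00Z alice 192.0.2.200 RU success
"""


class Event(NamedTuple):
    ts: datetime
    user: str
    source: str
    country: str
    result: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed space-separated format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source, country, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, source, country, result))
    return events


def detect_brute_force(events: List[Event]) -> List[Tuple[str, str]]:
    """Flag (source, user) pairs with FAILURE_THRESHOLD or more failed logins
    inside a sliding WINDOW; correlation across records, as 3.3.5 asks."""
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    flagged: Set[Tuple[str, str]] = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.result != "failure":
            continue
        key = (ev.source, ev.user)
        window = failures[key]
        window.append(ev.ts)
        while ev.ts - window[0] > WINDOW:   # drop failures older than WINDOW
            window.pop(0)
        if len(window) >= FAILURE_THRESHOLD:
            flagged.add(key)
    return sorted(flagged)


def detect_abnormal_logins(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Flag successful logins from a country the user has never logged in
    from before (the first login for a user establishes the baseline)."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.result != "success":
            continue
        if seen[ev.user] and ev.country not in seen[ev.user]:
            findings.append((ev.user, ev.country, ev.source))
        seen[ev.user].add(ev.country)
    return findings


def reduce_records(events: List[Event]) -> Dict[str, dict]:
    """Audit record reduction (3.3.6): one summary row per user."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"success": 0, "failure": 0, "sources": set()})
    for ev in events:
        summary[ev.user][ev.result] += 1
        summary[ev.user]["sources"].add(ev.source)
    return {u: {"success": d["success"], "failure": d["failure"],
                "sources": sorted(d["sources"])} for u, d in summary.items()}


def build_report(text: str) -> dict:
    """On-demand report combining the findings with the reduced records."""
    events = parse_log(text)
    return {"brute_force": detect_brute_force(events),
            "abnormal_logins": detect_abnormal_logins(events),
            "summary": reduce_records(events)}


if __name__ == "__main__":
    for section, value in build_report(SAMPLE_LOG).items():
        print(section, value)
```

On the constructed sample, the six failures for carol from 192.0.2.44 within 41 seconds trip the brute-force rule, and alice’s success from RU after a history of US-only logins is reported as abnormal; the per-user summary is the reduced view an analyst would start an investigation from. A production version would read a real audit export and tune the thresholds, but the structure (parse, correlate within a window, baseline per user, reduce) is the same.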
Additional Information
You can read NIST 800-171 rev 2 here.
NIST 800-171 template can be found here.