How SpinOne Helps NIST 800-171 Compliance Requirements

If you supply or provide services (including consulting) for the Department of Defense, NASA, or other federal or state agencies, you need to meet NIST 800-171 compliance requirements. Even if you don’t need to meet NIST 800-171 requirements, it’s still a good idea to keep them in mind while building your cybersecurity strategy. After all, NIST data security standards highlight many vital data protection concepts. So let’s take a look at NIST 800-171, its requirements, and how you can meet them.

NIST 800-171 Overview

NIST 800-171, created by the National Institute of Standards and Technology, is a common data security standard (like HIPAA or GDPR). 

NIST 800-171 compliance is a set of recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). CUI is one of the core concepts of NIST compliance. Basically, CUI is sensitive information that is not classified but is still important and must be protected.

NIST covers a great variety of security requirements related to data management, encryption, audit, risk assessment, and other vital cybersecurity issues. Following NIST requirements allow you to run your company according to the highest data security standards. 

NIST 800-171 Compliance Requirements

NIST 800-171 compliance requirements are aimed at keeping your CUI protected. The requirements are divided into fourteen groups, called families.

Here they are:

3.1 Access Control

3.2 Awareness and Training

3.3 Audit and Accountability

3.4 Configuration Management

3.5 Identification and Authentication

3.6 Incident Response

3.7 Maintenance

3.8 Media Protection

3.9 Personnel Security

3.10 Physical Protection

3.11 Risk Assessment

3.12. Security Assessment

3.13 System and Communications Protection

3.14 System and Information Integrity

These families consist of Basic and Derived security requirements. The number of requirements varies between families. You can read more about the requirements in the NIST Special Publication 800-171.

Following the NIST data security requirements helps you prevent data loss, control insider threats, and address other cybersecurity challenges. But how do you implement all those requirements? Is there one specific way? Let’s take a look at this quote from the NIST publication:

“Nonfederal organizations can implement a variety of potential security solutions, either directly or using managed services, to satisfy the security requirements and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a requirement.”

In a nutshell, you may choose how exactly to meet the security requirements, what measures to take, and what tools to use. It’s essential to ensure that your security measures are effective in protecting CUI. 

To improve your data security, you can use additional cybersecurity tools. SpinOne is one of them. Below, you’ll find a list of NIST 800-171 requirements and how our solution helps you meet them.

How SpinOne Helps You Meet NIST 800-171 Compliance Requirements

SpinOne is a cybersecurity platform that protects your G Suite and Office 365 cloud data from data loss, ransomware, and other cyber threats. SpinOne helps you meet the following requirements.

Access Control

Requirement 3.1.22: Control CUI posted or processed on publicly accessible systems.

SpinOne solution allows you to identify data that was intentionally or unintentionally shared with external entities and to terminate those entities’ access immediately.

Audit and Accountability

Requirement 3.3.5: Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

SpinOne Domain Audit functionality enables customers to review and analyze various critical security events within the domain, such as abnormal logins or sensitive data sent over email.

SpinOne security policies notify administrators when abnormal logins or brute-force attacks are detected.

Requirement 3.3.6: Provide audit record reduction and report generation to support on-demand analysis and reporting.

SpinOne Domain Audit functionality enables customers to review and analyze various critical security events within the domain, such as abnormal logins or sensitive data sent over email. 

Configuration Management

Requirement 3.4.8: Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. 

SpinOne’s Risky App Audit allows customers to identify and blacklist risky applications that may cause data breaches or result in non-compliant processing or storage of sensitive data.   

Requirement 3.4.9: Control and monitor user-installed software.

As soon as a user installs an app within the company’s Google domain, The Risky App functionality reviews the application to identify risks associated with its use. 

Identification and Authentication

Requirement 3.5.7: Enforce a minimum password complexity and change of characters when new passwords are created.

SpinOne allows customers to disable Google login and use SpinOne login credentials in combination with 2FA. This feature protects the organization’s sensitive data when their Google account has been compromised. 

Incident Response

Requirement 3.6.1: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

SpinOne solution helps customers comply with this requirement in several ways.

1. Identify: SpinOne identifies security events such as abnormal logins, brute-force attacks, ransomware attacks, unauthorized data sharing, risky application installations, and sensitive data sent over email and notifies administrators. 
2. Respond: SpinOne terminates ransomware attacks and restores lost data. Additionally, SpinOne provides several access management and audit features that help investigate incidents and minimize the incident impact.

Media Protection

Requirement 3.8.9: Protect the confidentiality of backup CUI at storage locations.

SpinOne customers’ data is encrypted and stored using FIPS 140-2 validated AES-256 encryption algorithm.  

Risk Assessment 

Requirement 3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

SpinOne’s Risky App Audit allows customers to identify and blacklist risky applications that may cause data breaches or result in non-compliant processing or storage of sensitive data.   

System and Communications Protection

Requirement 3.13.4: Prevent unauthorized and unintended information transfer via shared system resources.

SpinOne solution allows customers to identify data that they intentionally or unintentionally shared with external entities and to terminate that entity’s access immediately. 

Requirement 3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

All data managed by SpinOne is transmitted using SSL protocol, ensuring the integrity and confidentiality of transmitted data.

Requirement 3.13.11: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI, and Requirement 3.13.16: Protect the confidentiality of CUI at rest.

SpinOne customers’ data is encrypted and stored using FIPS 140-2 validated AES-256 encryption algorithm.  

System and Information Integrity

Requirement 3.14.2: Protect malicious code at appropriate locations within organizational information systems. 

SpinOne Ransomware Protection for Google Workspace (G Suite) and Microsoft 365 automatically identifies and blocks the source of a malicious attack, terminates the encryption process, and runs granular recovery of lost files from the last successfully backed-up version.

Requirement 3.14.6: Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks

SpinOne Domain Audit functionality enables customers to review and analyze various critical security events within the domain, such as abnormal logins or sensitive data sent over the email.

SpinOne security policies notify administrators when abnormal logins on brute-force attacks are detected.