NIST introduced SP 800-171 in 2015. It is the standard for protecting controlled unclassified information (CUI) in nonfederal systems. There have been two major revisions (revision 1 in 2017 and revision 2 in 2020). NIST scheduled the final publication for revision 3 in early 2024.
LINKS: etactics.com/blog/nist-sp-800-171-vs-800-53
NIST SP 800-171 Rev 2 contains 110 security requirements. NIST derived these requirements from two source publications: Federal Information Processing Standards Publication 200 (FIPS 200) and the moderate security baseline from Special Publication 800-53 Rev 4. Let's break down NIST SP 800-171's basic requirements, derived security requirements, assumptions, security requirement families, applicability, assessment, assessment procedures, assurance cases, and determination procedures.
First, Basic requirements.
NIST incorporated the basic requirements from FIPS 200. Out of the 17 security requirements in FIPS 200, NIST included 14 in SP 800-171. These requirements cover seventeen security-related areas: access control; awareness and training; audit and accountability; certification, accreditation and security assessments; configuration management; contingency planning; identification and authentication; incident response; maintenance; media protection; physical and environmental protection; planning; personnel security; risk assessment; systems and services acquisition; system and communications protection; and system and information integrity. NIST tailored three of these areas out of SP 800-171: contingency planning, planning, and systems and services acquisition. NIST included the remaining specifications as basic security requirements within NIST SP 800-171. For example, here are the first four requirements from FIPS 200. [image]
Second, Derived Security Requirements.
NIST derived the other requirements by tailoring the SP 800-53B moderate security baseline. This tailoring focused on protecting CUI from unauthorized disclosure in nonfederal systems. Appendix E of SP 800-171 specifies the tailoring actions: removing controls not related to protecting the confidentiality of CUI, removing controls that are the responsibility of the Federal Government, and removing controls NIST assumed nonfederal organizations would implement without specification.
Third, Assumptions.
NIST states a few of its assumptions in this publication: Protection requirements for CUI are consistent regardless of where it resides. Safeguards implemented to protect CUI are consistent regardless of where the information resides. The confidentiality impact value for CUI is no less than FIPS 199 moderate. Nonfederal organizations already have systems and do not buy systems to handle CUI. Nonfederal organizations have safeguarding measures in place to protect their own information. Nonfederal organizations may use effective compensating controls. Many solutions exist to help nonfederal organizations meet these security requirements.
Fourth, Security Requirement Families.
NIST organized security requirements into fourteen families. Except for three, these aligned with the requirements described in FIPS 200. The table below lists the families of requirements: [image]
Fifth, Applicability.
The requirements apply to components of nonfederal systems that process, store, or transmit CUI. They also extend to components that provide security protection for such components. Organizations may limit the scope of applicability by isolating these components; isolation may be achieved through physical and logical architecture and design concepts.
Sixth, Assessment.
NIST SP 800-171A contains the assessment procedures for SP 800-171. Nonfederal organizations describe how they meet the requirements in a system security plan. The defined system boundary guides the scope of the assessment. The prescribed procedures assess the implementation and effectiveness of the security requirements.
Seventh, Assessment Procedures.
An assessment procedure consists of an objective and a set of methods and objects. Each assessment objective includes one or more determination statements linked to the requirement. The application of an assessment procedure produces assessment findings.
Much like I mentioned earlier, assessment methods include examine, interview, and test. The examine method involves analyzing assessment objects (specifications, mechanisms, activities).
► Reach out to Etactics @ etactics.com