In 2015, the National Institute of Standards and Technology (NIST) published updated security guidelines for nonfederal organizations in a document called NIST SP 800-171. The Department of Defense made compliance with these guidelines mandatory for all government contractors. The purpose of the new guidelines, NIST writes, is to “ensure that sensitive federal information remains confidential when stored in nonfederal information systems and organizations.” NPI Services, Inc. has undertaken a thorough review of all its systems to become NIST SP 800-171 compliant, but what exactly does compliance mean?
Areas of Compliance
NIST SP 800-171 specifically applies to two types of data: Controlled Technical Information (CTI) relating to military and space applications and Controlled Unclassified Information (CUI) relating to personal and financial data, court records, and other sensitive information that does not require a high security clearance to view. Each company and agency that contracts with the federal government must evaluate and document their compliance with security protocols in the following 14 areas:
- Access Control (Who is authorized to view this data?)
- Awareness and Training (Are people properly instructed in how to treat this info?)
- Audit and Accountability (Are records kept of authorized and unauthorized access? Can violators be identified?)
- Configuration Management (How are your networks and safety protocols built and documented?)
- Identification and Authentication (What users are approved to access CUI and how are they verified prior to granting them access?)
- Incident Response (What’s the process if a breach or security threat occurs, including proper notification?)
- Maintenance (What timeline exists for routine maintenance, and who is responsible?)
- Media Protection (How are electronic and hard copy records and backups safely stored? Who has access?)
- Physical Protection (Who has access to systems, equipment and storage environments?)
- Personnel Security (How are employees screened prior to granting them access to CUI?)
- Risk Assessment (Are defenses tested in simulations? Are operations or individuals verified regularly?)
- Security Assessment (Are processes and procedures still effective? Are improvements needed?)
- System and Communications Protection (Is information regularly monitored and controlled at key internal and external transmission points?)
- System and Information Integrity (How quickly are possible threats detected, identified and corrected?)
What Systems are Covered by NIST SP 800-171?
Federal contractors are required by the Department of Defense to use covered information systems, defined by NIST as “an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores or transmits covered defense information.” Covered systems range from FTP and email to content management platforms, on-premises and cloud storage, collaboration platforms, and laptops, tablets, and smartphones. All such systems must keep records of authorized users, detail the roles and functions of all users, and enable auditing procedures.
Why Is NIST SP 800-171 Significant?
Before the new guidelines, organizations all had their own sets of rules for handling and securing sensitive data, which presented a number of security concerns when the information was shared with federal agencies. With the growing number of threats targeting personal and financial data, the situation posed a particular problem for the government and its contractors. NIST SP 800-171 brings federal agencies and contractors in line with protocols that are consistently revised and updated to meet the latest threats to security.
Compliance with NIST SP 800-171 is just one facet of our commitment to quality for all our customers, both within and beyond the realm of national defense. Call NPI Services, Inc. or contact us directly using the sidebar for more information or to request a quote. We offer prompt, secure services to meet all your electronic manufacturing service needs with the ease of one PO.