NIST 800-171 and NIST 800-53 are two key publications outlining cybersecurity requirements for government agencies, contractors, and subcontractors. However, figuring out how to comply with the guidelines recommended in these long publications from the National Institute of Standards and Technology can be overwhelming. It’s no surprise that many people have questions about what these publications are and what cybersecurity measures they recommend.
We’ll get to some commonly asked questions about NIST 800-171 and NIST 800-53. But first, let’s look at some common questions about the data that many of NIST’s compliance standards were designed to protect – CUI.
The U.S. government defines CUI as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.” That’s a long way of saying that CUI, or Controlled Unclassified Information, is data that while not classified, is still sensitive enough to require protection. This could mean anything from a government contract to plans for an aircraft carrier.
A wide variety of companies can be entrusted with CUI. Generally, government contractors use this type of data, but many companies may have data that falls under the CUI umbrella without realizing it.
CUI is broken into 20 different categories, and these organizational index groupings are further broken into numerous subcategories. A look at these categories, listed below, may give you greater insight into whether or not your organization deals with CUI.
NIST SP 800-171 is a special publication outlining the steps that organizations should take to protect CUI. These controls should be adopted by any government contractor or subcontractor that uses CUI.
All organizations using CUI must align with the protocols outlined in NIST 800-171. This could mean government agencies, government contractors, and government subcontractors. Whether you realize you’re using CUI or not, you’re still responsible for implementing these compliance standards.
NIST 800-171 regulations were outlined to protect CUI and prevent data breaches that could compromise that CUI. If you fail to implement these cybersecurity controls, your organization, and you personally, could face serious consequences such as five- or six-figure fines, and even jail time. Fines this high could cripple your business. You could also face consequences if you work with a subcontractor who fails to comply with NIST standards.
The best way to comply with NIST standards is to familiarize yourself with the different cybersecurity measures outlined in this special publication. NIST organizes compliance steps into 14 different cybersecurity categories:
Each category includes different steps you should take to protect your data. In addition to familiarizing yourself with the publication, you can also adopt a secure file sharing solution, ideally one that offers NIST compliance measures. This type of solution will protect your data with security measures that meet NIST requirements.
This special publication outlines the security measures that should exist in any information solution used by an organization housing government data. The goal of NIST 800-53 is to ensure that all information solutions housing classified and sensitive data have the appropriate data security measures in place.
While both of these publications share a similar goal of keeping data secure, they provide guidelines focused on two different areas to accomplish that goal. NIST 800-171 focuses on how CUI is handled and the measures that should be in place to ensure it is handled appropriately. NIST 800-53 instead focuses on the information solutions storing classified data and what security measures these solutions should have in place to ensure data is protected.
NIST 800-53 provides an organized list of features that information solutions should have and policies that should be in place to ensure data is secure. Similar to the cybersecurity categories outlined in NIST 800-171, these control families offer guidelines organizations can follow to ensure they are maintaining compliance.
The 18 control families outlined in NIST 800-53 are:
Under each of these control families, the publication outlines the steps you can take and the features you should implement to ensure the information solutions you’re using are compliant with NIST 800-53.
In the same way that reading and becoming familiar with NIST 800-171 can help you comply with that set of regulations, you can use the same strategy when it comes to NIST 800-53 compliance. Before you can meet data security requirements, you have to understand what is required.
It is also your responsibility to choose cloud service providers that meet these requirements. One place to start is with a secure file sharing solution, especially one that complies with both NIST 800-171 and 800-53 policies. You will feel confident that the solution you’re using meets the appropriate security standards and your CUI is adequately protected.
Do you want additional help with your cybersecurity compliance efforts? Download this DFARS checklist now.
Founder of Sharetru (formerly FTP Today) and a respected voice in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.