August 14, 2019

    The Most Common FAQs on NIST 800-171 and NIST 800-53

    NIST 800-171 and NIST 800-53 are two key publications outlining cybersecurity requirements for government agencies, contractors, and subcontractors. However, figuring out how to comply with the guidelines recommended in these long publications from the National Institute of Standards and Technology can be overwhelming. It’s no surprise that many people have questions about what these publications are and what cybersecurity measures they recommend.

    We’ll get to some commonly asked questions about NIST 800-171 and NIST 800-53. But first, let’s look at some common questions about the data that many of NIST’s compliance standards were designed to protect – CUI.

    FAQs about CUI (Controlled Unclassified Information)

    What is CUI?

    The U.S. government defines CUI as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.” That’s a long way of saying that CUI, or Controlled Unclassified Information, is data that while not classified, is still sensitive enough to require protection. This could mean anything from a government contract to plans for an aircraft carrier.

    Who uses CUI?

    A wide variety of companies can be entrusted with CUI. Generally, government contractors use this type of data, but many companies may have data that falls under the CUI umbrella without realizing it.

    What types of CUI exist?

    CUI is broken into 20 different categories, with these organization and index groupings broken into numerous subcategories. A look at these categories, listed below, may give you greater insight into whether or not your organization deals with CUI.

    • Critical Infrastructure
    • Defense
    • Export Control
    • Financial
    • Immigration
    • Intelligence
    • International Agreements
    • Law Enforcement
    • Legal
    • Natural and Cultural Resources
    • North Atlantic Treaty Organization (NATO)
    • Nuclear
    • Patent
    • Privacy
    • Procurement and Acquisition
    • Proprietary Business Information
    • Provisional
    • Statistical
    • Tax
    • Transportation

    FAQs about NIST SP 800-171

    What is NIST 800-171?

    NIST SP 800-171 is special publication outlining the steps that organizations should take to protect CUI. These protocols should be adopted by any government contractor or subcontractor that uses CUI. 

    Who must comply with NIST 800-171?

    All organizations using CUI must align with the protocols outlined in NIST 800-171. This could mean government agencies, government contractors, and government subcontractors. Whether you realize you’re using CUI or not, you’re still responsible for implementing these compliance standards. 

    What happens if you don’t comply with NIST 800-171?

    NIST 800-171 regulations were outlined to protect CUI and prevent data breaches that could compromise that CUI. If you fail to implement these cybersecurity protocols, your organization, and you personally, could face serious consequences like five or six-figure fines, and even jail time. Fines this high could cripple your business. You could also face consequences if you work with a subcontractor who fails to comply with NIST standards

    How do you comply with NIST 800-171?

    The best way to comply with NIST standards is to familiarize yourself with the different cybersecurity measures outlined in this special publication. NIST organizes compliance steps into 14 different cybersecurity categories:

    • Access Control
    • Audit and Accountability  
    • Awareness and Training 
    • Configuration Management  
    • Identification and Authentication 
    • Incident Response 
    • Maintenance  
    • Media Protection  
    • Personnel Security 
    • Physical Protection 
    • Risk Assessment 
    • Security Assessment  
    • System and Communications Protection 
    • System and Information Integrity 

    Each category includes different steps you should take to protect your data. In addition to familiarizing yourself with the publication, you can also adopt a secure file sharing solution, ideally one that offers NIST compliance measures. This type of solution will protect your data with security measures that meet NIST requirements.

    FAQs about NIST SP 800-53

    What is NIST SP 800-53? 

    This special publication outlines the security measures that should exist in any information solution used by organization housing government data. The goal of NIST 800-53 is to ensure all information solutions housing classified and sensitive data have the appropriate data security measures in place. 

    How do NIST 800-171 and NIST 800-53 differ?

    While both of these publications share a similar goal of keeping data secure, they provide guidelines focused on two different areas to accomplish that goal. NIST 800-171 focuses on how CUI is handled and the measures that should be in place to ensure it is handled appropriately. NIST 800-53 instead focuses on the information solutions storing classified data and what security measures these solutions should have in place to ensure data is protected. 

    What are the NIST 800-53 control families?

    NIST 800-53 provides an organized list of features information solutions should have and policies that should be in place to ensure data is secure. Similar to the cybersecurity categories outlined in NIST 800-171, these control families offer guidelines organizations can follow to ensure you’re maintaining compliance.

    The 18 control families outlined in NIST 800-53 are:

    • Access Control
    • Audit and Accountability
    • Awareness and Training
    • Configuration Management
    • Contingency Planning
    • Identification and Authentication
    • Incident Response
    • Maintenance
    • Media Protection
    • Personnel Security
    • Physical and Environmental Protection
    • Planning
    • Program Management
    • Risk Assessment
    • Security Assessment and Authorization
    • System and Communications Protection
    • System and Information Integrity
    • System and Services Acquisition

    Multiple steps that can be taken and features that should be implemented to ensure the information solutions you’re using are compliant with NIST 800-53 are outlined under each of these control families. 

    How can you comply with NIST 800-53?

    In the same way that reading and becoming familiar with NIST 800-171 can help you comply with that set of regulations, you can use the same strategy when it comes to NIST 800-53 compliance. Before you can meet data security requirements, you have to understand what is required.

    It is also your responsibility to choose cloud service providers that meet these requirements. One place to start is with a secure file sharing solution, especially one that complies with both NIST 800-171 and 800-53 policies. You will feel confident that the solution you’re using meets the appropriate security standards and your CUI is adequately protected. 

    Do you want additional help with your cybersecurity compliance efforts? Download this DFARS checklist now.

    Tag(s): Government

    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.

    Other posts you might be interested in

    View All Posts