March 13, 2019

    6 Steps to Implement NIST 800-171 Requirements

    Has your company taken steps to be compliant with NIST 800-171 regulations? December 31, 2017 was the deadline for companies to be compliant and implement NIST 800-171 requirements. However, many companies may have missed the deadline or have only met some of the compliance requirements, but not all.

    Before you can be NIST 800-171 compliant, you need to know more about the goals of this regulation, what it pertains to, and what steps you should take to comply with these regulations.

    First, it’s important to know what NIST 800-171 is. This is a set of government regulations designed to keep controlled unclassified information (CUI) secure. CUI is any unclassified, but sensitive, information from the U.S. government. This information is shared with government agencies, government contractors, and subcontractors, and it could include anything from financial information to product patents.

    Why is it important to protect this data and implement NIST 800-171 requirements? CUI can be a valuable prize for hackers, and companies that NIST 800-171 applies to can be common prey for data breaches. If your company experiences a data breach and is noncompliant with NIST 800-171 regulations, you could be subject to serious noncompliance fines that could reach into the millions of dollars. If you want to avoid these risks, you need to take action to comply with NIST 800-171 guidelines for data security.

    Below are six steps you can take to ensure that your CUI is protected and your organization has adequately implemented NIST 800-171 requirements.


    1. Locate and Identify CUI

    The first step toward implementing NIST 800-171 requirements is identifying which systems and solutions in your network store or transfer CUI. When you identify these systems, you can focus specific attention on their security. Which systems could hold CUI? While the answer could vary from company to company, there are a variety of places CUI could be stored, including:

    • Local Storage Solutions

    • Cloud Storage Solutions

    • Endpoints

    • Portable Hard Drives or Devices


    2. Categorize CUI

    Once you’ve located the systems and solutions in which CUI is stored, you should split the data into two categories – data that falls under the umbrella of controlled unclassified information and data that does not. While it’s important to keep all your data secure, you may want to streamline how you implement NIST 800-171 requirements by protecting the most sensitive data first. In the event of an audit, it’s most important that CUI is protected and you’re able to demonstrate that you have done so. You can always return to your data security efforts later to implement measures that protect all data, not just CUI alone. By categorizing your data, you can limit the amount of time and effort required to secure CUI.


    3. Implement Required Controls

    After locating and separating CUI from your other, non-sensitive data, you’re ready to implement the controls needed to encrypt all files, both in transit or at rest. Encrypting data helps you align with NIST 800-171 standards mandating that CUI is protected, and these required controls work to keep unauthorized users at bay. Be sure to encrypt CUI wherever it is stored, especially on your file sharing and storage solutions, and your local hard drives.

    It’s also important that you use solutions that provide controls to prevent unauthorized users from accessing CUI. For example, a secure file sharing solution give administrators the power to control who can import, export, edit, and delete files. This ensures you’re controlling CUI access.


    4. Train Your Employees

    Now that you have controls in place to provide data protection, it’s important that your employees are fully trained on how to use and transfer CUI in a way that aligns with NIST 800-171 standards. Because your employees are the ones sending and receiving CUI each day, it’s imperative that they’re aware of how to securely share and store data.

    Also, training should not be a one-time practice when you implement NIST 800-171 requirements. Some companies may inform employees about compliance regulations when they are hired, but fail to revisit these regulations in the future. In the event of an audit excuses like “I forgot” or “I didn’t know” won’t help you avoid a fine. Regularly communicate to your employees any changes to your compliance processes, and remind them of the processes they should be aligning with currently.


    5. Monitor Your Data

    Implementing NIST 800-171 requirements and training your employees is only the first step. You also need to monitor who is accessing your CUI and for what purpose. You need to adopt a solution that has the ability to record all user activities. To be NIST 800-171 compliant, you should ensure that every action can be traced back to an individual user. Task administrators with overseeing the monitoring process, and create procedures around monitoring that work best for your business.


    6. Assess Your Systems and Processes

    Finally, when you implement NIST 800-171 requirements, you should conduct a security assessment, looking closely at all your systems and processes to identify the potential for noncompliance risk. This assessment should be done on a regular basis, either quarterly or annually, to ensure that current processes will continue to protect CUI.

    For example, if your company grows or you adopt a new solution, you should assess how these changes will impact your data security processes and policies. Also, as hackers develop more sophisticated methods of data theft each day, you will need to update your security measures to keep up with new threats.

    Using these steps, you can ensure that both your systems and your business processes are compliant with NIST 800-171, protecting your CUI and mitigating the risks of noncompliance fines. One last step is an important one to consider: adopt a file sharing solution that aligns with NIST 800-171 compliance mandates.

    While you could do all the work to keep your CUI secure and implement NIST 800-171 requirements yourself, using a compliant file sharing solution can significantly cut down on the amount of work you have to do to be in compliance with NIST 800-171. The file sharing vendor, an expert in compliant file sharing, provides a solution that is tailored to the needs of your organization. You have a secure place to store CUI and secure means of transferring that data to others. Instead of building a solution yourself or cobbling file sharing processes together using multiple solutions and security measures that lack uniformity, you can use a single solution to encrypt all of your data, whether it falls into the CUI category or not.

    As you evaluate different file sharing solutions for your organization, remember to make sure that the solution you choose is NIST 800-171 compliant. This will provide your organization with the most secure methods for sharing and storing CUI, and your implementation of NIST 800-171 requirements are sure to be successful.

    For government contractors it’s imperative that you align with DFARS regulations. Download this free guide outlining how to comply with DFARS.

    Tag(s): Government

    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.

    Other posts you might be interested in

    View All Posts