NIST SP 800-171 Assessment Checklist
If you are preparing for your NIST 800-171 assessment, this checklist will help you organize your thoughts, understand CMMC scoring, and more. Download it for free today.
What is the best thing to be working on in 2024 if you are a contractor who handles or stores CUI? Working on compliance with NIST SP 800-171. How do you become NIST 800-171 compliant?
As you prepare for your compliance journey, it is important to know there are 110 controls in the standard. These are divided into fourteen families:
You might be thinking some of these are similar to ISO 27001, and you would be correct. There are several parallels between the standards in terms of approach and structure. However, ISO 27001 focuses on information security management in general, while NIST 800-171 is focused specifically on the protection of Controlled Unclassified Information (CUI).
Assessing where your company is in terms of compliance is an important step to take before investing in an assessment. Do not be shy about contacting two C3PAOs (CMMC Third Party Assessment Organizations), one to help you prepare and another to do the actual assessment.
NIST makes available a spreadsheet outlining assessment procedures, and what it reveals is that no two companies are likely going to have the same compliance experience. For example, your assessment may reveal that your company needs to significantly increase employee training in CUI protection and proper handling. Another company, however, may need to address physical security and access concerns that could require an overhaul of how employees work. Some companies may find that becoming NIST 800-171 compliant will require large investments while others may already have a solid infrastructure in place that will not necessitate those expenses.
Although each of these standards covers a different niche, a company that is already ISO certified can get a good start on its NIST 800-171 journey.
ISO 9001 is an overarching quality management system standard. Among other benefits, this certification helps ensure that the company's management is fully engaged, which is necessary for NIST 800-171 compliance.
ISO 27001 builds on ISO 9001 with the information security management system (ISMS) structure. As mentioned previously, general information security should not be confused with CUI protection, but earning an ISO 27001 certification will cover a lot of the controls under the NIST 800-171 umbrella.
If you have any questions about your organization's current ability to comply with NIST 800-171, schedule a meeting today to talk to one of our cybersecurity experts.