COMMONLY ASKED QUESTIONS – NIST 800-171

Welcome back! We hope our Basic Guide to NIST 800-171 helped you understand what NIST 800-171 is, how it came about and why it is required.

To protect your organization from cyberattacks and security breaches, it is important to be NIST SP 800-171 compliant. All organizations that store or process sensitive but unclassified US government information must comply with this set of security requirements. By specifying cybersecurity requirements for the contractors who handle sensitive government information, the standard raises the security of the entire federal supply chain. Implementing these requirements, however, often leaves organizations with many questions. Here are a few of the questions surrounding NIST SP 800-171 that we are asked most often.

WHO HAS TO FOLLOW NIST 800-171 GUIDELINES?

At present this framework is directed at organizations in the Defense Industrial Base (DIB) that service the Department of Defense (DoD). They can be providers of all types, including healthcare providers, but the intent is to limit cyberattacks against companies that serve the defense department. To function smoothly, US government departments depend on a wide range of service providers and external organizations, and one of the most important functions these providers perform is storing and processing sensitive information on their own IT networks. External organizations that handle or transmit Controlled Unclassified Information (CUI) on behalf of the US government must follow NIST 800-171 so that this information is not leaked or exposed to cybercriminals. Healthcare data processors, defense contractors and financial services firms are among the organizations that handle such sensitive data.

System integrators, web and communication service providers, laboratories and research institutes that receive federal grants and information also need to comply with NIST 800-171, as do universities and colleges that make use of federal data.

THE CHECKLIST TO FOLLOW WHEN APPLYING FOR NIST 800-171

Your organization has to complete a self-assessment process to become NIST 800-171 compliant. Compliance is measured against 110 security requirements. This can seem like a tedious task, but once you know what the NIST 800-171 self-assessment requires, the process becomes manageable.

First, obtain buy-in from senior information security stakeholders and put together an assessment team. The team needs to draw up an assessment plan specifying its aims and a timeframe. Then start an internal communication campaign to create awareness of the project. Once awareness has been created, compile a contact list of the personnel involved and their responsibilities, including information security specialists and system administrators.

Once you have the contact list, gather the required documents. These include system records and manuals, administrator guidance documents, the security policies currently in place, previous audit logs and results, and system architecture documents. Examine each control and requirement in the NIST 800-171 document. After completing the assessment, record a statement for each requirement describing how it is met. Put together a plan of action showing how any requirements not yet met are going to be achieved. Lastly, collect all of the evidence for compliance in a System Security Plan (SSP) document.

STEPS TO SUCCESSFULLY IMPLEMENT NIST 800-171 REQUIREMENTS

The first step is to find and identify the systems that collect, store or transfer CUI. CUI can be found in cloud storage, local storage, portable hard drives and devices, and endpoints. The next step is to sort your data into two categories: data that is Controlled Unclassified Information and data that is not. Categorizing lets you prioritize protecting your most sensitive data so that, in the event of an audit, you can show that CUI has been safeguarded.

The next step is to implement the required controls to encrypt files both in transit and at rest. This makes it easier to align with NIST 800-171 requirements, which in turn safeguards CUI and keeps attackers and unauthorized users away from it. Following this, it is essential to train your employees to use, store and share CUI in a manner that meets the required standards. Make sure you also monitor who is accessing your data and systems and why. Once implementation is complete, carry out an assessment of how effective your security is. Completing this assessment gives you a better understanding of your existing procedures and whether your files are being safeguarded adequately. You can explore SureShield’s ComplyShield for a more comprehensive solution to minimize financial risk and address compliance issues. For more information and the latest updates on cybersecurity, follow us on Twitter and LinkedIn.
