A Complete NIST Compliance Checklist

A company’s security measures are essential for protecting its environment. Having a company with an unsecure network provokes fear that its data can be breached at any moment.

Even with the recent spike of data volume, many organizations still don't implement cybersecurity measures. Long term problems are bound to occur when one fails to adhere to proper compliance standards.

When an organization becomes aligned with the National Institute of Standards and Technology (NIST), security measures begin to operate with high function. NIST is a guideline structure that all companies who conduct business with the government must follow. 

NIST 800-171 Compliance Checklist

The most common NIST checklist to follow is classified under NIST 800- 171. The main focus of this structure is to verify all systems that come into effect and make sure they're protected under the CUI plan.

CUI is information that is not categorized as, "classified." When federal agencies need to address vast amounts of unclassified information processed by service providers, CUI becomes critical. 

Nist 800- 171 handles information from federal agencies and organizations that they share information with. It acts as a guide to guarantee that Controlled Unclassified Information is protected when used in non-federal information systems. This particular sector of a long-standing NIST framework came into effect January 1st, 2018.

Nist Controls

NIST 800-171 is composed of 109 controls tailored by NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

These controls are spread out into 14 families of requirements:

Access control, audit and accountability, awareness and training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.

NIST 800-171 plays a role when there is no governed law that addresses how federal government CUI should be protected. In addition, NIST functions in unison with other security regulations, such as the Federal Information Security Management Act of 2014 (FISMA). FISMA is a higher priority of compliance, and NIST is meant to support FISMA.

How to Become NIST Compliant
 

How can companies working with federal agencies become NIST 800-171 compliant? Here are a few ways:

Discover CUI

Organizations must first know whether or not they have CUI, if they are using it, and where it's saved. This allows for an easy audit of a company’s systems from their employees to 3rd party contractors.

Organizing areas of Data Loss Prevention solutions allow businesses to analyze networks from specific file types and compliance profiles for standards such as NIST 800-171.

Organize Your Data

After CUI is diagnosed, it must be separated into categories. There are twenty approved CUI categories under NIST 800-171, including defense and privacy. Each category has a separate set of standards for compliance, making organizing these parts of your network critical.

Operate a Security Assessment

All organizations have different security needs. This is based on their size, data storage, current security measures and many other factors.

The first step to designing a new security strategy is to assess existing security measures. By doing this analysis, a company discovers the strength of its existing policies, can plan defenses for current vulnerabilities, and implement efficient financial decisions when developing new strategies.

Install and Analyze Baseline Controls

Baseline controls are the groundwork for which companies build their NIST compliance efforts on. These controls cover all 14 control families listed in NIST 800-171 to be compliant.

Baseline controls center on security from outside threats. Tools like Endpoint Protection, Microsoft 365 email and password security, as well as recovery options cover this security framework.

After controls have been outlined, they need to be tested for effective operation. This testing is meant to assess potential blind spots that may leave room for a data breach.

Scheduled Risk Assessments

For ongoing compliance, companies should conduct regular risk assessments to verify its CUI is protected against new, emerging threats. When problems arise, organizations must take steps to solve them.

The environment is constantly inventing new ways to breach into and hack data. Security testing must be sustained with a level of diligence to counter this. 

Documentation

Companies must show proof of their willingness to comply with NIST 800-171 requirements through documentation. This is important in the case of a data breach. Obtaining the right evidence that the event didn’t occur due to neglected security efforts will be valuable in reducing and waiving fees in case of a breach.

Breach Response Plan

NIST 800-171 compliance provides a solid starting point for a company’s network. Although you may have a strong security network, cybersecurity strategy is constantly evolving.

New attack methods can exploit a company before policies have a chance to be updated. For this reason, response plans are a valuable part of any data protection strategy.

A data breach response means that in case a security incident occurs, organizations are ready to effectively address it in the shortest amount of time possible.

Establish an Awareness

After a security plan is implemented, companies must ensure that employees understand NIST 800-171 compliance requirements.

Organizations need to inform their personnel about the importance of following security rules and the consequences of non-compliance. It's crucial to explain the policies that are most applicable to their department and detail any policy changes to the employees.

Checklist of NIST 800- 171

• Access Control
• Awareness and Training
• Auditing and Accountability
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment
• System and Communication Protection
• System and Information Integrity
  
  

NIST Cyber Security Framework (CSF)

NIST began a new sector called Cybersecurity Framework (CSF) under the Cybersecurity Enhancement Act of 2014. Cybersecurity Framework defends against threats and supports businesses. The main users of CSF are U.S. private-sector owners and operators of critical infrastructure. The user base continues to expand out to communities.

Read here for more info on CSF to understand its impact on NIST Compliance. 

Is NIST Compliance Mandatory?

All agencies handling government data must be NIST-compliant. Here are a few examples: 

• Government staffing firms
• Academic institutions
• Manufacturers that sell to the government or federal resellers
• Consulting companies
• Service providers

NIST SP 800-53 Compliance Checklist

NIST Special Publication (SP) 800-53 establishes the best practices for implementing secure information systems to protect its data.

Published in 2005 to assist government agencies with FISMA (Federal Information Security Modernization Act), the publication has gone through several revisions over the years. NIST language can be applied to any organization that wants to strengthen its security protocols. 

NIST 800-53 helps organizations bump their risk management processes by providing them with a catalog of more than 1,000 guidelines and protocols as a resource. When these guidelines are in place, consequences are mitigated in the event of an active breach. 

800-53 Control Families

NIST SP 800-53 is an earlier version of NIST’s program 800-171, as previously described. 800-53 is a list of security protocols that helps safeguard information systems from a wide array of risks. These protocols are segmented into 20 different control families.

To stay compliant with NIST SP 800-53, these control groups are the most important to understand:

• Access Control (AC)
• Awareness and Training (AT)
• Audit and Accountability (AU)
• Assessment, Authorization, and Monitoring (CA)
• Configuration Management (CM)
• Contingency Planning (CP)
• Identification and Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Physical and Environmental Protection (PE)
• Planning (PL)
• Program Management (PM)
• Personnel Security (PS)
• Personally Identifiable Information Processing and Transparency (PT)
• Risk Assessment (RA)
• System and Services Acquisition (SA)
• System and Communications Protection (SC)
• System and Information Integrity (SI)
• Supply Chain Risk Management (SR)
  
  

Apply Minimum Controls

Each family in the 20 NIST 800-53 control families are applied through baseline controls. These are the basic security and privacy measures that must be implemented to protect information systems. 

Applying minimum controls will help an organization meet requirements of that specific control family. 

You can view, search, and download the controls directly from the NIST website.

NIST 800-171 Compliance

CUI is information created or owned by the government that is sensitive, but not classified. NIST 800-53 standards provide a roadmap of security to agencies as they implement information security systems that protect government information.

Compliance is mandatory for all federal information systems, except those related to national security. Its main priority is to protect against a variety of threats through a catalog of privacy and security controls.

NIST Compliance Requirements are the standards an organization must follow. The right protocol will depend on which NIST standards the organization is implementing.

Cybersecurity Framework and subsequent NIST standards all provide clear steps to follow, in order to create the security programs and controls that will ensure data security.
   

NIST Compliance with Datalink Networks

Building a foundation of security begins with compliance through NIST. It's essential for securing any cyber environment. The structures of NIST that apply most to companies are 800-171, 800-53 and Cybersecurity Framework (CSF).

Datalink Networks' team of compliance experts can ensure your business is up to date on the latest compliance standards. We specialize in NIST, ISO 27001, CCPA, HIPAA, GDPR, SOCII and DFARS.

To ensure that your business is compliant, Datalink Networks will conduct a security audit as a complementary service.  Our team of experts evaluate your IT processes, digging up areas that are often kept in the dark.  

After this evaluation, our team provides a strategic roadmap that best fits your needs. Accomplish all information security requirements along with finding the vulnerabilities within your infrastructure.

Contact us today for a complementary audit.