NIST SP 171 and CMMC From Expert CMMC Planning Advisory Perspective

Over the past few years you may have been hearing more about NIST SP 800-171 within your company. If your company is within the DIB (Defense Industrial Base) then you would have heard about this framework since 2010 when President Obama signed Executive Order 13556. This Executive Order mandates that all U.S. federal agencies safeguard CUI (Controlled Unclassified Information) more stringently. The intent was to provide a consistent method of sharing data and harmonzing policy across all agencies.

If you’re new to IT or a veteran techie and your company needs you to understand and implement the controls in the NIST SP 800-171, this article series will assist you in getting a better grasp on the subject. Even if it seems like a lot of information to absorb (and it is), anyone can learn about the core concepts of CMMC and if questioned about a particular control purpose, will be able to respond with great confidence after reading this series!

What is the purpose of NIST SP 800-171 and CMMC Audit?

The sole purpose of NIST SP 800-171 was to standardize how federal agencies can protect CUI. CUI is data that has been deemed private or sensitive but not classified under U.S federal law. CUI would not have anything extreme like codes to enter top secret facilities, but rather private contractual information or technical diagrams that need to be shared with the DIB in order to produce a product.

This framework is the guideline for the DIB to ensure that their cybersecurity controls are maintained at  mandated standards if they store, process, or transmit CUI. This framework applies to any contractor or partner that has a contract with:.

• The Department of Defense (DoD)
• Universities and Research Institutions supported by Federal Grants
• A Federal Agency to supply products that are not intended for public consumption, use, or release.

If any of the above applies to you, then it is safe to assume that there is CUI somewhere within your company and compliance against NIST SP 800-171 is stated within your contract, explicitly or implicitly. Meaning, the proper controls have to be put in place to safeguard it. If your contract has DFARS clause 252.204-7012, then you must be NIST SP 800-171 compliant.

At the end of the day, Non-Federal organizations describe in a System Security Plan (SSP) how the security requirements are met or how the organization plans to meet the requirements and address known and anticipated threats. The system security plan describes the following areas: the authorization boundary; data flow; how security requirements are implemented within the flow; and the relationships with, or connections to, other systems (interconnection agreements). Non Federal organizations develop plans of action & milestones (POA&Ms) that describe how non implemented security controls intend to be met and how any planned controls will be implemented in the future. Organizations can document the SSP and POA&Mas separate, or combined documents, and in any chosen format.

What is CUI?

“Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.” To simplify what that means is that it’s information that needs to have a data protection plan in place along with a plan to destroy it, via a NIST approved destruction method, when the time’s right.

Imagine a scale that ranks the level of each security clearance from the highest level being at the top and the lowest being at the bottom. CUI would fit just right at the bottom of that hierarchy scale. As you can imagine, the government is not going to send NSA resources to investigate a breach with a company dealing with CUI, but they will respond with an appropriate level of response, because that information is after all, Not Intended For Public Release.

Now the most common question Ignyte gets asked while working with our clients is “We don’t know what CUI is or what information will be considered CUI, so how do we prepare for it?” To answer this question you simply review your contracts. The government will tell you if there is CUI involved. If you are getting warnings about possible CUI in 2023 when CMMC becomes law, then use these tips to help get a better understanding of the potential CUI you may already have in your possession:.

• If you have a DoD contract, then there will most likely be CUI involved. The contract itself may contain information not intended for public release. Federal Contract Information or FCI, is a classification of CUI.
• If you know there is a DFARS clause in your contract, then there will be CUI.
• Not all ITAR is CUI, but if ITAR has 32 CFR Parts 120-130 stipulated in the contract, then it is CUI
• Not all Export Administration Regulation (EAR) is considered CUI, but if EAR has 15 CFR Parts 730-774 stipulated in the contract, then it is CUI

These are just some guidelines into the complex world of CUI that a trusted advisor like Ignyte, can help you navigate.

Controls, Controls, Controls!

The NIST 800-171 consists of 110 controls that are broken down into 14 control Families that all are specifically focused on Cybersecurity. The list below describes each security control family along with a brief description of what each one focuses on:.

1. Access controls: Who has access to data and whether or not they’re authorized to access it, and how they access it.
2. Awareness and training: Your staff should be adequately trained on the latest CUI handling and processing standards as well as cybersecurity hygiene.
3. Audit and accountability: Know who’s accessing CUI and what actions were performed. This is especially important for privileged user access (e.g., an administrator).
4. Configuration management: Follow established and recognized guidelines to maintain secure configurations (e.g., DISA STIGs, CIS Benchmarks, etc.).
5. Identification and authentication: Manage and audit all instances of CUI access. Who can access CUI, how they are uniquely identified, and what they can do with their access privileges.
6. Incident response: Continuously monitoring your CUI environment and responding to suspected incidents based on an established and tested incident response plan..
7. Maintenance: Ensure ongoing system, network, application, etc., security and t operational maintenance processes are in place and are being managed effectively via change management to safeguard CUI.
8. Media protection: Secure handling of backups, external drives, and backup equipment. This includes media marking based on CUI classifications.
9. Physical protection: Ensuring that only authorized personnel are allowed into physical spaces where CUI resides.
10. Personnel security: Train your staff to identify and prevent security vulnerabilities like insider threat, social engineering and phishing campaigns.
11. Risk assessment: Conduct risk assessments of your CUI environment based on industry standard risk management frameworks (e.g., NIST, ISO, etc.). Risk assessments result in an organizational risk profile that is managed via a risk register or Plan of Action & Milestones (POA&M).
12. Security assessment: consists of controls that protect the organization’s system development lifecycle and allocated resources. This includes development and configuration management controls, developer security testing and evaluation controls (e.g., static application security testing or SAST), and information system documentation controls (e.g., conceptual operations plan).
13. System and communications protection: secure your communication channels and systems so that only authorized transmissions and transfers of CUI are allowed and everything else is denied by default. Additionally, use FIPS 140-2 validated encryption for end to end transmission of CUI internally and externally).
14. System and information integrity: consists of controls for protecting the integrity of the system and its information, such as malicious code protection, security alerts, spam protection, flaw remediation, information system monitoring, and firmware and software integrity (e.g., penetration testing, vulnerability scans, etc.).

When you combine all 110 controls you essentially have a framework designed for the safeguarding and dissemination of CUI securely to meet today’s modern cyber security practices and regulations (e.g., the Cybersecurity Maturity Model Certification or CMMC).

How to get ready and How do I Implement NIST SP 800-171 Compliance Tooling?

In order to find out if you are NIST SP 800-171 compliant, you will need to hire a certified entity (e.g., Certified Third Party Assessment Organization or C3PAO) and pass an audit conducted by them. To pass this audit you will need to prepare for the necessary steps. Now it may seem daunting, but the process doesn’t need to be overly complex or time-consuming. Just remember to Keep It Simple! Here is a list to summarize what you should do to prepare.

• Identify your Scope: Find out what CUI may be in scope by reviewing your contracts. Documenting where CUI resides, who has access to it, where (and on what) it is transmitted, stored, and processed is the critical first step.
• Get your documentation all nice and neat: You’ll need to have documentation of all 110 controls that are in place in order to pass the audit. This is typically captured in a system security plan (SSP).
• Find the gaps in your controls: Perform an assessment against the set of NIST SP 800-171 controls and document what controls your organization is missing. .
• Plan and Remediate: Add the above documented “gaps” to your risk register, or POA&M, and start  addressing them based on risk and priority.
• Audit trail evidence: Identify the audit requirements you’ll be addressing based upon the 14 NIST 800-171 criteria as described above. And as you make changes towards compliance, you’ll want to produce audit-trail evidence validating what you’ve done.
• Submit your Score: If you already have existing contracts with the DoD then you are listed within the supplier Performance Risk System (SPRS) and have registered within the Procurement Integrated Enterprise Environment (PIEE). If not, you need to do so. As part of the new CMMC regulation you must complete a self assessment of your compliance to the NIST SP 800-171 controls and submit your scores so that they are reflected within the SPRS.

I believe I’m ready for an audit, now what?

This is a great question to ask prior to engaging a certified third party assessment organization (C3PAO) to perform your audit. Being compliant with the CMMC regulation ensures that you can continue to do business with the DoD and even pursue new opportunities, by demonstrating your cybersecurity posture for the protection of CUI. So, before engaging an auditor, test to make sure your controls are effective and implemented as intended by NIST SP 800-171.

One of the most effective ways to do this is to engage a trusted advisor who has experience and expertise in audit processes and examination of control environments. A pre-audit assessment enables you to go through the “audit process” without an authoritative report being completed. Areas that need to be addressed can be added to your POA&M, risk rated, and planned appropriately for completion. The assessment also prepares your organization and staff for the rigor of the audit process and the level of scrutiny needed to pass the actual audit.

This is where Ignyte can assist your organization in your compliance journey. Our experience and expertise has assisted hundreds of clients in addressing their audit and regulatory requirements. With their own compliance software platform, they can help the most distressed IT team to even a fully matured one reach their best capabilities.

Now that you have prepared for the audit, and decided on a trusted advisor you still may have questions about the NIST SP 800-171 like what is a good NIST score? The highest score possible for a NIST SP 800-171 DoD assessment is 110 and the lowest possible is -203. So ideally you want to have your score as close to 110 as possible. This NIST score is a reflection of your compliance with NIST SP 800-171 and your current security posture. What is deemed good will have to align with your contract. There are contracts that REQUIRE your NIST score to be 110, and there are some that don’t, so, it is important to know which ones do.