Find the Best Technology Mix for NIST 800-171 Compliance

Posted by: Mary Pat Simmons June 20, 2017 Compliance

Most organizations subject to NIST 800-171 requirements are well aware of them by now, and are working to be prepared. We will dig into more advanced topics about the standards in a later blog post. But for those just getting started, it might be helpful to start from the beginning.

So, why is all of this even necessary? What’s the best way to be ready? What technology is best?

First, let’s talk about why the NIST 800-171 requirement even exists. It’s all about compartmentalization of information. Think about the old adage, “Loose lips sink ships” – sharing or stealing information can lead to tremendous losses.

This risk resulted in the creation of different security classifications. Information that could cause damage by itself is classified “Secret/Top Secret” and must remain under the government’s control and on their systems at all times.

Now, however, we face increased threats of data loss and leakage. We recognize that even small pieces of information (quite literal when working with our manufacturing partners), need to be protected at all times.

NIST 800-171 focuses on this important, but not Top Secret, additional content, called Covered Defense Information (CDI). The controls required for CDI are similar, but they are focused on any contractor or subcontractor working to support the US Defense Department. Here are the 14 families of controls listed in the full NIST 800-171 publication:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical Protection
  • Personnel Security
  • Risk Assessment
  • Security Assessment
  • System & Information Integrity
  • System & Communications Protection


You probably have some of these areas covered within your current IT infrastructure, but we’ve seen organizations who are still working, after the warning in 2015 stating a December 2017 deadline, on implementing all of the controls.

In truth, you could build manual processes for all of these areas, but I’m not sure that having an employee manually add and remove permissions to contractors, suppliers, and customers is very efficient. And smaller subcontractors with only a few employees have no reasonable capability to support all of the maintenance required for technology solutions.

Each of the 14 families falls into one of three areas, each with different technologies required:

Protect your content
There are both physical and digital requirements to protect CDI content. While a lock provides security, you need a whole system if you want to know who locked and unlocked the door, and when it happened. The same principle applies when accessing infrastructure or productivity software. You can control access to systems and software with out-of-the-box capabilities, but you also must be able to audit and report access.

Luckily, there are many great physical and software monitoring solutions available. It is also possible to rely on a hosted or cloud solution which already has the physical and digital protections applied to their environment.

Know your users
It is no longer ok to just create a user name and password combination on your internal network. To truly know who your user is you must have a qualification process to access the information, and always require a second factor for authentication.

Depending on the sensitivity of content, the second factor may be a pin sent to a phone or a piece of hardware with a built-in security token. You can add on identity providers to your own network. Or, you can set up a completely separate authentication provider to allow for user management.

Track everything
Bottom line, to meet NIST 800-171 compliance controls, it’s not good enough to protect physical and digital access to content, or even to just know who your users are. Instead, you must be able to audit and report on each action that an individual takes. Fortunately, this data is not needed every day, but incidents do happen.

Typically there are separate systems that monitor physical access, infrastructure, and software performance. Then there are systems that correlate all of this data, but it’s an investment to purchase and configure each level of data collection. In addition a key clause within NIST 800-171 that requires a distinct incident response process. You must not only to gather all the data, but also interpret it and send it to the appropriate authorities quickly.

Are you ready?
Ready or not, the deadline is approaching. You can take a piecemeal approach, cobbling together different technologies to fit the gaps in your IT infrastructure. Or, you can trust solution providers like Exostar to provide the base level solution for you to rapidly meet control requirements.

It’s a big decision because it is a big risk: non-compliance means not being able to support government contracts. Which technologies will you trust to protect your business endeavors and keep you compliant?

Exostar customers are ahead of the game when it comes to NIST 800-171. You can learn more by downloading the replay of our webinar, Best Practices in Managing Supplier Compliance to NIST 800-171.