Credential Stuffing and NIST SP 800-171


Businesses face a growing number of vulnerabilities and adversarial tactics aimed at compromising the information they hold dear. The data entrusted to organizations in support of government contracts is of great value to those with malicious intent. While compliance with NIST SP 800-171 may be compulsory for your government contract, it also supports business goals for operational security and risk management.

What is Credential Stuffing?

Credential stuffing is an attack paradigm that capitalizes on the fallibility of people. We all have an ever-increasing collection of online accounts and access credentials, and as that number grows, our ability to keep track of them dwindles. What attackers have found is that a majority of users reuse the same account name and password on multiple sites to make logging in easier. Another contributing factor is the many compromises of user and password information in recent years, which together form a massive database of username and password combinations. From these resources, attackers attempt to use credentials from one site, perhaps an old Yahoo account, on a business account, such as a business email or file sharing service. And then, much too often, an unauthorized entity gains access to information they shouldn’t be allowed to see.
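The pattern described above has a recognisable signature in authentication logs: one source tries many different usernames, usually only once or twice each, because it is replaying leaked username/password pairs rather than guessing passwords for a single account. The following detector, added here as an example and not taken from the article or from Assured Bridge, scores each source address by the number of distinct accounts it attempted within a sliding time window and contrasts that with a classic single-account brute force. The log format, the field names and the sample lines are constructed for the example; the addresses are documentation ranges.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

Credential stuffing differs from password brute force: one source tries MANY
distinct usernames, typically once each, because it replays leaked
username/password pairs. A brute force hammers ONE username many times.
Scoring sources by distinct accounts attempted separates the two.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a hypothetical format (not from any real
# product): ISO timestamp, source IP, username and result.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:04Z src=203.0.113.5 user=dave result=SUCCESS
2024-05-01T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:06Z src=203.0.113.5 user=frank result=FAIL
2024-05-01T10:00:10Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:11Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:12Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:13Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:14Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:15Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:05:00Z src=192.0.2.9 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log text into a time-sorted list of (ts, src_ip, user, result)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return sorted(events)


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Return {src_ip: stats} for sources that tried >= min_users distinct
    accounts inside any window of the given length.

    The stats record which attempts succeeded; those are the accounts to
    escalate first, since a leaked password evidently still works there.
    """
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))

    flagged = {}
    for src, attempts in by_src.items():
        best = None
        start = 0
        for end in range(len(attempts)):  # sliding window over sorted attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            window_slice = attempts[start:end + 1]
            users = {u for _, u, _ in window_slice}
            if len(users) >= min_users and (
                best is None or len(users) > best["distinct_users"]
            ):
                best = {
                    "distinct_users": len(users),
                    "attempts": len(window_slice),
                    "succeeded": sorted(u for _, u, r in window_slice if r == "SUCCESS"),
                }
        if best:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {stats['distinct_users']} accounts in "
              f"{stats['attempts']} attempts; succeeded on {stats['succeeded']}")
```

On the sample data only 203.0.113.5 is flagged: it touched six accounts in six attempts and one of them succeeded. The source 198.51.100.7 made just as many failed attempts but against a single account, which is the brute-force shape and is better handled by per-account lockout or rate limiting than by this rule.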

Preventing compromise by following NIST SP 800-171 recommendations

There are certainly a number of operational security policies that help mitigate the threat of credential stuffing attacks. User cybersecurity awareness training and organization-wide use of password management systems are two. Multi-factor authentication (MFA) solutions also go a long way. Multi-factor authentication adds an additional verification item to the username and password combination: ‘something you have’, such as a security token or a one-time code. MFA features prominently in the National Institute of Standards and Technology Special Publication 800-171 control families for Identification and Authentication, and also Maintenance. While not directly required in the NIST guidelines, implementing MFA as often as possible, for as many services as possible, simply makes your business operations more secure. Most social media services now offer the option of MFA, as do major file sharing and financial services. The point being, even if an employee neglects account and password best practices, MFA adds that extra control that may be the difference between compromise and protection.
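To make the ‘something you have’ factor concrete, here is a server-side check of a time-based one-time code (RFC 6238 TOTP over RFC 4226 HOTP) placed after the password check, so that a correct password on its own, which is all a credential-stuffing attempt supplies, never grants access. This is an added example, not code from the article or from Assured Bridge. It assumes the per-user TOTP secret is stored server-side, that codes come from a standard authenticator app, and that one 30-second step of clock skew is tolerated; the secret and codes used are the published RFC 4226/6238 test vectors, and the user record, salt and password are constructed for the example.

```python
"""Password + TOTP second factor, as a defender would implement it (added example).

Assumptions not from the article: secrets stored server-side per user, a
standard authenticator app on the client, one step of clock skew tolerated.
The secret below is the RFC 4226/6238 test-vector secret, not a real one.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6
RFC_SECRET = b"12345678901234567890"  # published test-vector secret


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238) = HOTP over the number of time steps since the epoch."""
    return hotp(secret, unix_time // step)


def verify_totp(secret, submitted, unix_time, last_counter=None, window=1):
    """Accept a code for the current step or +/- `window` steps of skew.

    Returns (accepted, counter_used). Any counter not newer than the last
    accepted one is rejected, so a captured code cannot be replayed.
    """
    current = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, None


def make_record(password: str, totp_secret: bytes, salt: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus TOTP secret."""
    return {
        "salt": salt,
        "password_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "totp_secret": totp_secret,
        "last_counter": None,
    }


def login(record: dict, password: str, code: str, unix_time: int) -> str:
    """Check the password first, then require a fresh TOTP code.

    Distinct outcomes are returned here so the example is readable; a real
    login endpoint should respond uniformly to the client and keep the
    distinction in server-side logs only.
    """
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    if not hmac.compare_digest(derived, record["password_hash"]):
        return "denied"
    ok, counter = verify_totp(record["totp_secret"], code, unix_time, record["last_counter"])
    if not ok:
        return "mfa_required"   # leaked password alone gets no further than this
    record["last_counter"] = counter
    return "granted"


if __name__ == "__main__":
    user = make_record("correct horse", RFC_SECRET, salt=b"constructed-salt")
    print(login(user, "correct horse", "000000", 59))   # password right, code wrong
    print(login(user, "correct horse", totp(RFC_SECRET, 59), 59))  # both factors
```

The replay check matters in practice: a code that has already been accepted is refused even inside the skew window, so an attacker who captures a code alongside a reused password cannot present it a second time.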

Assured Bridge and MFA

Assured Bridge’s services utilize multi-factor authentication to ensure protection for customer and client access to provided services and your valuable information. Our own DevOps, administration and maintenance teams use MFA as well, to ensure the underlying infrastructure and support services are secured and protected. If your business operations include government requirements for protection of controlled unclassified information (CUI), or protection of other compliance-regulated data, fill out our contact form, send an email or give us a call. We’re available to help ensure your compliance and security objectives are met.

Referenced Information:

NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations


Daniel Bjorklund


With over 30 years of experience, Daniel Bjorklund is a dedicated information security practitioner, mentor and innovator. He serves as a principal vCISO at Assured Bridge, helping to mature and guide compliance-as-a-service and managed security service provider operations. He is also active in the startup and entrepreneurial communities in the Augusta, GA area, helping set firm cybersecurity foundations for new companies and efforts.

Dan is a current CISSP and holds a Master of Science degree in Information Assurance and Security and a Bachelor of Science degree in Information Technology. When not hunched in front of a computer, Dan can often be found above 3000 feet avoiding highway traffic, flying his airplane as a licensed pilot. He and his wife enjoy outdoor activities, biking, fishing and sightseeing in the Southeastern United States.
