
NIST SP 800-171 Control Families – Overview


For non-governmental organizations that do, or hope to do, business with the U.S. government, careful consideration must be given to whether controlled unclassified information is part of the specified contract work. Controlled unclassified information (CUI) is sensitive in nature and is restricted from public distribution. It is not classified information; rather, it consists of products or by-products of government contract work that have been deemed to deserve additional protection.

The protections required are outlined in NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. A link to this publication is included at the end of this article. The security controls to protect CUI are grouped into families. There are fourteen families, comprising just over 100 individual control measures. This article serves as a brief introduction to the control families. We’ll further explore each family and some of the specific security requirements in later articles.

Control families and a brief explanation of their purposes:

Access Control

            Ensuring only those personnel, accounts and system processes that require access to CUI have such access. Ensuring CUI is not released or exposed to those not approved to receive it. Often, we think of this as an information technology issue. However, protection of CUI hardcopy documents, prototypes and other artifacts may require physical security application as well.

Awareness and Training

            Provide appropriate training and skills to those charged with the protection of CUI. This should include periodic cybersecurity awareness training, and also system administration, maintenance and even programming skills for those responsible for handling CUI.

Audit and Accountability

            The contractor must know what CUI is maintained, where it is stored and processed, and by whom, when and where it is handled. Software, system and data inventories assist in accountability. System, event and access logs help to meet the audit requirements. Again, physical artifacts may require manual measures.

Configuration Management

            Each component and process of an IT system has a configuration that dictates how it operates. By standardizing and managing configurations, systems and software should perform in definable and measurable ways.

Identification and Authentication

            Employ measures that ensure authorized access is achieved only by those whose identities are confirmed and approved. These controls must be robust enough that they are not easily spoofed or faked, especially in remote access scenarios.

Incident Response

            In this day and age, a compromise or breach of some degree is inevitable; that’s the world we now live in. Creating and practicing a response plan helps to ensure the business can recover and resume operations.

Maintenance

            Hardware, firmware and software components of IT systems must be kept up-to-date to ensure vulnerabilities are addressed, holes patched, and subsystems keep functioning.

Media Protection

            Create policies for how physical media is handled, stored and transported. It must be labeled and protected from unauthorized access.

Personnel Security

            Systems and data are only as secure as the personnel with access to them. Ensure employees, contractors and vendors are properly vetted, authorized and approved.

Physical Protection

            Systems that contain CUI may be prone to theft or damage. Protections for portable workstations, laptops and mobile devices are critical, as well as appropriate security for servers and data storage areas.

Risk Assessment

            Periodically evaluate the risks to personnel, systems and information and review control measures for adequacy.

Security Assessment

            Periodically test and review security control measures, both logical and physical, to verify they meet objectives; refine and update as needed.

System and Communications Protection

            Further measures to protect CUI data from unauthorized exposure; encryption is an important consideration.

System and Information Integrity

            Making sure systems, and the data and information they process, are trustworthy and have not been maliciously or accidentally altered.

In reviewing the above families of controls, it is evident that achieving and maintaining compliance is a business effort, not just something for the IT team. Some controls require policy development while others are IT configurations; some are physical processes while others may be automated. All, however, require a plan and constant, cognizant oversight.

In future articles, we’ll delve into each of the control families and explore options for how they might be met.

Assured Bridge

Assured Bridge offers services and solutions to help small businesses meet their security and compliance objectives. Whether you need a fully compliant environment, or a trusted expert partner to advise and consult, we’re available to help.

Reference Links:

Assured Bridge

National Institute of Standards and Technology Special Publication 800-171 Rev1

Certified Information System Security Professional Daniel Bjorklund is the information assurance and cybersecurity subject matter expert for Assured Bridge LLC, a company specializing in cybersecurity compliance solutions. With over 20 years’ experience in U.S. military intelligence and security operations, plus significant involvement in government, commercial and private sector cybersecurity initiatives, Dan has comprehensive knowledge of today’s rapidly-evolving cyber-dependent world. A recently-licensed pilot and amateur radio operator, Dan lives with his wife in South Carolina.
Dan can be found on LinkedIn (https://www.linkedin.com/in/dbjorklundcissp/) and Twitter (https://twitter.com/IASE_at_large)