This document was updated and created to protect CUI – Controlled Unclassified Information for all government entities. So if you want to have a contract with the government you better have a plan in place. Due to Executive order 13556 (Nov 4, 2010), Controlled Unclassified Information program to standardize unclassified information and designated the NARA (National Archives and Records Administration).

Interesting to note all this standardization comes from a long list of departments in charge of classifying information. But the reality is there are many things similar to standards like PCI, COBIT 5, and others.

Notice that in 800-171 requires a Security Assessment:

  1. Assess security controls in the organization- are they effective?
  2. Develop and implement plans of action to fix deficiencies and reduce or eliminate vulnerabilities.
  3. Monitor security controls on an ongoing basis
  4. Develop, document, and periodically update system security plans that describe system environments as changes occur, system environments, how they are implemented, and relationships to other systems.

So essentially common sense security functions.

Anytime a change occurs (new device, moving, adding, subtracting) one has to re-evaluate security posture.

How about Risk assessment:

  1. Periodically assess risk to organizational operations(mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
  2. Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
  3. Remediate vulnerabilities  in accordance with risk assessments.

 

So if you look at the document – it just means what all respectable requirements have.

  1. Document and inventory your stuff.
  2. create risk assessments and impact assessments
  3. set up vulnerability scans
  4. remediate vulnerabilities!

 

 

 

Talk about change, the document 800-171 has recently been revised and updated, Both in February and June 2018:

  1. February: 16 editorial changes and 42 substantive
  2. June: 27 editorial changes and 5 substantive.

Most of the changes were deletions and some clarifications.

There is a change in authentication, now MFA(Multi Factor Authentication) is required instead of two-factor or regular password authentication.

Above is the section (Identification and Authentication) where MFA is shown.

If you need help in performing risk and security assessments Contact Us.

 

By zafirt

One thought on “NIST 800-171 rev1 (Updated 6/7/2018)”
  1. […] So needless to say if you are a small manufacturer  and sell stuff to the US government you will have to be compliant  or else…. what is the or else?  I surmise the or else is pretty bad, since there has been plenty of time for you to get on board of this new initiative . Admittedly it has been a chore to get through the NIST 800-171  documents up to now.  As I have discussed in June on this site. […]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.