NIST Compliance and Cybersecurity
The US National Institute of Standards and Technology (NIST) has published a series of information security standards - collectively known as the Special Publication (SP) 800 series - which impose a range of mandatory cybersecurity requirements on federal agencies and their suppliers.
In this document, we will consider two of them: NIST SP 800-53, which implements parts of the Federal Information Security Management Act 2002 (FISMA); and SP 800-171, which concerns cybersecurity requirements imposed on US federal suppliers and contractors under the Federal Acquisition Regulation (FAR), the Defense Federal Acquisition Regulation Supplement (DFARS), and the Cybersecurity Maturity Model Certification (CMMC).
What is NIST?
Known as the National Bureau of Standards until 1988, the National Institute of Standards and Technology (NIST) was founded in 1901 to modernize standardization, measurement and metric systems, and to bolster the competitiveness of the industrial and technological sectors in the US.
ImmuniWeb can help you comply with NIST SP 800-53 and SP 800-171 cybersecurity and data protection requirements. How We Help
Now a part of the US Department of Commerce, NIST is a non-regulatory federal body that runs several physical science laboratories:
- Communications Technology Laboratory (CTL)
- Engineering Laboratory (EL)
- Information Technology Laboratory (ITL)
- Center for Neutron Research (NCNR)
- Material Measurement Laboratory (MML)
- Physical Measurement Laboratory (PML)
In the cybersecurity industry, NIST is well known and respected for developing a broad variety of frameworks and guidelines dedicated to information security, ranging from regulated data classification to Internet of Things (IoT) security and privacy.
What is the NIST Special Publication 800 series?
In contrast to federal laws, such as HIPAA or GLBA, or to state laws, such as CCPA in California or the SHIELD Act in New York, NIST publications are not legally binding in their own right. However, by virtue of certain federal laws, regulations or executive orders, some of these publications are incorporated into specific legislation and may therefore be indirectly legally enforceable, as we will explain below.
The NIST Special Publication (SP) 800 series comprises a range of interrelated guidelines and frameworks developed by NIST’s Information Technology Laboratory (ITL). Most of the SP 800 publications address information security, data protection and privacy, and are primarily designed for US federal agencies, along with their contractors and suppliers.
Many of the publications are also widely leveraged and adopted by the private sector as well-regarded industry standards for cybersecurity. In its most recent publications, NIST purposely avoids mentioning “federal information systems” to emphasize their suitability for different industries and sectors of the economy. In the private sectors of many countries, compliance with the SP 800 series is frequently required from suppliers as a condition of their contracts.
Some US states have incorporated NIST SP 800 publications into their state legislation. For instance, Utah and Ohio enacted the so-called “safe harbor” state laws that, under certain circumstances, provide local entities with an affirmative defense in data breach lawsuits if they can prove compliance with NIST SP 800-171 or SP 800-53.
How does NIST SP 800-53 implement FISMA rules?
Updated in 2020 for the fifth time, SP 800-53 (“Security and Privacy Controls for Information Systems and Organizations”, currently SP 800-53 Rev. 5) sets out a comprehensive data protection and cybersecurity framework for federal agencies, as required by Title III (“Information Security”) of the Federal Information Security Management Act (FISMA) of 2002.
FISMA requires federal agencies to implement a cost-efficient and risk-based data protection program for their information systems and for external systems where federal information is stored or processed. The Act expressly mentions confidentiality, integrity and availability of federal data and mandates the “protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.” But rather than providing detailed technical guidance on how the covered governmental entities are supposed to achieve these goals and objectives, FISMA instructs and empowers NIST to develop that guidance instead. This resulted in SP 800-53, initially published in 2005 and revised five times since, most recently in 2020.
Under FISMA, compliance with SP 800-53 must be reported annually to the US Office of Management and Budget (OMB) by agency program officials or Chief Information Officers. The OMB then uses compliance reports in its oversight responsibilities and to prepare its own annual report to Congress on agencies’ compliance with FISMA.
In 2014, FISMA was amended by the Federal Information Security Modernization Act 2014. Changes included empowering the US Department of Homeland Security (DHS) to assist the OMB in the implementation and oversight of FISMA, and an update of data breach notification requirements imposed on federal agencies.
What is the NIST SP 800-53 checklist?
Part 3 (“The Controls”) of SP 800-53 comprises 20 sections with multiple subsections, dedicated to required security controls and their practical implementation:
3.1 Access Control
3.2 Awareness and Training
3.3 Audit and Accountability
3.4 Assessment, Authorization and Monitoring
3.5 Configuration Management
3.6 Contingency Planning
3.7 Identification and Authentication
3.8 Incident Response
3.9 Maintenance
3.10 Media Protection
3.11 Physical and Environmental Protection
3.12 Planning
3.13 Program Management
3.14 Personnel Security
3.15 Personally Identifiable Information Processing and Transparency
3.16 Risk Assessment
3.17 System and Services Acquisition
3.18 System and Communications Protection
3.19 System and Information Integrity
3.20 Supply Chain Risk Management
The publication brings a risk-based approach to the implementation and continuous monitoring of security controls, proportional and adequate to mitigate identified cyber threats. Being a fairly comprehensive framework, SP 800-53 requires a set of written policies and procedures to be properly maintained.
Specific requirements of SP 800-53 include regular vulnerability scanning and penetration testing (Section 3.5) to quickly identify and remediate security vulnerabilities, and the development, implementation and maintenance of a risk-based strategy to mitigate third-party risks in order to address growing supply chain attacks (Section 3.20).
How does NIST SP 800-171 implement FAR, DFARS and CMMC rules?
Updated in 2021 (and undergoing a further update in 2023), SP 800-171 (“Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”) is a comprehensive cybersecurity and data protection framework developed by NIST and designed to protect the so-called Controlled Unclassified Information (CUI), belonging to the US federal government, from growing supply chain attacks when stored or processed by third-party contractors.
Compliance with SP 800-171 is de facto mandatory for all vendors and contractors who wish to do business with the US government and federal agencies. Obligatory compliance is established and regulated by the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) for contractors of the federal government and the US Department of Defense (DoD) respectively.
While there is no express mention of SP 800-171 in FAR, its Section 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”) provides a set of mandatory security controls, taken from the NIST publication, which must be implemented by any government contractors and suppliers. In addition, many contracts may specifically mention SP 800-171 alongside other security requirements for vendors.
The situation is different in the case of DFARS, which is administered by the DoD and supplements FAR provisions for defense contractors. DFARS expressly introduces mandatory compliance with NIST SP 800-171 for DoD suppliers from the Defense Industrial Base (DIB), by virtue of DFARS Section 252.204-7012(b)(2) (“Safeguarding Covered Defense Information and Cyber Incident Reporting”). The Section unambiguously states: “the covered contractor information system shall be subject to the security requirements in NIST SP 800-171” and that the “contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.” Similar to PCI DSS CDE scoping, DFARS does not require the covered DoD contractors to flatly apply SP 800-171 security controls to the entirety of contractors’ IT systems - only to those which process, transmit or store CUI. But any exclusions from the scope must be performed with diligence, carefully documented and disclosed.
To ensure and enforce compliance with DFARS, in 2019 the DoD introduced the Cybersecurity Maturity Model Certification (CMMC), with the aim of externally auditing and certifying DoD contractors in relation to SP 800-171 compliance, alongside additional security requirements. To provide reasonable flexibility and implement a risk-based approach, CMMC currently* has five consecutive levels, with different numbers of security controls proportional to the sensitivity and volume of data that a contractor handles on behalf of the DoD. Level 1 requires implementation of just 17 security controls, while Level 5 demands 171 controls. Importantly, CMMC is closely intertwined with SP 800-171 and includes a considerable number of its security controls. Compliance with SP 800-171 does not automatically make an entity CMMC compliant - but it helps to facilitate and significantly speed up the overall CMMC compliance process.
*CMMC 2.0 was published in 2021, which will eventually result in updates to the original framework. Amongst various changes, it will reduce the number of compliance levels from five to three.
Mandatory CMMC certification is required by DFARS Section 252.204-7021 (“Cybersecurity Maturity Model Certification Requirement”) for all DoD suppliers and contractors, with some narrow exceptions. Compliance with the requisite CMMC level must be audited by a Certified 3rd Party Assessment Organization (C3PAO) prior to the commencement of any activity under the contract.
For federal contractors and suppliers, failure to conform with SP 800-171 or CMMC may lead to contract termination, payment of contractually stipulated damages, and further loss of governmental business or even a permanent ban from working with the government.
Revision 3 of SP 800-171 will make several updates, including:
- Reflecting the state-of-practice cybersecurity controls;
- Revising criteria used by NIST to develop security requirements; and
- Increasing specificity and alignment of the security requirements in SP 800-171 Rev. 3 with SP 800-53 Rev. 5, to help with implementation and assessment.
What is the NIST SP 800-171 checklist?
Part 3 (“The Requirements”) of SP 800-171 comprises 14 sections with numerous subsections that contain specific details and comments on how to implement the requirements:
3.1 Access Control
3.2 Awareness and Training
3.3 Audit and Accountability
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.7 Maintenance
3.8 Media Protection
3.9 Personnel Security
3.10 Physical Protection
3.11 Risk Assessment
3.12 Security Assessment
3.13 System and Communications Protection
3.14 System and Information Integrity
SP 800-171 introduces a risk-based approach to corporate cybersecurity programs. Subsection 3.11.1 sets out the foundational basis by requiring organizations to periodically assess the risk to organizational operations, organizational assets and individuals resulting from the operation of organizational systems and the associated processing, storage or transmission of Controlled Unclassified Information (CUI). The following subsection (3.11.2) directs organizations to scan for vulnerabilities in organizational systems and applications periodically and after any updates to the systems. Subsection 3.11.3 concludes with the instruction to remediate vulnerabilities in accordance with risk assessments.
Other publications in the SP-800 series
Currently, NIST has over 191 publications in its SP-800 series, including drafts and updates. Examples related to emerging cybersecurity and compliance trends are highlighted below.
SP 800-172 (“Enhanced Security Requirements for Protecting Controlled Unclassified Information”) provides additional security controls for organizations that wish to enhance their SP 800-171 compliance and build highly resilient systems. It is undergoing a second revision in 2023.
To support HIPAA-covered organizations, NIST published SP 800-66 (“Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule”), dedicated to the implementation of the Security Rule under HIPAA/HITECH. As of writing (September 2023), this guide is in the final stages of being updated, with key planned changes including:
- The development of additional resources for small regulated entities, including guides and use cases;
- Clarification on the meaning of the terms ‘risk analysis’ and ‘risk assessment’; and
- Improved mapping of the Security Rule’s standards and implementation specifications to applicable security controls detailed in NIST SP 800-53, to Cybersecurity Framework (CSF) Subcategories, and to other relevant NIST publications (Appendix E).
In response to the growing supply chain attacks against governmental agencies in the US, NIST released SP 800-207 (“Zero Trust Architecture”) to guide organizations through the creation and maintenance of zero trust networks and IT ecosystems. In a zero-trust architecture, no presumed or implied trust is assigned to any IT assets or users based on their location or ownership.
Finally, SP 800-213 (“IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements”) establishes practical guidelines for federal agencies on IoT security best practice.