What steps should your small business take to make sure they are compliant with NIST Special Publication 800-171?
NIST Special Publication 800-171 provides guidelines for protecting sensitive information in non-federal information systems and organizations. Compliance with these guidelines is required for any small business that handles Controlled Unclassified Information (CUI) for the federal government.
If your small business handles CUI, you will need to follow the guidelines to ensure compliance. Here are some steps a small business can take to ensure compliance with NIST SP 800-171:
1. Determine if NIST SP 800-171 applies to your business: First determine whether your business handles CUI and whether that information is provided by, or created on behalf of, the federal government. If so, the requirements outlined in NIST SP 800-171 apply to your business.
2. Determine the scope of your CUI: Identify the types of CUI that your business handles and determine where the CUI is located, how it is transmitted, and who has access to it.
3. Perform a risk assessment: Conduct a thorough risk assessment of your current security measures to identify and prioritize potential threats and vulnerabilities associated with handling CUI. This risk assessment will identify any gaps or vulnerabilities in your current security measures that need to be addressed to comply with NIST SP 800-171.
4. Develop and document your system security plan (SSP): Develop a plan that outlines the security requirements for protecting CUI and how you will implement them. The SSP should include the policies, procedures, and controls that protect CUI from unauthorized access or disclosure, along with an overview of each security control in place and how it is implemented.
5. Implement security controls: Implement security controls that address the identified gaps in your current security measures and meet the requirements outlined in your SSP. These security controls should be in compliance with NIST SP 800-171 guidelines. Examples of security controls include access controls, network security, and data encryption.
6. Train employees: Develop and provide security awareness training to all employees who handle CUI, covering the security policies and procedures related to protecting it. This training should include how to identify CUI, why safeguarding it matters, how to recognize and report security incidents, and how to follow established security procedures. Training should be regular and ongoing so that employees stay current on security risks and evolving threats.
7. Monitor and assess your security posture: Regularly monitor and assess your security posture and security controls to ensure that they are effective and to identify and address any new vulnerabilities or threats. Perform regular security assessments and penetration testing to ensure compliance with NIST SP 800-171 guidelines.
8. Conduct periodic reviews: Conduct periodic reviews of your SSP and security controls to ensure that they remain up to date and effective in protecting CUI.
9. Maintain compliance: Maintain compliance with NIST SP 800-171 guidelines on an ongoing basis. Regularly review and update your security plan, policies, and procedures as necessary to address changes in the threat landscape or changes in the information technology environment. Document your compliance efforts and maintain records of your security activities, including risk assessments, SSPs, security control implementations, employee training, and monitoring and assessment activities.
By following these steps, small businesses can ensure compliance with NIST SP 800-171, protect sensitive information while doing business with the federal government, and keep CUI safe from unauthorized access or disclosure.
Confused by all these requirements, or just want someone to help you navigate?
TECHFORGE Solutions brings critical expertise to the table to simplify the process of becoming 800-171 compliant. We provide easy-to-follow procedures, expertise in managing the assessment, and a robust set of documentation you can use for any client engagement. TECHFORGE Solutions provides the critical SME guidance, managed processes, and proven workflow tools for capturing, evaluating, and documenting outcomes to get you compliant.
Whether you need executive-level strategic consulting from a part-time "CISO in a box", on-site or remote security support, third-party assessment or penetration testing, or a fully outsourced 24x7x365 security operations center (SOC) team, TECHFORGE can help.
A: 2681 Commons Blvd | Beavercreek, OH 45431
P: (937) 815-1875
E: Info@techforge.ai