What is NIST 800-171?

If you haven’t heard anything about NIST, it is likely because you do not work with the federal government, with companies that work with the federal government, or with companies that operate overseas. Regardless of whether this impacts you today, NIST provides a strong framework for securing your organization's and your customers' data against unwanted hacker activity.

NIST 800-171 is a set of guidelines published by the National Institute of Standards and Technology (NIST) that introduced requirements for protecting Confidential Unclassified Information (CUI) from unauthorized access, with an emphasis on foreign entities. The federal government has adopted this standard as a requirement for any company that is bidding on and/or fulfilling government contracts.

The Importance of NIST 800-171 to Manufacturers

As of December 2017, NIST 800-171 required compliance to “ensure that sensitive federal information remains confidential when stored in non-federal information systems and organizations.” Compliance with these guidelines is mandatory and is enforced by the Department of Defense (DoD). Many non-federal manufacturing organizations hold contracts that aid federal agencies in the production of certain products, and they commonly store or transmit sensitive data. With the rise in cyber-attacks over the last few years, protection of this data has become paramount, so NIST 800-171 has become more important than ever and is enforced accordingly. If you do not discuss your NIST security compliance posture with the DoD, your organization is implying that you are CDI compliant. If you are then audited and found in violation, you could be hit with enormous fines, or your organization could be issued a stop-work order that stands indefinitely until compliance is met.

How to Achieve and Stay NIST Compliant

NIST 800-171 has many rules when it comes to technology controls, and without expertise it is difficult to stay compliant. This leads many organizations to turn to a third party to assess, deploy and maintain security features in order to stay compliant. NIST guidelines specify the following technology practices and controls as areas of emphasis for manufacturing organizations:

Perform an annual risk assessment. This can be a self-assessment or performed by a third party. However, many organizations don’t have the resources or expertise to conduct a security risk assessment internally. This is a critical first step in understanding which improvements you should focus on first. As a follow-up to the assessment, it is critical to perform a risk analysis of the identified risks and document a plan to either avoid, mitigate, transfer, or accept each of them.

Document and implement security policies. There are many critical security policies that an organization should document and live by. These policies will be a natural product of the security risk assessment. The following are just some of the policies that should be considered:

Put controls in place around authentication and access:

  • Implement a strong authentication process. This will involve strong password policies and some form of Multi-Factor Authentication.
  • Implement a “need to know” access policy. This will require a review of each employee's permissions to see what data they have access to and what privileges they should have to access application and network resources.
  • Limit the number and use of privileged accounts. Admin accounts should not be used often, and reducing the number of users with access to them is a great way to control access to critical technology within your environment.
  • Control the connection of mobile devices. Mobile devices are often used for convenience, but without proper management corporate data can be lost. It is critical to have a policy that deals with storage, ownership and removal of corporate and customer data on a personal phone.
  • Encrypt storage devices on all workstations and mobile devices. Using an encryption tool like BitLocker to protect data on a missing or stolen device is mandatory for safeguarding your data in case of loss or theft.

Provide security awareness training. Providing security awareness training (with a specific focus on which data is considered CUI) is one of the most powerful practices you can deploy in terms of security. The biggest threat to any organization’s security is its end users. Unaware employees often fall victim to phishing attacks and other schemes. Training your employees on what to look for is critical.

Create, maintain, and retain audit logs. Proactively watching user and network activity is critical to any security program. Looking for abnormal behavior is a great way to stop an attack before it gets out of control. Maintaining system logs also allows you to go back and look at activity during the time of an attack and track what went wrong and how to improve things for the future.
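As an added illustration of two of the points above (privileged accounts that should rarely be used, and reviewing retained logs for abnormal behavior), the following Python script is not from the original post or from Applied Tech. It runs a simple review over constructed sample logon lines; the log format, the account name and the thresholds are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed format: "<timestamp> <outcome> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-04T09:02:11 SUCCESS user=jsmith src=10.1.4.22
2024-03-04T09:05:40 FAILURE user=jsmith src=10.1.4.22
2024-03-04T22:14:03 SUCCESS user=admin-svc src=10.1.4.90
2024-03-04T22:15:01 FAILURE user=kwong src=203.0.113.7
2024-03-04T22:15:02 FAILURE user=kwong src=203.0.113.7
2024-03-04T22:15:03 FAILURE user=kwong src=203.0.113.7
2024-03-04T22:15:04 FAILURE user=kwong src=203.0.113.7
2024-03-04T22:15:05 FAILURE user=kwong src=203.0.113.7
2024-03-04T22:15:06 SUCCESS user=kwong src=203.0.113.7
"""

PRIVILEGED = {"admin-svc"}      # hypothetical admin account that should rarely be used
FAIL_THRESHOLD = 5              # failed logons from one source within WINDOW_SECONDS
WINDOW_SECONDS = 60
BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59; assumed for the example

def parse(line):
    ts, outcome, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "ok": outcome == "SUCCESS",
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}

def review(log_text):
    """Return (kind, detail) findings for an analyst to triage, in log order."""
    findings = []
    failures = defaultdict(list)   # src -> timestamps of recent failed logons
    burst_at = {}                  # src -> time a failure burst was flagged
    for e in (parse(l) for l in log_text.splitlines() if l.strip()):
        ts, src = e["ts"], e["src"]
        # Privileged accounts are expected to be used rarely; off-hours use stands out
        if e["user"] in PRIVILEGED and ts.hour not in BUSINESS_HOURS:
            findings.append(("privileged_offhours", f"{e['user']} from {src} at {ts:%H:%M}"))
        if not e["ok"]:
            # Sliding window of failures per source; a burst looks like password guessing
            recent = [t for t in failures[src] + [ts] if (ts - t).total_seconds() <= WINDOW_SECONDS]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append(("failure_burst", f"{len(recent)} failures from {src} in {WINDOW_SECONDS}s"))
                burst_at[src], recent = ts, []   # one finding per burst
            failures[src] = recent
        elif src in burst_at and (ts - burst_at[src]).total_seconds() <= WINDOW_SECONDS:
            # A success right after a burst from the same source is the case to escalate first
            findings.append(("success_after_burst", f"{e['user']} from {src} at {ts:%H:%M:%S}"))
    return findings

if __name__ == "__main__":
    for kind, detail in review(SAMPLE_LOG):
        print(f"{kind:22} {detail}")
```

On the sample above the review yields three findings: an off-hours privileged logon, a five-failure burst from one source, and a success from that source within the window.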

How to Get Started on the Road to Compliance

Many organizations will employ third-party help to create, implement, and comply with these requirements. Applied Tech has multiple experts on staff who can help you become compliant. With multiple Managed Security packages that have been specifically designed to meet compliance needs, Applied Tech is an industry leader with experience deploying these vital technologies to organizations throughout Wisconsin. For more information on how to tighten up your security practice, check out this blog!

Want to get started? Fill out the form below to have a conversation with an Applied Tech expert today!

