A: The NIST SP 800-171 is a best-practices form, something like a checklist on steroids. It is created and produced by NIST (National Institute of Standards and Technology), one of the two federal teams charged with helping to ensure cybersecurity. The other is US-CERT (United States Computer Emergency Readiness Team).
NIST is governed by the U.S. Department of Commerce. US-CERT is governed by the U.S. Department of Homeland Security.
There is a core problem with cybersecurity: how do you know you are doing the proper things, in the proper way, to the proper degree, to help ensure (note: ensure, not guarantee) the cybersecurity and privacy of you, your family, and your organization?
NIST has developed best practices that help to standardize these questions, and has organized them into the SP 800-171 form. This form only asks the questions; it does not provide the answers. This may lead to some head-scratching, but it makes sense because every IT environment is different. It then becomes your job (or the job of your IT or Security Department) to figure out how to answer and resolve each question for your environment.
This best-practice document has become a standard for both cybersecurity and privacy. It is used as the basis for certifying HIPAA-covered entities (health care organizations), SEC-covered entities (finance organizations), Federal and military contractors, and many more. If your organization isn’t using this document, it is almost certain your cybersecurity and privacy are lacking, and you may be held legally and financially liable in the event of client data leakage.
By working through and answering the 800-171, your IT group has done its due diligence to protect your IT infrastructure.
And since the document doesn’t provide any guidance on solutions or answers, this is where MintzIT comes to the rescue! We have been providing full-service IT consulting to all of New Mexico for 32 years, and are authors of 13 best-selling cybersecurity books, making MintzIT the perfect solution for ensuring your cybersecurity and privacy.
Attached you will find a copy of the NIST SP 800-171. Listed below are a couple of example resolutions to the questions.
| Control | Requirement | Resolution |
|---|---|---|
| 3.1 | ACCESS CONTROL | |
| 3.1.1 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | |
| 3.3 | AUDIT AND ACCOUNTABILITY | |
| 3.3.1 | Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. | |