A: The NIST SP 800-171 is a best-practices form, something like a checklist on steroids. It is created and produced by NIST (National Institute of Standards and Technology), one of the two federal teams charged with helping to ensure cybersecurity. The other is US-CERT (United States Computer Emergency Readiness Team).

NIST is governed by the U.S. Department of Commerce. US-CERT is governed by the U.S. Department of Homeland Security.

There is a core problem with cybersecurity: how do you know you are doing the proper things, in the proper way, to the proper degree, to help ensure (note: ensure, not guarantee) the cybersecurity and privacy of you, your family, and your organization?

NIST has developed best practices that help to standardize these questions and has organized them into the SP 800-171 form. The form only asks the questions; it does not provide the answers. This may lead to some head-scratching, but it makes sense, because every IT environment is different. It then becomes your job (or the job of your IT or Security Department) to figure out how to answer and resolve those questions.

This best-practice document has become a standard for both cybersecurity and privacy. It is used as the basis for certifying HIPAA-covered entities (health care organizations), SEC-covered entities (finance organizations), federal and military contractors, and many more. If your organization isn’t using this document, it is almost certain that your cybersecurity and privacy are lacking, and your organization may be held legally and financially liable in the event of client data leakage.

By following and answering the 800-171, your IT group has performed due diligence in protecting your IT infrastructure.

Since the document doesn’t provide any guidance on solutions or answers, this is where MintzIT comes to the rescue! We have been providing full-service IT consulting to all of New Mexico for 32 years and are the authors of 13 best-selling cybersecurity books, making MintzIT the perfect solution for ensuring your cybersecurity and privacy.

Attached you will find a copy of the NIST SP 800-171. Listed below are a couple of example resolutions to the questions.

3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  • All data stored on Google G-Suite, with access restricted to authorized users using strong passwords and 2-Factor Authentication.
  • Accessing company data permitted only on company computers that have passed monthly security audit.
  • Access to local computers and data restricted to authorized users using strong passwords and 2-Factor Authentication.
  • Local computers are hardware encrypted (FileVault 2 on macOS, BitLocker on Windows 10 Pro).
  • Local computer security protected with ASAP OS and application updates.
  • Local Area Networks secured with Stateful Packet Inspection firewall at both the router and local computer.
  • Local Area Network security protected with ASAP firmware updates for modem, router, switches, and wireless access points.
  • Mobile Device access to data on Google G-Suite restricted to authorized users via minimum 6-digit PIN.
  • Mobile Device access protected with erase after 10 failed PIN attempts.
  • Mobile Devices with access to data are protected with hardware encryption.
  • Mobile Device security protected with ASAP OS and app updates.
  • Mobile Device security is locked down with Mobile Device Management, preventing end-user from performing any system or application modifications.

3.3.1 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
  • Google G-Suite for Enterprise is used for all data; it provides audit records.
  • Google G-Suite for Enterprise is used for all data; it provides data loss prevention.
  • Spinbackup is used; it provides third-party data loss prevention, giving a snapshot-based backup of all G-Suite-based data (email, calendar, contacts, data).