by Cesar Navas
March 6, 2024
This report provides organizations with information which specifically measures against the compliance standards related to the 800-171 standards which represent a set of security controls and guidelines established by National Institute of Standards and Technology (NIST). NIST 800-171 is a special publication that provides the recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI), that is processed, stored, or transmitted by Department of Defense (DoD) government contractors and subcontractors.
CUI categorized as unclassified information that is created or possessed by the US Government, or an entity on behalf of the Government, requires safeguarding from unauthorized disclosure. DoD contractors who process, store, or transmit CUI for the DoD, GSA, NASA, or other federal or state agencies, including subcontractors are required, at the very least, to complete a basic self-assessment in reference to the controls in NIST 800-171. NIST 800-171 contains 14 key areas: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Physical Protection, Personnel Security, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
The US federal government relies heavily on external service providers and contractors to assist in carrying out a wide range of federal missions. Sensitive but unclassified federal information is routinely processed by, stored on, or transmitted through nonfederal information systems. Failing to properly protect this Controlled Unclassified Information (CUI) could impact the ability of the federal government to successfully carry out required missions and functions. The National Institute of Standards and Technology (NIST) created Special Publication 800-171 'Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations' to provide recommended requirements for protecting the confidentiality of CUI.
Federal agencies should use these requirements when establishing contracts and agreements with non federal entities that process, store, or transmit CUI. This report helps organizations align with NIST 800-171 recommendations.
Tenable provides several solutions for organizations to better understand vulnerability management. Security leaders need to SEE everything, PREDICT what matters most and ACT to address cyber risk and effectively align cybersecurity initiatives with business objectives. Tenable Vulnerability Management (formerly Tenable.io) discovers and analyzes assets continuously to provide an accurate and unified view of an organization's security posture. The requirements for this report are: Tenable Vulnerability Management.
Chapters:
- Executive Summary: This chapter contains three elements which provide a high level overview summarizing results outlined in NIST 800-171.
- Framework Result Summary - 800-171: This chapter summarizes all the families outlined in NIST 800-171.
- Control Summary - 800-171: This chapter provides compliance results for each control family within the compliance standard.
- Audit Check Type Summary - 800-171: This chapter provides compliance results for hosts within the compliance standard.
- 3. 1 ACCESS CONTROL - 800-171: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- 3. 2 AWARENESS AND TRAINING - 800-171: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- 3. 3 AUDIT AND ACCOUNTABILITY - 800-171: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- 3. 4 CONFIGURATION MANAGEMENT - 800-171: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- 3. 5 IDENTIFICATION AND AUTHENTICATION - 800-171: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- 3. 6 INCIDENT RESPONSE - 800-171: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- 3. 7 MAINTENANCE - 800-171: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- 3. 8 MEDIA PROTECTION - 800-171: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- 3.11 RISK ASSESSMENT - 800-171: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- 3.12 SECURITY ASSESSMENT - 800-171: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- 3.13 SYSTEM AND COMMUNICATIONS PROTECTION - 800-171: This chapter provides details on each of the compliance controls for the compliance family group being referenced.
- 3.14 SYSTEM AND INFORMATION INTEGRITY - 800-171: This chapter provides details on each of the compliance controls for the compliance family group being referenced.