
How updated guidelines on protecting controlled unclassified information impact SMBs
In May, the National Institute of Standards and Technology (NIST) published the final version of its updated guidelines for protecting sensitive government data held by private sector organizations that do business with the federal government. The document is NIST Special Publication 800-171 (SP 800-171), and the final version of Revision 3 offers clearer, more straightforward guidance than its predecessor.
What is NIST?
NIST is a non-regulatory agency of the U.S. Department of Commerce. Its mission is to promote technological innovation and industrial competitiveness by advancing measurement science, standards, and technology to enhance economic security and improve quality of life. The agency develops standards, measurements, and guidelines ranging from construction safety to cybersecurity frameworks.
Who needs to comply with NIST SP 800-171?
Any organization that does business with the federal government and processes, stores, or transmits controlled unclassified information (CUI) on the government's behalf is contractually obligated to meet the NIST SP 800-171 requirements. The contract (or the clauses flowed down from a prime contractor) should specify which data qualifies as CUI; if it does not, ask the contracting officer rather than guess.
What is controlled unclassified information (CUI)?
CUI is government information that is sensitive but does not meet the criteria for classification. To qualify, the information must require safeguarding or dissemination controls under a law, regulation, or government-wide policy. Examples of CUI include intellectual property, controlled technical information, employee health information, proprietary business information, personally identifiable information, and sensitive law enforcement information.
In its guidelines, NIST outlines requirements for protecting this data from unauthorized access, disclosure, and loss. This matters because organizations that process, store, or transmit CUI often support government programs involving critical assets such as weapons and communication systems, so a compromise at a small contractor can expose information well beyond that contractor.
What’s changed from the previous guidelines?
Previously, some of the wording in the guidelines was ambiguous and did not match the language of NIST SP 800-53, the catalog of security and privacy controls used by federal agencies. The final updates improve consistency and ease of use, in part based on user feedback on earlier drafts.
Major updates include:
- Restructured security requirements that align with, and use the same language as, the SP 800-53 security controls
- Organization-defined parameters (ODPs), which let certain requirements (for example, how often something is reviewed or how long a value is retained) be set to values that fit your organization's needs or that your contracting agency specifies
- New, clearer tailoring criteria
- Recategorization of the controls based on the new tailoring criteria
- Additional guidance to better support implementation and improve outcomes
The revised requirements are also available in machine-readable formats such as JSON and Excel, so cybersecurity tool developers can import them directly into their applications rather than transcribing them from the PDF.
The companion assessment procedures, NIST SP 800-171A, have been updated alongside the requirements. They are intended to help organizations assess whether each security requirement has actually been met, and they are the basis for the evidence an assessor will expect to see.
Updates to the assessment procedures documentation include:
- Organization-defined parameters (ODP) for improved traceability and usability
- Structure and syntax changes for better consistency
- Additional guidance on conducting security requirement assessments
How do the NIST guidelines impact SMBs?
The NIST SP 800-171 guidelines have financial and operational impacts for SMBs that handle government CUI.
- Financial impacts: SMBs that handle government CUI must comply with the requirements or risk contract disputes or penalties. SMBs with no direct federal contract but that handle CUI as subcontractors in a government supply chain are still subject to the requirements, because prime contractors flow them down. Compliance means investing in infrastructure, personnel, and ongoing maintenance. However, compliance with NIST SP 800-171 may offer a competitive advantage when bidding for government contracts, and insurance carriers may offer preferred coverage to organizations that meet the standard.
- Operational impacts: Adhering to the standard involves implementing a comprehensive set of security controls, spanning technology, processes, and training, to protect CUI. This includes encryption of CUI at rest and in transit, access controls, monitoring and logging, and incident response capabilities, all of which must be documented and maintained, not just deployed once.
How can SMBs ensure they’re compliant with NIST SP 800-171?
Navigating compliance is a challenge for SMBs, especially those with limited resources and compliance expertise. If you are doing it yourself, read your government contract and the full text of NIST SP 800-171, identify exactly which systems and data are in scope, and use the companion assessment procedures (SP 800-171A) to verify each control and record the evidence. Note that the contract, not NIST, determines which revision you are held to; at the time of writing, DoD contracts under DFARS 252.204-7012 continued to reference Revision 2 pending rulemaking, so confirm the version your contract cites before planning work.
Many SMBs opt to seek guidance from cybersecurity experts and managed security service providers. If you take this route, make sure your consultants are up to date with Revision 3 of NIST SP 800-171 and its assessment procedures, and that they know which revision your specific contract requires.