Updated On 3 March, 2023
NIST 800-171: Penetration testing and vulnerability scanning
In June 2015, NIST published a special publication 800-171 focusing on the protection of controlled unclassified information (CUI). This publication has been developed by NIST to further its statutory obligations under the Federal Information Security Modernization Act (FISMA) of 2014. Over the last five years, there have been a couple of revisions, and the latest version of this publication is available here. This publication aims to guide federal agencies in ensuring that sensitive federal data remains protected when it is processed, stored, and used in a non-federal information system outside of the federal government. The extent of applicability of NIST 800-171 is limited to CUI shared by a federal agency with a non-federal organization.
What is controlled unclassified information (CUI)?
Executive Order 13556 defines CUI as information that is sensitive and relevant to the interests of the United States, but the federal government does not strictly regulate it. According to the National Archives and Records Administration, CUI requires safeguarding and dissemination controls consistent with existing laws, regulations, and government policies. For a set of data to be considered as CUI, it must not be classified under Executive Order 13526 or the Atomic Energy Act.
NIST 800-171: Applicability
Federal contracts describe CUI shared by the federal agencies, and hence, they require a vendor to comply with NIST SP 800-171 Rev 2. Companies are under an obligation to ensure that their employees receive adequate training to understand the requirements of NIST. This publication expects existing vendors to upgrade their controls for processing data received from a federal agency and storing them on non-federal information systems. Before starting the compliance project for NIST 800-171, our experts emphasize the following points:
- A vendor, company, organization, or educational institution receives CUI as a part of a research grant or to conduct business.
- NIST 800-171 only applies to data that a federal agency has designated as CUI when it is shared with a non-federal entity.
- Contracts with the federal government must have relevant clauses identifying the data that a federal agency is sharing.
- The prospective audience for this framework includes developers, project managers, risk management personnel, internal security team, and any individual or team involved with the handling of CUI.
Overall requirements of NIST 800-171
Chapter 3 of this publication lays down 110 security requirements across fourteen families, whereas each family has basic and derived security requirements.
Figure 1: Security Requirement Families in NIST SP 800-171 Rev 2.
Vulnerability scanning and penetration testing in NIST 800-171
Requirement 3.11.2 specifies vulnerability scanning in organizational systems and applications periodically. Further, this publication also prescribes vulnerability scans when an organization identifies new vulnerabilities affecting its systems and applications. As security researchers across the globe discover new vulnerabilities, scanning methods must be updated quickly. It recognizes that vulnerability scanning for custom software applications may require additional approaches such as binary analysis, static analysis, dynamic analysis, or a hybrid of these approaches. A vulnerability scan shall include:
- Scanning for ports, protocols, functions, and services that must not be accessible to users/devices
- Scanning for improper configuration
- Incorrectly operating information flow control mechanisms
For interoperability, this publication recommends products based on Security Content Automated Protocol (SCAP), Common Vulnerabilities and Exposures (CVE), Open Vulnerability Assessment Language (OVAL), and Common Vulnerability Scoring System (CVSS). Besides, it notes that red team exercises may provide additional sources of vulnerabilities to scan for. An organization shall address the vulnerabilities in line with its risk assessment, as given in Requirement 3.11.3.
Requirement 3.12.1 specifies a periodical assessment of security controls in organizational systems for determining their effectiveness. An organization implements security controls to satisfy security requirements. After implementation, assessing security controls helps an organization in determining if their safeguards or countermeasures are working as expected. Depending on the target individuals and roles, security assessment results are documented in the form of reports with varying levels of technical information. On similar lines, Requirement 3.12.2 covers developing and implementing a plan of action for mitigating vulnerabilities and unimplemented security requirements.
Requirement 3.12.3 deals with continuous monitoring of security controls for ensuring the continued effectiveness of security controls. A continuous monitoring program facilitates an organization’s awareness of vulnerabilities and threats so that it can make informed risk management decisions. With automated tools, an organization can push updates to firmware, hardware, software, and other systems more frequently.
Requirement 3.14.1 focuses on identifying, reporting, and correcting system flaws in a timely manner. An organization can undertake these activities during security assessments, vulnerability scans, continuous monitoring, incident response activities, or error handling in systems.
Our experts are thoroughly familiar with the requirements of NIST 800-171, and we are eager to help organizations in satisfying security requirements and achieving compliance. While it can take a few months to be fully compliant with NIST 800-171 security requirements, an organization shall not wait to get started. It is crucial to establish a solid baseline of where your organization stands in terms of its cybersecurity practices. Our security experts, supported by a cloud-based SaaS platform, help you in finding answers for questions like:
- What are the potential vulnerabilities in organizational systems?
- How to identify and close existing gaps?
- What type of training is required for individuals handling CUI?
- How can we continue to remain compliant with NIST SP 800-171?
To explore our services and discuss how BreachLock partners with its clients, schedule a call today!