NIST 800-171 Implementation Guide for MSPs and SMBs

NIST 800-171 Implementation Guide

In need of an easy-to-follow NIST 800-171 implementation guide for your business? We’ve got you covered!

The NIST 800-171 publication lays out specific guidelines for protecting government data, also referred to as controlled unclassified information (CUI). And even if you don’t handle CUI, following NIST 800-171 guidance is still a smart idea for protecting the data that you do have and responding with efficiency to a breach or attack.

Here are the steps that you’ll want to follow in order to implement NIST 800-171 recommendations for your MSP or SMB, whether you’re working with CUI or a more general data infrastructure.

3 Steps to Implementing NIST 800-171 Guidelines

The more work that you do to proactively protect your business’s data, the less you’ll have to worry about the legal and financial consequences of a disruption.

The recommendations in the NIST 800-171 are a good way to shore up your cybersecurity framework, and can (and should) be implemented regardless of whether or not you interact with CUI. Note that if you do not have an in-house IT team that can handle this process, you’ll want to call in a contractor who knows how to implement NIST cybersecurity framework recommendations and can make sure that your data is adequately protected.

Step 1: Assess and Organize Your Data

Do a complete system-wide assessment to pinpoint where your most sensitive data is and where you need to focus most of your efforts. Be sure that this includes both local and outsourced cloud locations as well as any portable hard drives or other storage devices. And if you do work with CUI, you’ll want to specifically locate all storage sites where it lives so you can start implementation there.

Step 2: Put Safety Controls in Place

There are 14 different types of requirements within the NIST 800-171, each of which includes direct safety controls that will need to be met for compliance. This includes controls related to data access, auditing, system maintenance, and incident responses. If you’re not handling CUI and just implementing NIST 800-171 guidance for your own purposes, you can pick and choose which controls make the most sense for your organization’s budget and objectives. Keep in mind, though, that all of them serve a unique goal and full implementation is recommended for complete protection.

Step 3: Train and Monitor

Compliance doesn’t end with implementation. Put a plan into place for how you will monitor the ongoing safety of your data and thoroughly train any employees who will be working towards that goal. Both of these are key for sustaining the security of your system and ensuring you remain up to date with the latest in cybersecurity protocols and best practices.

NIST Implementation Tiers

Depending on the scope of implementation, your business will achieve one of four NIST 800-171 implementation tiers:

  • Tier 1: Partial Implementation
  • Tier 2: Risk Informed Implementation
  • Tier 3: Repeatable Implementation
  • Tier 4: Adaptive Implementation

Again, so long as you don’t work with CUI it is up to you what level of implementation you reach. As a good rule of thumb, choose the tier that you want to reach first, and then make a detailed plan for how you’re going to do it.

Located in New York, NY, Computer Resources of America specializes in providing local businesses with comprehensive IT support when and where it’s needed. In need of more support? Contact us to learn how we can help you with NIST 800-171 implementation, or browse our website for information related to legal IT-related services or other more specific offerings.