LBMC Information Security has been in the IT security and compliance business for over 20 years. During that time, we have amassed considerable experience with FISMA and NIST SP 800-53. We have now extended that expertise to NIST SP 800-171 assessments. Any non-federal organization that processes, stores or transmits Controlled Unclassified Information (CUI), including DoD Covered Defense Information, must implement the NIST SP 800-171 security requirements (for DoD contractors, this obligation flows down through DFARS clause 252.204-7012). NIST itself does not issue certifications; what an organization needs is a documented, independently assessed implementation of those requirements.
To ensure that our clients maintain a compliant state and strong control environment, LBMC performs our NIST assessments using the following steps:
- Kickoff call: discuss engagement logistics, verify the controls to be tested, confirm onsite scheduling, review the evidence request process, and answer any pre-engagement questions
- Documentation review: examine the System Security Plan, policies, procedures and supporting evidence for each requirement in scope
- Interviews with the individuals responsible for implementing each control, to understand the current processing environment
- Control testing: verify the operation of the NIST-specified controls against the collected evidence, combined with an onsite walk-through of the facilities
- Debrief and issuance of the final assessment report, including any gaps identified and recommended remediation
The Differences between NIST 800-171 and NIST 800-53
At a high level, NIST SP 800-53 is a catalog of security and privacy controls written for federal information systems and organizations. It is intended primarily for use by federal agencies and their systems, and it contains many controls that do not apply to a contractor's internal information system.
NIST SP 800-171, on the other hand, applies to the internal information systems of non-federal organizations. It derives a standardized, reduced set of requirements from FIPS 200 and NIST SP 800-53 so that contractors can meet their statutory and regulatory obligations by implementing one consistent set of CUI safeguards. Because many of its requirements describe general good practice for policy, process and secure configuration, NIST SP 800-171 is widely regarded as less complicated and easier to understand than its NIST SP 800-53 counterpart.
NIST SP 800-171 is distinctive in that its requirements were tailored by removing the FIPS 200 and NIST SP 800-53 controls that are:
- uniquely federal, i.e., specific to government-owned systems
- not directly related to protecting the confidentiality of CUI, or
- expected to be routinely satisfied by non-federal organizations without specification (for example, the policy and procedure controls).
NIST SP 800-171 (Revision 2) contains 110 security requirements organized into 14 families, making it considerably more concise than the full NIST SP 800-53 catalog and less complex for non-federal organizations to implement.
All NIST Reports are not Created Equal
Our team members have extensive experience on your side of the desk in a variety of industries with security and compliance mandates. This client-side experience means that we understand how data moves between a user entity’s network and its service organizations. We help you achieve compliance while providing the insights your leaders and stakeholders need to make better business decisions.
Whether you are just getting started with NIST SP 800-171 or have been navigating these regulations for years with another provider, LBMC Information Security can help you achieve and maintain NIST compliance in a complex landscape.