The National Institute of Standards and Technology (NIST) is a non-regulatory government agency that develops technology, metrics and standards to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. NIST provides standards and guidelines for the Federal Information Security Management Act (FISMA), which is a comprehensive framework to protect government information, operations and assets against natural or man-made threats.
In 2015, the U.S. Department of Defense (DoD) published an interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS) giving government contractors a deadline to implement the requirements of NIST Special Publication (SP) 800-171. Any organization that processes, stores, or transmits Controlled Unclassified Information (CUI), whether it engineers, tests, or manufactures products directly or indirectly, must comply.
The NIST SP 800-171 requirements are based on best practices for a sound data security plan, organized into 14 categories (requirement families). Maintaining a plan that covers all 14 categories will keep a contractor in good standing. Once that initial baseline is achieved, the system can be continuously improved.
- Access Control
- Media Protection
- Awareness and Training
- Personnel Security
- Audit and Accountability
- Physical Protection
- Configuration Management
- Risk Assessment
- Identification and Authentication
- Security Assessment
- Incident Response
- System and Communications Protection
- System and Information Integrity
- Maintenance