Start using any ImmuniWeb product instantly after a quick customization and secure online payment. Alternatively, request your free demo.

Total Tests:

NIST SP 800-53 for FISMA
NIST SP 800-171 for CMMC and DFARS

Read Time: 8 min.

The flagship NIST Special Publication 800-53 helps US government to implement security and privacy controls
imposed by FISMA, while the Special Publication 800-171 imposes mandatory cybersecurity program
for US federal suppliers and contractors as required by FAR, DFARS and CMMC.

NIST SP 800-53 for FISMA and NIST SP 800-171 for CMMC / DFARS

What is NIST and its role?

Known as the National Bureau of Standards till 1988, the National Institute of Standards and Technology (NIST) was founded in 1901 to modernize standardization, measurement and metrics systems, and to bolster competitiveness of the industrial and technological sectors in the US.

NIST compliance ImmuniWeb can help you comply with NIST SP 800-53 and SP 800-171 cybersecurity and data protection requirements. How We Help

Today, being a part of the US Department of Commerce, NIST is a non-regulatory federal body that runs several physical science laboratories:

  • Communications Technology Laboratory (CTL)
  • Engineering Laboratory (EL)
  • Information Technology Laboratory (ITL)
  • Center for Neutron Research (NCNR)
  • Material Measurement Laboratory (MML)
  • Physical Measurement Laboratory (PML)

In the cybersecurity industry, NIST is well known and respected for developing a broad variety of frameworks and guidelines dedicated to information security, ranging from regulated data classification to IoT security and privacy.

What is the NIST Special Publication 800 series?

Contrasted to federal laws, such as HIPAA or GLBA, or to state laws, such as CCPA in California or the SHIELD Act in New York, NIST publications have no legally binding effect in the US. However, by the virtue of federal laws, regulations or executive orders, some of the publications by NIST are incorporated into the enacted legislation and may become legally enforceable as described below.

The NIST Special Publication (SP) 800 series are interrelated guidelines and frameworks developed by NIST ITL. Most of the SP 800 publications address information security, data protection and privacy and are primarily designed for the US government, its contractors and suppliers.

Many of the publications are also widely leveraged and adopted by private sector as a recognized industry standard for cybersecurity. In its most recent publications, NIST purposely avoids mentioning “federal information systems” to emphasize their suitability for different industries and sectors of economy. In the private sector of many countries, voluntary but legally binding compliance with the SP 800 series is frequently required from suppliers by the virtue of contract law.

Some US states also incorporated NIST SP 800 publications into their state legislation. For instance, Utah and Ohio enacted the so-called “safe harbor” state laws that, under certain circumstances, provide local entities with an affirmative defense in data breach lawsuits if the compromised entity proves compliance with NIST SP 800-171 or SP 800-53.

What is NIST SP 800-53 for FISMA?

Updated in 2020 for the fifth time, the “Security and Privacy Controls for Information Systems and Organizations, SP 800-53 Rev. 5” is a comprehensive data protection and cybersecurity framework published by NIST as required by the Title III (“Information Security”) of the Federal Information Security Management Act of 2002 (FISMA).

FISMA requires federal agencies to implement a cost-efficient and risk-based data protection program for their information systems and external systems where federal information is stored or processed. The Act expressly mentions confidentiality, integrity and availability of federal data and imposes “protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.” The Act, however, does not provide detailed technical guidance on how the covered governmental entities are supposed to achieve these goals and objectives. To fill out the gap, FISMA instructs and empowers NIST to develop technical standards and guidelines to help federal government meet the imposed data protection objectives. Eventually, in February 2005, NIST published the very first version of SP 800-53 that was later modernized with 5 subsequent revisions.

Under FISMA, compliance with the SP 800-53 shall be reported to the US Office of Management and Budget (OMB) on an annual basis by agency program officials or Chief Information Officers. The OMB then uses compliance reports in its oversight responsibilities and to prepare its own annual report to Congress on the agency’s compliance with FISMA.

In 2014, FISMA was updated with the Federal Information Security Modernization Act of 2014, including, among other things, provision of authority and power to the US Department of Homeland Security (DHS) to assist the OMB in implementation and oversight of FISMA, and update of data breach notification requirements imposed on the federal agencies.

What is the NIST SP 800-53 checklist?

Part 3 (“The Controls”) of the SP 800-53 publication provides 20 sections with multiple subsections dedicated to required security controls and their practical implementation:

3.1 Access Control
3.2 Awareness and Training
3.3 Audit and Accountability
3.4 Assessment, Authorization and Monitoring
3.5 Configuration Management
3.6 Contingency Planning
3.7 Identification and Authentication
3.8 Incident Response
3.9 Maintenance
3.10 Media Protection
3.11 Physical and Environmental Protection
3.12 Planning
3.13 Program Management
3.14 Personnel Security
3.15 Personally Identifiable Information Processing and Transparency
3.16 Risk Assessment
3.17 System and Services Acquisition
3.18 System and Communications Protection
3.19 System and Information Integrity
3.20 Supply Chain Risk Management

The publication brings a risk-based approach to implementation and continuous monitoring of security controls, proportional and adequate to mitigate identified cyber threats. Being a fairly comprehensive framework, the SP 800-53 requires a set of written policies and procedures to be properly maintained.

Among some specific requirements, for instance, the SP 800-53 provides regular vulnerability scanning and penetration testing (Section 3.5) to timely identify and remediate security vulnerabilities. While Section 3.20 explains how to develop, implement and maintain a risk-based strategy to mitigate third-party risks to address growing supply chain attacks.

What is NIST SP 800-171 for FAR, DFARS and CMMC?

Updated in 2021, the “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, SP 800-171 Rev. 2” is a comprehensive cybersecurity and data protection framework developed by NIST and designed to protect the so-called Controlled Unclassified Information (CUI), belonging to the US federal government, from the growing supply chain attacks when stored or processed by third-party contractors.

Compliance with the SP 800-171 is de facto mandatory for all vendors and contractors who wish to do business with the US government and federal agencies. Obligatory compliance is established and regulated by the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) for contractors of the federal government and the US Department of Defense (DoD) respectively.

While there is no express mention of the SP 800-171 in FAR, its Section 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems) provides a set of mandatory security controls from the NIST publication to be implemented by the government contractors and suppliers. Many contracts may specifically mention SP 800-171 and other security requirements for vendors.

The situation is different with DFARS, which is administered by the DoD and supplements FAR provisions for defense contractors. DFARS expressly introduces mandatory compliance with the NIST SP 800-171 for the DoD suppliers from the Defense Industrial Base (DIB) by the virtue of DFARS Section 252.204-7012(b)(2) (“Safeguarding Covered Defense Information and Cyber Incident Reporting”). The Section unambiguously says, “the covered contractor information system shall be subject to the security requirements in NIST SP 800-171” and “contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.” Similar to the PCI DSS CDE scoping, DFARS does not require the covered DoD contractors to flatly apply SP 800-171 security controls to the entirety of contractor’s IT systems, but only to those ones that process, transmit or store CUI. Any exclusions from the scope shall be, however, performed with diligence, carefully documented and disclosed.

To ensure and enforce factual compliance with DFARS, in 2019 the Department of Defense introduced the Cybersecurity Maturity Model Certification (CMMC) aimed to externally audit and certify DoD contractors for the SP 800-171 compliance and some additional security requirements. To provide reasonable flexibility and implement a risk-based approach, CMMC has five consecutive levels with different number of security controls proportional to the sensitivity and volume of data that contractor handles on behalf of the DoD. Level 1 requires implementation of just 17 security controls, while Level 5 demands 171 controls. Importantly, CMMC is closely intertwined with the SP 800-171 and contains a considerable number of its security controls. Compliance with SP 800-171 does not automatically make an entity CMMC-compliant, but it will greatly facilitate and speedup CMMC compliance process.

Mandatory CMMC certification is required by the DFARS Section 252.204-7021 (“Cybersecurity Maturity Model Certification Requirement”) since November 2020 for all DoD suppliers and contractors with some narrow exceptions. Compliance with the requisite CMMC level shall be audited by a Certified 3rd Party Assessment Organization (C3PAO) prior to commencement of contract performance.

For federal contractors and suppliers, a non-conformity with SP 800-171 or CMMC may lead to contract termination, payment of contractually stipulated damages, and further loss of governmental business or even a permanent ban from working with the government.

What is the NIST SP 800-171 checklist?

Part 3 (“The Requirements”) of the SP 800-171 provides 14 sections with numerous subsections that contain specific details and comments on how to implement the requirements:

3.1 Access Control
3.2 Awareness and Training
3.3 Audit and Accountability
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.7 Maintenance
3.8 Media Protection
3.9 Personnel Security
3.10 Physical Protection
3.11 Risk Assessment
3.12 Security Assessment
3.13 System and Communications Protection
3.14 System and Information Integrity

The SP 800-171 introduces a risk-based approach to corporate cybersecurity program. Subsection 3.11.2 sets the foundational basis by imposing organizations to periodically assess the risk to organizational operations, organizational assets and individuals, resulting from the operation of organizational systems and the associated processing, storage or transmission of Controlled Unclassified Information (CUI).

Likewise, the SP 800-171 establishes a continuous approach to information security in the next subsection 3.11.2, directing organizations to scan for vulnerabilities in organizational systems and applications periodically and after any updates to the systems. Subsection 3.11.3 concludes with instruction to remediate vulnerabilities in accordance with risk assessments.

NIST compliance ImmuniWeb can help you comply with NIST SP 800-53 and SP 800-171 cybersecurity and data protection requirements. How We Help

What are other NIST Special Publications 800?

Currently, NIST has over 191 Special Publications 800, including drafts and updates. Below are some examples relevant for the emerging cybersecurity and compliance trends.

Updated in 2021, the “Enhanced Security Requirements for Protecting Controlled Unclassified Information, SP 800-172” provides additional security controls for organizations who wish to enhance their SP 800-171 compliance and build highly resilient systems.

To support HIPAA-covered organizations, NIST published the “Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, SP 800-66 Revision 1" dedicated to implementation of the Security Rule under HIPAA/HITECH. The guide is expected to be updated in 2021 to better reflect rapidly evolving cyber threats in healthcare sector.

In response to the growing supply chain attacks against governmental agencies in the US, NIST released “Zero Trust Architecture, SP 800-207” to guide organizations through the creation and maintenance of zero trust networks and IT ecosystems. In a zero-trust architecture, no presumed or implied trust is assigned to any IT assets or users based on their location or ownership.

Finally, the “IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements, SP 800-213” gives federal agencies practical guidelines on IoT security best practices. While still being a draft in 2021, the SP 800-213 will likely become the key technical document to detail regulation of IoT security and privacy practices by the federal government.

List of authoritative NIST SP 800-52 and SP 800-171 resources

Share on Twitter Share on LinkedIn Share on Facebook
Book a Call Ask a Question
Talk to ImmuniWeb Experts
Have a technical question?

Our security experts will answer within
one business day. No obligations.

Have a sales question?
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
Your data will stay private and confidential