NIST 800-171 compliance
Maytech’s information security management system (ISMS) is compliant with NIST 800-171 and is certified with the international standard ISO 27001:2013 for which we are audited twice a year by Lloyd’s Register Quality Assurance, one of the leading business assurance providers globally.
This article explains the NIST 800-171 standard and the corresponding areas of the international standard for information security, ISO 27001. Skip to the end for a breakdown of the areas which do not map directly but with which Maytech is compliant.
Further information is available on our NIST 800-171 compliance data sheet.
What is NIST 800-171?
NIST 800-171 guidelines were developed by the National Institute of Standards and Technology, a non-regulatory agency of the United States Department of Commerce.
Their purpose is to provide recommendations on security controls for information systems at companies dealing with federal agencies, thus helping them ensure compliance with HIPAA, SOX, and other related US regulations.
While not an international standard, this set of recommendations is, in fact, a US equivalent to ISO 27001.
Proving compliance with NIST 800-171
ISO 27001 and NIST 800-171 both cover the same areas of information security, but there are differences in the way they are implemented, so one does not map precisely to the other. Depending on which standard you are operating under, a mapping exercise is required to demonstrate compliance with the other.
Similarities Between NIST 800-171 and ISO 27001
Even though NIST 800-171 and ISO 27001 have some differences, there are many similarities between the two. NIST 800-171 is designed specifically for non-federal (commercial) enterprises, with a separate set of guidelines – NIST 800-57 – developed to cover federal systems and organisations, whereas ISO 27001 is a more general standard applicable to organisations of all types.
NIST 800-171 and NIST 800-57 can be mapped to each other, and to the international ISO 27001 standard, in key control areas including:
- Authorise Access to Security Functions
- Non-Privileged Access for Non-security Functions
- Auditing Use of Privileged Functions
- Automated Monitoring / Control
- Protection of Confidentiality / Integrity Using Encryption
- Managed Access Control Points
- Authentication and Encryption
- Full Device / Container-Based Encryption
- Portable Storage Devices
- Publicly Accessible Content
- Role-Based Security
- Processing Failures
- Configuration Settings
- Device Identification and Authentication
- Password-Based Authentication
- Incident Monitoring
- Cryptographic Protection
- Risk Assessment
- Vulnerability Scanning
- Voice over Internet Protocol
- Protection of Information at Rest
- Security Alerts, Advisories, and Directives
- Inbound and Outbound Communications Traffic
Indirect Mappings: ISO 27001 to NIST 800-171
Appendix D of the NIST 800-171 (Revision 1) publication maps each requirement statement against the equivalent control in ISO 27001.
There are some NIST 800-171 requirements which have no direct mapping, or for which the equivalent ISO 27001 control has an asterisk against it, indicating that the ISO control “does not fully satisfy the intent of the NIST control”. Maytech is compliant in each of these areas and can provide further details for any specific area on request.
The table below lists these specific differences, taken from Appendix D of NIST 800-171:
| NIST 800-171 requirement | NIST SP 800-53 relevant security controls | Maytech compliance status |
|---|---|---|
| 3.1.5 | AC-6(1) Least Privilege: Authorize Access to Security Functions | |
| | AC-6(5) Least Privilege: Privileged Accounts | |
| 3.1.6 | AC-6(2) Least Privilege: Non-Privileged Access for Non-security Functions | |
| 3.1.7 | AC-6(9) Least Privilege: Auditing Use of Privileged Functions | |
| | AC-6(10) Least Privilege: Prohibit Non-Privileged Users from Executing Privileged Functions | |
| 3.1.10 | AC-11(1) Session Lock: Pattern-Hiding Displays | |
| 3.1.11 | AC-12 Session Termination | |
| 3.1.12 | AC-17(1) Remote Access: Automated Monitoring / Control | |
| 3.1.13 | AC-17(2) Remote Access: Protection of Confidentiality / Integrity Using Encryption | |
| 3.1.14 | AC-17(3) Remote Access: Managed Access Control Points | |
| 3.1.15 | AC-17(4) Remote Access: Privileged Commands / Access | |
| 3.1.17 | AC-18(1) Wireless Access: Authentication and Encryption | |
| 3.1.19 | AC-19(5) Access Control for Mobile Devices: Full Device / Container-Based Encryption | |
| 3.1.20 | AC-20(1) Use of External Systems: Limits on Authorized Use | |
| 3.1.21 | AC-20(2) Use of External Systems: Portable Storage Devices | |
| 3.1.22 | AC-22 Publicly Accessible Content | |
| 3.2.1-3.2.2 | AT-3 Role-Based Security | |
| 3.2.3 | AT-2(2) Security Awareness Training: Insider Threat | |
| 3.3.1-3.3.2 | AU-2 Audit Events | |
| | AU-3 Content of Audit Records | |
| | AU-3(1) Content of Audit Records: Additional Audit Information | |
| 3.3.3 | AU-2(3) Audit Events: Reviews and Updates | |
| 3.3.4 | AU-5 Response to Audit Processing Failures | |
| 3.3.5 | AU-6(3) Audit Review, Analysis, and Reporting: Correlate Audit Repositories | |
| 3.3.6 | AU-7 Audit Reduction and Report Generation | |
| 3.3.7 | AU-8(1) Time Stamps: Synchronization with Authoritative Time Source | |
| 3.3.9 | AU-9(4) Protection of Audit Information: Access by Subset of Privileged Users | |
| 3.4.1, 3.4.2 | CM-2 Baseline Configuration | |
| | CM-6 Configuration Settings | |
| | CM-8(1) System Component Inventory: Updates During Installations / Removals | |
| 3.4.6 | CM-7 Least Functionality | |
| 3.4.7 | CM-7(1) Least Functionality: Periodic Review | |
| | CM-7(2) Least Functionality: Prevent Program Execution | |
| 3.4.8 | CM-7(4) Least Functionality: Unauthorized Software / Blacklisting | |
| | CM-7(5) Least Functionality: Authorized Software / Whitelisting | |
| 3.5.1, 3.5.2 | IA-3 Device Identification and Authentication | |
| 3.5.3 | IA-2(1) Identification and Authentication (Organisational Users): Network Access to Privileged Accounts | |
| | IA-2(2) Identification and Authentication (Organisational Users): Network Access to Non-Privileged Accounts | |
| | IA-2(3) Identification and Authentication (Organisational Users): Local Access to Privileged Accounts | |
| 3.5.4 | IA-2(8) Identification and Authentication (Organisational Users): Network Access to Privileged Accounts - Replay Resistant | |
| | IA-2(9) Identification and Authentication (Organisational Users): Network Access to Non-Privileged Accounts - Replay Resistant | |
| 3.5.7-10 | IA-5(1) Authenticator Management: Password-Based Authentication | |
| 3.6.1 | IR-2 Incident Response Training | |
| 3.6.1-2 | IR-5 Incident Monitoring | |
| | IR-7 Incident Response Assistance | |
| 3.6.3 | IR-3 Incident Response Testing | |
| 3.7.1 | MA-2 Controlled Maintenance | |
| 3.7.1-2 | MA-3 Maintenance Tools | |
| | MA-3(1) Maintenance Tools: Inspect Tools | |
| | MA-3(2) Maintenance Tools: Inspect Media | |
| 3.7.3 | MA-2 Controlled Maintenance | |
| 3.7.4 | MA-3(2) Maintenance Tools | |
| 3.7.5 | MA-4 Non-local Maintenance | |
| 3.7.6 | MA-5 Maintenance Personnel | |
| 3.8.6 | MP-5(4) Media Transport: Cryptographic Protection | |
| 3.8.8 | MP-7(1) Media Use: Prohibit Use Without Owner | |
| 3.10.1 | PE-2 Physical Access Authorizations | |
| 3.10.1-2 | PE-6 Monitoring Physical Access | |
| 3.11.1 | RA-3 Risk Assessment | |
| 3.11.2, 3.11.3 | RA-5 Vulnerability Scanning | |
| 3.11.2 | RA-5(5) Vulnerability Scanning: Privileged Access | |
| 3.12 | CA-5 Plan of Action and Milestones | |
| | CA-7 Continuous Monitoring | |
| 3.13.3 | SC-2 Application Partitioning | |
| 3.13.4 | SC-4 Information in Shared Resources | |
| 3.13.6 | SC-7(5) Boundary Protection: Deny by Default / Allow by Exception | |
| 3.13.7 | SC-7(7) Boundary Protection: Prevent Split Tunneling for Remote Devices | |
| | SC-8(1) Transmission Confidentiality and Integrity: Cryptographic or Alternate Physical Protection | |
| 3.13.12 | SC-15 Collaborative Computing Devices | |
| 3.13.13 | SC-18 Mobile Code | |
| 3.13.14 | SC-19 Voice over Internet Protocol | |
| 3.13.15 | SC-23 Session Authenticity | |
| 3.13.16 | SC-28 Protection of Information at Rest | |
| 3.14.3 | SI-5 Security Alerts, Advisories, and Directives | |
| 3.14.6 | SI-4 System Monitoring | |
| | SI-4(4) System Monitoring: Inbound and Outbound Communications Traffic | |
| 3.14.7 | SI-4 System Monitoring | |
Maytech is a security specialist and works hard to maintain a very secure file sharing platform for our customers. If you have any questions on compliance or our services, please contact us to discuss the specific requirements of your organisation.