NIST 800-171 Compliance

How CimTrak Helps With NIST 800-171 Compliance

Manage Basic Cyber Hygiene and Secure Infrastructures

COMPLIANCE & AUDITING

Continuous compliance with prescriptive steps to remediate failed systems ensuring they are in a trusted and expected state.

RISK MANAGEMENT

Monitor critical configurations to ensure a compliant state. CimTrak operates in real-time enabling Mean-Time-To-Identify (MTTI) security incidents in seconds.

MANAGE VULNERABILITIES

Monitor your environment. Don't let unauthorized access occur with your routers, firewalls, and network devices.

CimTrak Simplifies NIST 800-171 Compliance

NIST special publication 800-171, called the Defense Federal Acquisition Regulation Supplement (DFARS), deals with the unique risk existing when information is managed and controlled in nonfederal systems and organizations where Controlled Unclassified Information (CUI) is processed, stored, and transmitted.

NIST 800-171 Rev2

CimTrak addresses

3.1 Access Control (AC)
3.3 Audit and Accountability (AU)
3.4 Configuration Management (CM)
3.8 Media Protection (MP)
3.11 Risk Assessment (RA)
3.12 Security Assessment (CA)
3.13 System and Communications Protection (SC)
3.14 System and Information Integrity (SI)

What about NFO Controls?

NIST 800-171 is comprised of 14 control categories totaling 110 controls in addition to another 62 Non-Federal Organization (NFO) controls.

As defined by NIST 800-171, NFO controls are “expected to be routinely satisfied by non-federal organizations without specification.”
In this context, the term “without specification” means that NIST approaches these NFO requirements as basic expectations that do not need a detailed description, since they are fundamental components of any organization’s security program.

Of the 14 control categories, 110 controls and 62 NFO controls, CimTrak addresses 8 control categories, 33 discrete controls and 13 NFO controls.

A crosswalk is given for all CimTrak products if they provide a control, automated scan, or enable a process, procedure or policy to assist with the evidence collection to meet the objective of a defined domain, category, control, standard, component or assessment factor.

NFO Controls CimTrak Addresses

SA-10 Developer Configuration Management
SI-1 System and Information Integrity Policy and Procedures
SI-4(5) Information System Monitoring | System-Generated Alerts
AU-1 Audit and Accountability Policy and Procedures
CA-7(1) Continuous Monitoring | Independent Assessment
CM-1 Configuration Management Policy and Procedures
CM-2(1) Baseline Configuration | Reviews and Updates
CM-2(7) Baseline Configuration | Configure Systems, Components, or Devices for High-Risk Areas
CM-3(2) Configuration Change Control Test / Validate / Document Changes
CM-8(5) Information System Component Inventory | No Duplicate Accounting of Components
CM-9 Configuration Management Plan
RA-5(1) Vulnerability Scanning | Update Tool Capability
RA-5(2) Vulnerability Scanning | Update by Frequency / Prior to New Scan / When Identified

Complying with 800-171 does not mean you will automatically pass a CMMC audit, as CMMC includes 3 additional domains (Asset Management, Recovery, and Situation Awareness) and 2 non-NIST 800-171 controls.