Overview
The following is a guide for NIST 800-171 compliance. The introduction section includes a background on NIST and how being part of Microsoft's CSP (Cloud Solution Provider) program can help. The implementation section then goes over how to use Microsoft's Compliance Manager to adopt best practices.
Introduction
What is NIST?
The National Institute of Standards and Technology is the United States agency tasked with advancing measurement science, standards and technology in ways that enhance economic security and improve quality of life. The Federal Information Security Modernization Act (FISMA) established NIST as the agency responsible for developing information security standards and guidelines for federal information systems. NIST published Special Publication 800-171, titled "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations", or NIST 800-171 for short.
NIST 800-171 is a guideline for non-federal organizations that must securely process CUI (Controlled Unclassified Information) within internal and external information systems in support of federal activities. NIST based 800-171 on 800-53 but removed the controls, or parts of controls, that are uniquely federal and not expected of nonfederal organizations. However, don't let this fool you into thinking that compliance is easy.
NIST + Office 365
Not many people think of Office 365's productivity stack when it comes to maintaining compliance, but it is actually a great solution that is affordable for most organizations. You have the ability to implement security solutions that satisfy the requirements of NIST 800-171 by using Microsoft's CSP program. NIST 800-171 contains a comprehensive set of 109 requirements, so it's nothing to mess around with! Microsoft has released its Compliance Manager portal, which helps you meet data protection and regulatory requirements. I am going to take you through this portal and show you how to set up an assessment specifically for NIST 800-171.
Compliance Manager
Implementation Steps:
Sign In
https://servicetrust.microsoft.com/ComplianceManager
Score
After the assessment is created, you will receive a new table with a "score": the numerator is the number of points you have accumulated with the systems currently in place, and the denominator is the total points you can earn. Click Actions > Review your actions to see a list of tasks to complete.
Microsoft Managed Controls
You will notice that Microsoft has already conducted its own audit of the controls it is responsible for, and you can see a list of its activities by expanding this tab.
Customer Managed Controls
Expand
If you expand each section, you will see more detailed information; the sections have a project-management-like feel.
Project Management
You can assign these tasks to users, add relevant documents, select statuses, set test dates, and more.
Obtain KBs
If you expand the "more" icon, you can drill into customer actions to get more detailed information on what this part of the compliance entails and the steps you can take to gain points and achieve compliance in 365. Additionally, you can add notes to this tab that all users who enter the portal can see.
Guides
Clicking the Read More button, as shown above, gives you even more detail and links to support articles that walk you through detailed implementation.
Support/Setup
Scrolling down even further, there are more links to relevant KB articles.
Conclusion
This is the first iteration of this documentation. Ideally you would want a step-by-step guide walking through the setup of what Microsoft recommends, rather than reading through many support articles. You can walk through each step and configure the recommended controls to boost your score in the Compliance Manager. Use this as a project management template and divide the work and testing among your team. Version 2.0 of this documentation will include a step-by-step guide for implementation.