Initially introduced in June 2015 and updated to Revision 2 in February 2020, NIST SP 800-171 is a comprehensive security framework that applies to the components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components. These components include mainframes, workstations, servers, I/O devices, network components, networking systems, storage devices, virtual machines, and applications.
Applicability of NIST 800-171:
NIST SP 800-171 was created to fulfill NIST's responsibilities under the Federal Information Security Modernization Act (FISMA), and implementing it is required of manufacturers and other contractors that want to work with the Department of Defense (DoD), the General Services Administration (GSA), the National Aeronautics and Space Administration (NASA), and other federal or state agencies.
As per the official document (Page 2 of Chapter 1), “Nonfederal organizations that collect or maintain information on behalf of a federal agency or that use or operate a system on behalf of an agency, must comply with the requirements in FISMA, including the requirements in FIPS 200 and the security controls in SP 800-53.”
Implementing the requirements of NIST SP 800-171 helps contractors demonstrate that they have adequate security provisions for protecting covered information to comply with Federal Acquisition Regulation (FAR) & Defense Federal Acquisition Regulation Supplement (DFARS) requirements.
The scope of NIST SP 800-171 is comprehensive, but for this article, we will only focus on its digital media sanitization requirements for protecting CUI.
What is Controlled Unclassified Information (CUI)?
CUI, or Controlled Unclassified Information, is a type of sensitive information within the US federal system. This type of information is not classified, yet it requires protection to safeguard it from unauthorized access.
A few examples of CUI include:
- Personally Identifiable Information (PII): Any information that can identify a specific individual and includes details like name, email ID, address, Social Security Number (SSN), Date of Birth (DOB), etc.
- Sensitive But Unclassified (SBU): Any sensitive information that is not classified but still requires protection, like research data, proprietary information, etc.
- Proprietary Business Information (PBI): Any information exclusive to a company or a business is PBI; it can include business strategies, product blueprints, client information, etc. It is any information that, if accessed by unauthorized persons, can harm a business or company.
- For Official Use Only (FOUO): Any information within the US federal system not meant for public release is FOUO. It can include office correspondence, inter-department communication, government reports, critical infrastructure details, etc.
President Obama established the CUI program in 2008, and it operates under the purview of the National Archives and Records Administration (NARA), with oversight responsibilities falling to the Information Security Oversight Office (ISOO) acting as the Executive Agent (EA). As cited in the official document, page 29 of chapter 3, “NARA policy and guidance control sanitization processes for controlled unclassified information.”
The purpose of the CUI program is to replace individual agency information categories like PII, SBU, PBI, and FOUO with a common umbrella term, CUI, to facilitate the seamless sharing and safeguarding of sensitive information among federal bodies and contractors. Federal contractors, especially those working within the Defense Industrial Base (DIB), must obtain certification under the Cybersecurity Maturity Model Certification (CMMC) program. The CMMC 2.0 compliance requirements closely align with the NIST SP 800-171 and NIST SP 800-172 guidelines.
Notably, media sanitization plays an essential role in protecting CUI and in meeting CMMC compliance. You can read our article to learn about CMMC media sanitization requirements.
NIST 800-171 Media Sanitization Requirements for CUI Protection:
Media sanitization refers to the process of permanently removing data from the digital storage media found in workstations, networking equipment, scanners, copiers, computers, laptops, Macs, notebooks, mobile devices, etc.
The NIST SP 800-171 CUI protection guidelines state one derived security requirement and one basic security requirement for protecting media before off-site maintenance, disposal, or release for reuse. They appear in sections 3.7.3 and 3.8.3, respectively; let us discuss them in detail:
Maintenance (Section 3.7)
- Derived Security Requirements Section 3.7.3 (Page 28)
“Ensure equipment removed for off-site maintenance is sanitized of any CUI”
This requirement covers any equipment containing CUI that is sent off-site for maintenance: it must be sanitized before it leaves the premises.
For media sanitization, NIST SP 800-171 recommends following the NIST SP 800-88 Media Sanitization guidelines, which select the sanitization method based on data classification.
Media Protection (Section 3.8)
- Basic Security Requirements Section 3.8.3 (Page 29)
“Sanitize or destroy system media containing CUI before disposal or release for reuse.”
This requirement applies to any system or storage media containing CUI, including digital media (hard drives, SSDs, and the storage in laptops, desktops, Mac devices, mobile devices, etc.) and non-digital media (paper, microfilm, etc.). The media must be sanitized or destroyed before it is reused or disposed of. To prevent unauthorized disclosure of CUI, NIST SP 800-171 points to sanitization techniques such as clearing, purging, cryptographic erase, and physical destruction. You can consult the official NIST SP 800-88 Media Sanitization guidelines to understand the specific procedures for each method, or refer to our article on NIST Clear, NIST Purge, or Data Destruction Methods & Techniques.
The publication further references media sanitization in Appendix D (Mapping Tables). The purpose of these tables is to map the basic and derived security requirements to related security controls in NIST SP 800-53 and ISO/IEC 27001.
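The paragraph above names the techniques but not what "sanitize" means operationally. The following is an added example (not code from the article or from BitRaser) modelling the NIST SP 800-88 Clear technique, a single-pass overwrite, together with the read-back verification 800-88 expects before media is released; the in-memory "media", the 512-byte sector size, the sampling fraction and the record fields are assumptions for illustration.

```python
import hashlib
import random

# Added example, not from the article or BitRaser: simplified SP 800-88 "Clear"
# (overwrite all addressable space with a fixed pattern) plus verification.
# The "media" is a constructed bytearray; SECTOR, sampling fraction and the
# record layout are assumptions.
SECTOR = 512  # assumed logical sector size

def make_test_media(sectors: int, seed: int = 1) -> bytearray:
    """Constructed sample media: deterministic pseudo-random bytes standing in for CUI."""
    return bytearray(random.Random(seed).randbytes(sectors * SECTOR))

def clear_overwrite(media: bytearray, pattern: bytes = b"\x00") -> None:
    """Clear: overwrite every sector in place with the repeating pattern."""
    assert len(media) % SECTOR == 0 and SECTOR % len(pattern) == 0
    fill = pattern * (SECTOR // len(pattern))
    for off in range(0, len(media), SECTOR):
        media[off:off + SECTOR] = fill

def verify_sectors(media: bytes, pattern: bytes, sample_fraction: float = 1.0, rng=None) -> dict:
    """Verify the overwrite: full read-back (fraction 1.0) or representative sampling.
    Sampling always includes the first and last sectors plus random interior ones."""
    n = len(media) // SECTOR
    fill = pattern * (SECTOR // len(pattern))
    if sample_fraction >= 1.0:
        chosen = range(n)
    else:
        rng = rng or random.SystemRandom()
        chosen = {0, n - 1} | set(rng.sample(range(n), max(1, int(n * sample_fraction))))
    failed = sorted(i for i in chosen if media[i * SECTOR:(i + 1) * SECTOR] != fill)
    return {"sectors_checked": len(chosen), "failed_sectors": failed, "passed": not failed}

def sanitization_record(media_id: str, method: str, result: dict, media: bytes) -> dict:
    """Evidence for a certificate of sanitization; the fields loosely follow SP 800-88
    Appendix G, but this exact layout is an assumption, not the 800-88 form."""
    full = result["sectors_checked"] == len(media) // SECTOR
    return {"media_id": media_id, "method": method,
            "verification": "full" if full else "sampled", "passed": result["passed"],
            "post_sanitization_sha256": hashlib.sha256(media).hexdigest()}

if __name__ == "__main__":
    disk = make_test_media(2048)
    clear_overwrite(disk)
    print(sanitization_record("constructed-disk-0001", "Clear (single-pass overwrite)",
                              verify_sectors(bytes(disk), b"\x00"), bytes(disk)))
```

A real Clear pass writes through the device's block interface rather than to a buffer, and Purge or cryptographic erase on SSDs relies on firmware commands this overwrite model does not cover.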
| NIST 800-171 Security Requirements | NIST SP 800-53 Controls | ISO 27001 Controls |
|---|---|---|
| Section 3.7.3 (Derived Security Requirement): Ensure equipment removed for off-site maintenance is sanitized of any CUI. | MA-2 Controlled Maintenance | A.1.7.9 Security of assets on off-site premises; A.1.7.13 Equipment maintenance, integrity and confidentiality of information |
| Section 3.8.3 (Basic Security Requirement): Sanitize or destroy system media containing CUI before disposal or release for reuse. | MP-6 Media Sanitization | A.1.7.10 Information deletion/disposal through the device lifecycle; A.1.7.14 Secure disposal or reuse of equipment (overwrite and verify before disposal) |
Safeguard CUI: Sanitize Media Using BitRaser
BitRaser can help federal contractors and manufacturers comply with NIST SP 800-171 by permanently wiping CUI from digital media. The drive eraser software is a NIST- and DHS-tested drive-wiping tool that can erase data from all types of HDDs and SSDs in laptops, desktops, Macs, and servers using globally recognized standards such as NIST 800-88 Clear and Purge, US DoD 5220.22, HMG IS5, etc. BitRaser is also certified under Common Criteria, which is considered the highest standard for Information Technology Security Evaluation.
BitRaser permanently wipes CUI and generates a Certificate of Erasure modeled after the NIST 800-88 ‘Certificate of Sanitization’. It helps contractors demonstrate that their devices have been permanently wiped and that no fragments of CUI remain on their drives or devices. A mobile eraser variant is also available for wiping mobile devices.