NIST SP 800-171

  • Artikel
  • 9 menit untuk membaca

NIST SP 800-171 overview

The National Institute of Standards and Technology (NIST) SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations provides guidelines for the protection of controlled unclassified information (CUI) in nonfederal information systems and organizations. It is tailored to nonfederal systems, allowing nonfederal organizations to be in compliance with statutory and regulatory requirements, and to consistently implement safeguards for the protection of CUI. NIST SP 800-171 is intended to be used by federal agencies in contracts or other agreements established with nonfederal organizations.

The CUI Registry provides specific categories of information that is under protection by the Executive branch, for example, more than 20 category groupings are included in the CUI category list, such as:

Azure and NIST SP 800-171

The US Federal Risk and Authorization Management Program (FedRAMP) was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. FedRAMP is based on the National Institute of Standards and Technology (NIST) SP 800-53 standard, augmented by FedRAMP controls and control enhancements. Both Azure and Azure Government maintain a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB).

Mapping tables in the NIST SP 800-171 Appendix D (D1 through D14) provide control mapping between CUI security requirements and relevant security controls in NIST SP 800-53, indicating that NIST SP 800-171 represents a subset of the NIST SP 800-53 controls for which Azure has already been assessed and authorized under FedRAMP. Therefore, you can be assured that FedRAMP High baseline addresses fully and exceeds the requirements of NIST SP 800-171. All Azure and Azure Government services that have received FedRAMP High P-ATO conform to the NIST SP 800-171 requirements and can accommodate customers looking to deploy CUI workloads.

Moreover, an accredited third-party assessment organization (3PAO) has attested that Azure Government meets the criteria in the NIST SP 800-171 if the system processes CUI. Customers can download the 3PAO attestation letter from the Azure Government portal audit reports blade (sign in required).

For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiatives for Azure and Azure Government, which map to NIST SP 800-171 compliance domains and controls:

Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each NIST SP 800-171 control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

Azure and U-NNPI

The Naval Nuclear Propulsion Program was created under Executive Order 12344 (see also 50 USC 2511). It comprises the military and civilian personnel who design, build, operate, maintain, and manage the nuclear-powered ships and the many facilities that support the US nuclear-powered naval fleet. The program provides the design, development, and operational support required to enable militarily effective nuclear propulsion plants and ensure their safe, reliable and long-lived operation.

Naval Nuclear Propulsion Information (NNPI) that is designated as CUI is listed in the CUI category list. Unclassified NNPI (U-NNPI) is marked Not Releasable to Foreign Nationals (NOFORN), and it may not be released publicly or disclosed to foreign nationals. Table 1 and Exhibit 1 in OPNAVINST N9210.3 Safeguarding of Naval Nuclear Propulsion Information (NNPI) discuss the different classification levels/handling controls for NNPI, including access requirements for U-NNPI. Azure Government can accommodate U-NNPI workloads because it is designed to meet specific controls that restrict access to information and systems to US persons among Azure operations personnel. Azure Government also imposes background screening requirements mandated by US Government on operations personnel with access to production systems. For more information, see Screening and Azure support for export controls. Moreover, an accredited third-party assessment organization (3PAO) has attested that Azure Government has implemented the security controls that are part of the Navy's security overlay.

Note

You must contact Naval Reactors (Naval Nuclear Propulsion Program) to obtain authorization prior to hosting unclassified NNPI (U-NNPI) on Azure Government.

Applicability

  • Azure
  • Azure Government

Services in scope

  • Azure services in scope for NIST SP 800-171 reflect Azure FedRAMP High scope.
  • Azure Government services in scope for NIST SP 800-171 reflect Azure Government FedRAMP High scope.

Office 365 and NIST SP 800-171

For more information about Office 365 compliance, see Office 365 NIST SP 800-171 documentation.

Attestation documents

You can request Azure and Azure Government FedRAMP documentation directly from the FedRAMP Marketplace by submitting a package access request form. You must have a .gov or .mil email address to access a FedRAMP security package directly from FedRAMP.

An accredited third-party assessment organization (3PAO) has attested that Azure Government meets the criteria in the NIST SP 800-171 if the system processes CUI. Moreover, a separate attestation of compliance regarding the Naval Nuclear Propulsion Information (NNPI) is provided to show that Azure Government has implemented the security controls that are part of the Navy's security overlay. You must contact Naval Reactors (Naval Nuclear Propulsion Program) to obtain authorization prior to hosting U-NNPI in Azure Government.

You can access certain audit reports and certificates in the Azure or Azure Government portal by navigating to Home > Microsoft Defender for Cloud > Regulatory compliance > Audit reports or using direct links based on your subscription (sign in required).

You must have an existing subscription or free trial account in Azure or Azure Government to download audit documents. The following documents are available:

  • Azure Commercial System Security Plan (SSP) is available from the Service Trust Portal (STP) Audit Reports – FedRAMP Reports section. You must sign in to access audit reports on the STP. For more information, see Get started with the Microsoft Service Trust Portal.
  • Azure Government – Attestation of Compliance with NIST SP 800-171 is available from the Azure Government portal.
  • Azure Government – Attestation of Compliance with NNPI is available from the Azure Government portal.

Select Azure Government FedRAMP documentation, including System Security Plan (SSP), continuous monitoring reports, Plan of Action and Milestones (POA&M), and so on, are available under NDA and pending access authorization from the Service Trust Portal Audit Reports – FedRAMP Reports section. Contact your Microsoft account representative for assistance.

Frequently asked questions

Can I use Azure NIST SP 800-171 compliance offering for my organization?
Yes. You may use Azure or Azure Government FedRAMP High P-ATO as the foundation for any compliance program that relies on NIST SP 800-53 control requirements, including NIST SP 800-171. Control implementation details are documented in the FedRAMP System Security Plan (SSP). Moreover, you may also benefit from an attestation produced by a 3PAO that Azure Government meets the criteria in the NIST SP 800-171 if the system processes CUI. These reports attest to the effectiveness of the controls Microsoft has implemented for in-scope cloud services. Microsoft doesn't inspect, approve, or monitor your Azure applications. You're responsible for ensuring that your CUI workloads comply with NIST SP 800-171 guidelines.

Where can I get the Azure NIST SP 800-171 attestation documents?
For links to audit documentation, see Attestation documents. You must have an existing subscription or free trial account in Azure or Azure Government to sign in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.

Should I use Azure or Azure Government for workloads that are subject to NIST SP 800-171?
You're wholly responsible for ensuring your own compliance with all applicable laws and regulations, and should consult your legal advisor for questions regarding regulatory compliance. Azure and Azure Government have the same security controls in place, including the same provisions for the safeguarding of customer data. For example, both cloud environments provide the same controls for data encryption, including support for customer-managed encryption keys stored in FIPS 140 validated hardware security modules (HSMs) managed by Azure Key Vault.

The Azure Policy regulatory compliance built-in initiative maps to NIST SP 800-171 compliance domains and controls in both Azure and Azure Government. Azure Policy helps to enforce organizational standards and assess compliance at scale. The cloud environment decision will rest with you based on your business requirements. Most US government agencies and their partners are best aligned with Azure Government, which provides an extra layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons.

Can Azure Government accommodate U-NNPI?
Yes; however, you must contact Naval Reactors (Naval Nuclear Propulsion Program) to obtain authorization prior to hosting U-NNPI in Azure Government. Naval Nuclear Propulsion Information (NNPI) that is designated as CUI is listed in the CUI category list. Unclassified NNPI (U-NNPI) is marked Not Releasable to Foreign Nationals (NOFORN), and it not be released publicly or disclosed to foreign nationals. Azure Government can accommodate U-NNPI workloads because it is designed to meet specific controls that restrict access to information and systems to US persons among Azure operations personnel. Azure Government also imposes background screening requirements mandated by US Government on operations personnel with access to production systems. For more information, see Screening and Azure support for export controls. Moreover, an accredited third-party assessment organization (3PAO) has attested that Azure Government has implemented the security controls that are part of the Navy's security overlay.

Resources