The NIST 800-171 standards may seem a bit overwhelming to those who are just starting to venture out into the world of cybersecurity planning. There are a total of 109 controls or requirements divided among the 14 families within NIST 800-171. Understanding and implementing changes to address each will take some time— typically six months or longer.

Getting started is the first hurdle. Especially since the first family, Access Control starts off with a list of 22 controls! I’d recommend you go through NIST 800-171 with a “choose your own adventure” style. Rather than starting on page one and sequentially addressing each family or control in order, review each family and skim the controls within to find those that are easiest for your business to address first.

Customizing your sequence of addressing the controls will make the process more meaningful and more efficient for you. Plus, you’ll gain familiarity with the standards as you work through the easiest-for-you controls which will make the more complicated controls more understandable.

I even have five recommended controls to start you out in your adventure:

1. User awareness—phishing
2. Two-factor authentication
3. Patching
4. Firewalling
5. Antivirus/antimalware

User awareness/phishing is part of the awareness and training family. Education and training are very important to any cybersecurity program! Even with the best technology protections in place, one human error can open your systems up to a threat. Keeping everyone aware of cybersecurity risks and how their actions and activities impact those risks is the backbone of any cybersecurity plan. I recommend starting out with awareness training on phishing because phishing remains the number one way for outsiders to gain access to your system. People continue to fall victim to phishing scams and click links and even provide usernames and passwords to imposters.

To get an idea of how a phishing attack works check out the Cybersecurity Incident Response video featuring Deb Crawford, Internet of Things (IoT) Research Lead at the Laboratory for Analytic Sciences at North Carolina State University.

Two-factor authentication is part of the identification and authentication family.  Implementing two-factor (or multi-factor) authentication protects your system by adding a layer of security around access point to your systems. This can prevent unauthorized access to your system using a stolen or compromised username and password.

With two-factor authentication, a person attempting to log in to your system would need to go through two steps to verify that they are allowed on the system. First, they would need a username and password. Second, they may need to enter an access code they retrieve from their smartphone. Or, perhaps they need to scan their fingerprint. It is often described as “something you know and something you have.” The password is something that the person knows and the smartphone or finger is something that they have.

Patching is part of the configuration management family. Keeping your software programs and hardware patched closes another popular vulnerability that exposes your assets. Many successful hacks are made possible through the exploitation of outdated or unpatched software. Make sure to update your operating system, antivirus program and definitions, malware detection software, firewall and any software applications and hardware devices that run on or are connected to your systems. Apply patches as soon as possible and regularly check for upcoming updates that can be scheduled to run in advance.

Firewalling is part of the system and communication protection family. A firewall is your boundary protection keeping your systems separated from the outside world. It monitors inbound and outbound communication happening in your network. The firewall is the first line of defense that can block unauthorized access to your system while still allowing your system to communicate with designated parts of the outside world. Your firewall should be set to deny all network communications and allow only authorized communications using permit by exception.

Antivirus/Antimalware is part of the system and information integrity family. Viruses, worms, hijackers, Trojans, Spyware, Adware, Ransomware and more are abundant. These attacks are looking for any vulnerability to get into your system. An early line of defense is having antivirus and antimalware programs running on your systems. Run scans of your system regularly. Set these program to alert an administrator of any malicious code detection while also blocking off the code from your system. And, always keep the programs and definitions updated!


Katherine Bennett

Katherine Bennett leads the Instructional Design team for NCMEP partner NC State Industry Expansion Solutions. She also serves as project manager for instructional design services. Katherine plays a key leadership role in supporting the IES goal of providing instructional design and development expertise that complements the field-specific expertise of IES partners, while meeting the learning needs of target audiences. Katherine holds a bachelor’s degree in Computer Science from the University of North Carolina at Charlotte and a master’s degree in Instructional Technology from East Carolina University.