NIST 800-171: 6 things you need to know about this new learning path
Too many businesses are dangerously ignorant about NIST 800-171. That’s the battle cry from Dave Hatter, an in-the-trench cyber defender and Infosec author. “When nation-state actors from China, Russia and North Korea are trying to steal information,” says Dave, “we need to raise awareness.”
NIST 800-171, a cybersecurity framework of 110 controls published by the National Institute of Standards and Technology (NIST), is growing in importance and is already mandatory for some manufacturers contracting with the government.
If you’re looking to break into cybersecurity and you’re policy-oriented, this path is a ticket to a lucrative career. If you’re already defending against cyber threats, NIST 800-171 will significantly increase your success.
“Nothing's foolproof,” states Dave Hatter, with perspective garnered over 30 years as an IT veteran. “There's no way to be absolutely unhackable, but if you implemented all 110 of these controls, there's no doubt you would be vastly more secure than other businesses.”
We talked to Hatter about his new 800-171 learning path, who should take these courses and his take on closing the skills gap and entering the field.
Why did you create the NIST 800-171 learning path?
Dave: I spent 25 years as a software engineer and increasingly realized that most software developers have little to no training in cybersecurity. Our entire society depends on software; it’s a good time to raise awareness.
As a guy in the trenches writing software, I used to see the security people as the enemy slowing me down, creating impediments and making me miss my deadlines and budgets. But, I have a whole new perspective now. I believe cybersecurity is vital in general and critical in the manufacturing and DoD space.
Eventually, you're going to see most, if not all, companies having to comply with some aspects of NIST-171 to get assurance and comply with some type of government regulation. NIST-171 is a big mountain to climb. This path helps you get there.
Who should take these courses?
Dave: Any IT professional interested in cybersecurity, or any cybersecurity professional. There's value for anyone who cares about cybersecurity in understanding 800-171 and attempting to comply with some or all of the controls. These courses are most relevant for folks who are dealing with the government.
If you're an employee of an organization facing compliance, these courses will give you a leg up. You’ll have the advantage of all the information we've compiled and shared here versus trying to figure this out yourself. You could find a lot of information out there, but stuff's all over the map. Here, you’ll have an excellent understanding of what you need to do and some tips, tricks and tools on how to do it.
What will students learn?
Dave: This learning path will teach you how to comply with the requirements of NIST 800-171.
We'll look at the history of NIST and how we got to where we are. We’ll ask, what does 800-171 mean? Who does it apply to? Students will learn about the 14 families of the 110 controls. You’ll learn tools for managing the NIST process and implementing the controls. I’ll walk you through screenshot examples of how to illustrate evidence that you’ve complied with specific controls.
Even if you're not attempting to be 800-171 compliant with all 110 controls, there's a lot of useful guidance here.
What are the NIST 800-171 learning path benefits?
Dave: As an aspiring or current cybersecurity professional, having this in your toolbox opens opportunities because companies need help, especially once CMMC 2.0 (the bulk of which is from NIST 800-171) becomes a thing and you're forced to comply. For anyone attempting to tackle this the first time on their own, I can guarantee they will be overwhelmed by it.
Originally, NIST 800-171 was self-assessment-based, but with CMMC, for certain types of businesses, you’ll have to have third-party assessors validate that what you said is accurate. You’ll be required to show evidence of how you have complied and managed the process. This path gives you the knowledge and skills to implement the controls and build your body of evidence (BOE).
What should students learn after taking these courses?
Dave: The next logical step is a deeper dive into CMMC 2.0, the bulk of which is based on these 110 controls. I also recommend getting the certifications I have, like CISA and CISSP, and learning about regulatory compliance so you can ask the right kind of questions. These certifications will help you craft the policies companies need to comply with specific controls.
What’s your take on closing the skills gap and advice for entering the field?
Dave: I think there are a lot of unrealistic qualification expectations. Fortunately, companies like Google are cracking those barriers by adopting an apprenticeship mindset and in-house training. Infosec is also doing it right, with actual people in the security trenches teaching others.
A lot of people don’t understand IT, or how much fun it can be. It can be frustrating, but it can be extremely rewarding and lucrative. We don’t do a good job educating high school students about the opportunities here and that you don't have to be a math nerd. You don't have to be a programmer to succeed in many of these careers.
Particularly in this compliance space, it’s all about policies. The question is, “Do you have a policy for X?” and the answer I find in most cases with small and medium-sized businesses is no, we don't have any sort of policy like that.
You don't have to know how to configure a Linux machine to write a policy and protect society. With cyberattacks increasingly having real-world impacts, there are amazing employment and advancement opportunities for curious people who have a continuous improvement outlook.
To learn more about Dave Hatter’s NIST 800-171 learning path, create your free Infosec Skills account.