Skip to main content

Scoring a NIST 800-171 Assessment in Office 365's Compliance Manager

Nick Ross3 min read
Ensuring NIST 800-171 Compliance with Office 365

TL;DR

  • NIST 800-171, 'Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,' has 109 requirements and applies to non-federal organizations handling CUI in support of federal activities.
  • As of June 2018, Microsoft's Compliance Manager portal turns NIST 800-171 into a scored assessment you can build against Office 365 in a few minutes.
  • The assessment score is a fraction: the numerator is points earned by controls already in place, the denominator is the total points available.
  • Microsoft-managed controls are scored automatically because Microsoft has already audited its own side; customer-managed controls are the work assigned to your team.
  • Each control expands into a project-management view where you assign owners, attach documents, set test dates, and read Microsoft's implementation guidance.

Most teams do not think of the Office 365 productivity stack as a compliance platform, but as of June 2018 it is a genuinely affordable way to work toward NIST 800-171. Microsoft's Compliance Manager portal takes the framework's 109 requirements and turns them into a scored, assignable assessment you manage like a project. This guide explains what NIST 800-171 covers and walks the build of a NIST assessment from a blank portal to a working task list.

What is NIST 800-171, and who has to meet it?

The National Institute of Standards and Technology is the United States agency tasked with advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life. The Federal Information Security Modernization Act (FISMA) established NIST as the agency responsible for developing information security standards and guidelines for federal information systems. NIST published Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," or NIST 800-171 for short.

NIST publication 800-171

NIST 800-171 is a guideline for non-federal organizations that must securely process Controlled Unclassified Information (CUI) within internal and external information systems in support of federal activities. NIST based 800-171 on 800-53 but removed controls, or parts of controls, that were uniquely federal and not expected of nonfederal organizations. Do not let that fool you into thinking compliance is easy.

NIST framework diagram

Why Office 365 fits NIST 800-171

Office 365 logo

Office 365 gives you the ability to implement the security solutions that satisfy NIST 800-171 requirements through Microsoft's CSP program, and it is affordable for most organizations. NIST 800-171 has 109 comprehensive requirements, so it is nothing to mess around with. Microsoft released its Compliance Manager portal (opens in new tab) to help you meet data protection and regulatory requirements. The rest of this guide walks through setting up an assessment specifically for NIST 800-171.

Compliance Manager dashboard

Building the NIST 800-171 assessment, step by step

Sign in

Go to https://servicetrust.microsoft.com/ComplianceManager (opens in new tab) and sign in.

Compliance Manager sign-in

Add an assessment

Scroll down and click + Add Assessment on the right.

Add Assessment button

Create a group

Click Create new group and add a group name, "NIST."

Creating a new group named NIST

Copy data from the default group

Copy data from the default group.

Copying data from the default group

Select the product

Select "Office 365" for the product being evaluated.

Selecting Office 365 as the product

Select the assessment

Select "NIST 800-171."

Selecting NIST 800-171 as the assessment

Read your score

After the assessment is created, you get a table with a score. The numerator is the points you have accumulated with current systems in place, and the denominator is the potential points you can earn. Click Actions > Review your actions to see the list of tasks to complete.

Assessment score table

Working the assessment as a project

Microsoft-managed controls

Microsoft has already conducted its own audit. Expand this tab to see the list of Microsoft-managed activities that are scored on your behalf.

Microsoft-managed controls expanded

Customer-managed controls

These are the controls your team is responsible for. Expand this tab to see them.

Customer-managed controls expanded

Drill into the detail

Expanding each section reveals more detailed information, and the sections have a project-management feel.

Detailed control information

Assign and track

You can assign tasks to users, attach relevant documents, set statuses, set test dates, and more.

Assigning tasks, documents, statuses, and test dates

Get the knowledge-base detail

Expand the "more" icon to drill into customer actions for detailed information on what that part of compliance entails and the steps to earn points and gain compliance in 365. You can also add notes that every user who enters the portal can see.

Customer action detail and notes

Read the implementation guides

Clicking the Read More button gives even more detail and links to support articles that walk through detailed implementation.

Read More implementation guidance

Find the supporting articles

Scrolling down further surfaces more links to relevant knowledge-base articles.

Links to supporting KB articles

Where this approach goes next

This is a first iteration. The ideal version is a step-by-step guide that walks through configuring each recommended control, rather than reading through many support articles. For now, use Compliance Manager as a project-management template: walk each step, configure the controls it recommends to raise your score, and split the working and testing across your team. The honest limitation is that a Compliance Manager score is a point-in-time snapshot, and tenant settings rarely stay where you left them.

Frequently asked questions

How many requirements does NIST 800-171 contain?
  1. NIST based 800-171 on 800-53 but removed controls, or parts of controls, that were uniquely federal and not expected of nonfederal organizations. The reduced count does not make compliance easy.
What is the score in Compliance Manager?

It is a fraction. The numerator is the points you have accumulated with controls currently in place; the denominator is the total points available for the assessment. Reviewing your actions shows the tasks that earn the remaining points.

Does Microsoft handle some of the NIST controls for me?

Yes. Compliance Manager separates Microsoft-managed controls, which Microsoft has already audited and which are scored automatically, from customer-managed controls, which you and your team are responsible for implementing in the tenant.

Keep the score from quietly dropping after the audit

A NIST assessment is a snapshot. Settings drift, tenants change, and controls that passed this quarter can fail the next. CloudCapsule re-checks 250+ controls across every tenant in 60 seconds, so the evidence is always current, not six months stale.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading