NIST SP 800-171 & Insurance Providers

ComplianceForge Support

NIST SP 800-171 is now applicable to certain insurance providers.

Under the Department of Homeland Security (DHS), the Federal Emergency Management Agency (FEMA) enters into arrangements with private sector property insurers, known as Write Your Own (WYO) companies, to sell National Flood Insurance Program (NFIP) flood insurance policies under their own names and to adjust and pay claims arising under the Standard Flood Insurance Policy (SFIP).

The NFIP Notice of FY 2022 Arrangement added Article III.L (Cybersecurity), which requires WYO companies to implement the IT security standards specified in NIST SP 800-171 R2. In lieu of full compliance with that standard, a WYO company may instead demonstrate compliance with another comparable standard, such as ISO/IEC 27001, or provide FEMA a plan of action that describes how the unimplemented NIST SP 800-171 R2 security requirements will be met and how any planned mitigations will be implemented.

https://www.federalregister.gov/documents/2021/04/...


NIST SP 800‑53 R5 Control Families

NIST SP 800-53 Revision 5 includes a total of 1,189 controls, organized into 20 control families (family identifier in parentheses):

  1. Access Control (AC)
  2. Awareness & Training (AT)
  3. Audit & Accountability (AU)
  4. Assessment, Authorization & Monitoring (CA)
  5. Configuration Management (CM)
  6. Contingency Planning (CP)
  7. Identification & Authentication (IA)
  8. Incident Response (IR)
  9. Maintenance (MA)
  10. Media Protection (MP)
  11. Physical & Environmental Protection (PE)
  12. Planning (PL)
  13. Program Management (PM)
  14. Personnel Security (PS)
  15. Personally Identifiable Information (PII) Processing & Transparency (PT)
  16. Risk Assessment (RA)
  17. System & Services Acquisition (SA)
  18. System & Communications Protection (SC)
  19. System & Information Integrity (SI)
  20. Supply Chain Risk Management (SR)

This count includes withdrawn controls, which NIST has removed or incorporated into other controls. Not every control is assigned to a baseline (low, moderate, high, or privacy) in NIST SP 800-53B, so a baseline alone does not cover the full catalog.

ComplianceForge provides full 1:1 mapping of all 20 families and their controls in its CDPP documentation.