NIST SP 800-171 & Insurance Providers

Apr 01, 2021

NIST SP 800-171 is now applicable to certain insurance providers.

Under the Department of Homeland Security (DHS) Federal Emergency Management Agency (FEMA) enters into arrangements with private sector property insurers, also known as Write Your Own (WYO) companies, to sell National Flood Insurance Program (NFIP) flood insurance policies under their own names and adjust and pay claims arising under the Standard Flood Insurance Policy (SFIP).

In the NFIP Notice of FY 2022 Arrangement, it added Article III.L (Cybersecurity) to require WYO companies to implement IT security standards specified by NIST SP 800-171 R2. In lieu of full compliance with this standard, WYO companies may choose to show compliance with other comparable standards, such as ISO/IEC 27001 or to provide FEMA a plan of action that describes how unimplemented security requirements of NIST SP 800-171 R2 will be met and how any planned mitigations will be implemented.