Are any SAM tools NIST 800-171 certified?

I work for a large US public university which is also an R1 research institution. We recently completed an RFP for a SAM tool and selected a vendor. However, our IT security office performed a review and informed us that the vendor was not NIST 800-171 compliant to their satisfaction. Their review was quite thorough. In their denial, they indicated “we recommend pursuing a product compliant with NIST 800-171 that will not pose a heightened risk to our organization”.

Are you aware of any SAM products that are NIST 800-171 certified or have passed your organization’s security review that includes a review of NIST 800-171 compliance?

I have reviewed marketing material for several SAM products and some claim to be compliant with NIST standards but I cannot find any that state they are “certified” (I think maybe NIST 800-171 relies on self-certification) and they don’t necessarily cite 800-171 compliance. And while some products may ultimately be found that would satisfy our security office for NIST 800-171 compliance, it would take an exhaustive review on each one and require the vendor’s cooperation and we do not have the capacity to do that.

1 Like

Dan,

I don’t know of any off the cuff. However I had to meet similar standards. My guidance here is to document what criteria must be met, then check if the SAM app or supporting systems can meet or exceed. Case in point, I had to meet a few different ISO and NIST standards, boiled down could I encrypt data at rest, data in transit. Could I mask specific fields where PII were handled or processed. Did I have processes for data retention, account reviews, etc. Once I met those I was NIST XYZ and ISO ABC compliant.

Hope that helps

2 Likes

Snow is NIST 800-171 certified

2 Likes

ServiceNow is FedRAMP DoD IL4 certified. NIST800-171 appears to be a subset of the overall controls required for FedRAMP.

2 Likes