Skip to content

CISA Threat Advisory: NIST 800-171 and Suggested Migration Actions

The estimated read time for this document is 5 minutes and 30 seconds.

The Cybersecurity and Infrastructure Security Agency (CISA) (in collaboration with the FBI, NSA, Australian Cyber Security Centre, Canadian Center for Cybersecurity, National Cyber Security Centre New Zealand, NCSC, NCA, federal partners, and members of the JCDC) has issued the most comprehensive to date Joint Cybersecurity Advisory (CSA) on Russian state sponsored and criminal cyber threats to critical infrastructure. 

The advisory (AA220-110A) combines information previously distributed by the White house, CISA’s “Shields Up,” CSA (AA220-111A), and input from international partners and members of the United States Intelligence Community (IC). The CSA’s intent is to encourage the hardening of cyber defenses for worldwide critical infrastructure to thwart Russian state-sponsored cyber operations and commonly observed tactics, techniques, and procedures (TTPs). 

You can view the full Joint cybersecurity advisory here: CISA Joint CSA  

Many of the mitigation actions recommended by the CSA map directly to NIST 800-171 and CMMC security controls. Further, many mitigation actions can be implemented through a single platform and/or solution (e.g., External Service Provider (ESP)). Microsoft 365 GCC High Platform is an ESP widely utilized by the Defense Industrial Base (DIB) due to the volume of shared responsibilities that can bring their systems up to the NIST 800-171 and CMMC standards. 

Below you will find the high and medium priority mitigation actions included in this advisory, their applicable NIST 800-171 and CMMC security controls, and solution recommendations based on Summit 7’s experience with Microsoft’s Office 365 GCC High Platform.   

No alt text provided for this image
No alt text provided for this image
No alt text provided for this image
No alt text provided for this image

It is important to note that installation of the recommended technologies listed does not fully remediate the actions they are intended to prevent. An organization must have compliance processes in-place that effectively leverage the technologies that mitigate the risks associated with these recommendations. Further, a successful cyber security program will leverage technologies and platforms that provide shared responsibilities between the organization and the solution. This way IT teams can focus on the security of the infrastructure and be better equipped to quickly respond to incidents and remediate issues. After all, the CSA’s intent is to identify the most urgent threats, therefore, empowering organizations to respond effectively. 

To satisfy requirements for NIST 800-171 Control 3.14.1, Identify, report, and correct system flaws in a timely manner. Organizations must identify flaws and vulnerabilities from multiple sources such as threat intelligence reports and analysis, risk assessments, and vulnerability scanning. Once identified, the organization must correct the flaws in a timely manner.

To learn more about NIST 800-171 / CMMC 2.0 visit us at

Leave a Comment