Hi all, I debated putting this in the Network-Wide but figured this might be a better place.
I was just hoping to find out if anyone here falls under NIST 800-171 compliance and is achieving this using the Meraki full stack?
If so, are you having to incorporate any other vendor products to meet specific network requirements?
I've only started diving into this, so take it easy on me 😉
I have nothing to do with 800-171.
Note that only meta-data goes to the Meraki cloud, not actual customer data (or in your case "controlled" data). You might have to be careful around AMP - but it could only possibly submit something that was sent over an unsecured channel - which hopefully no one wanting 800-171 would be doing.
When I have worked with Government bodies, once I explain the difference between meta data and their actual user data they seem to be ok.
You can also look at the general "trust" page:
At this point, I don't think I'm quite as worried about the "cloud-controller" meeting the compliance requirements. Most of the controls around that can be put into place easily enough.
I don't know, however, if the Meraki VPN (both client and site-to-site) holds up to the standards required. FIPS 140-2 Validated encryption, I believe. Hoping to hear some more input around that.
Sorry @SunshineJulie but I really haven't. I went through an assessment as best as I could at the time. We've tabled this for the time being as we're not currently under this requirement.
Did you happen to find any further details on this? I know that you can't find any Meraki gear listed here: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search
My inquiry to Cisco didn't yield a good response either as I think they didn't really understand the question. I've read rumors that this is in the works and supposed to be completed in May but I think "rumor" is the key word there.
Hi @Propho, unfortunately I didn't find any further details at the time.
I see this thread is a couple of years old. I am hoping there has been an update to the Meraki Line of products and NIST. Has anyone found out any more regarding if Meraki MX and Full stack are NIST 800-171 Compliant?
I don't know anything about NIST 800-171, but reading about it, these seem to be the key points required:
It doesn't seem like there is anything Meraki can do to be "compliant". It seems like these are things you need to do.
@PhilipDAth I get what you're saying; however, there are requirements for those working on DoD contracts. More specifically, I am trying to determine or get Meraki to provide a document that may speak to FAR 52.204-25 (Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment) and GSAR 552.204-70. Thx for the comments...great argument. Any additional contribution would be helpful Community!