NIST Special Publication 800-171

NIST Special Publication 800-171, titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” provides guidelines for protecting sensitive federal information stored in nonfederal systems. Developed by the National Institute of Standards and Technology (NIST), this publication is designed to ensure that Controlled Unclassified Information (CUI) is adequately protected when processed, stored, or transmitted by nonfederal organizations.

Who is NIST 800-171 For?

NIST 800-171 is intended for nonfederal organizations, such as contractors, subcontractors, and other entities, that handle, process, or store CUI on behalf of the federal government. This includes:

  • Federal contractors and subcontractors.
  • Research institutions and universities engaged in federal research.
  • Any organization that deals with federal data requiring protection under CUI guidelines.

Controlled Unclassified Information

Controlled Unclassified Information (CUI) refers to information that requires safeguarding or dissemination controls pursuant to federal law, regulations, or government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

Examples of CUI include:

  • Personally Identifiable Information (PII)
  • Financial data
  • Intellectual property
  • Contract details and specifications

The protection of CUI is critical to national security and the competitive position of the United States, and NIST 800-171 provides a framework for nonfederal organizations to safeguard this information.

NIST 800-171 Compliance

Compliance with NIST 800-171 involves implementing its security requirements to protect CUI. Unlike some standards, NIST 800-171 does not offer a formal certification. Instead, organizations must self-assess and attest to their compliance.

Key steps for compliance include:

  • Conducting a gap analysis to compare current security practices against NIST 800-171 requirements.
  • Developing a System Security Plan (SSP) to describe how each requirement is met.
  • Creating a Plan of Action and Milestones (POA&M) to address any gaps or deficiencies.
  • Continuously monitoring and updating security practices to maintain compliance.

Organizations may also undergo third-party assessments to validate their compliance efforts, especially when required by contracts or regulations.

NIST 800-171 Control Families

NIST 800-171 organizes its security requirements into 14 control families. Each family addresses specific areas of security and provides guidelines for implementing necessary protections:

Access Control (AC)

  • Limit information system access to authorized users and devices.
  • Control the flow of CUI within the information system.

Awareness and Training (AT)

  • Ensure that managers and users are aware of the security risks associated with their activities.
  • Provide training to recognize and respond to security threats.

Audit and Accountability (AU)

  • Create, protect, and retain information system audit records.
  • Ensure that actions affecting CUI can be traced to responsible individuals.

Configuration Management (CM)

  • Establish and maintain baseline configurations and inventories of organizational systems.
  • Implement security configuration settings.

Identification and Authentication (IA)

  • Identify information system users, processes, and devices.
  • Authenticate identities before allowing access to the system.

Incident Response (IR)

  • Establish an operational incident-handling capability for detecting, reporting, and responding to security incidents.

Maintenance (MA)

  • Perform maintenance on organizational systems and protect maintenance tools and systems.

Media Protection (MP)

  • Protect information system media containing CUI.
  • Limit access to CUI on media to authorized users.

Personnel Security (PS)

  • Screen individuals prior to authorizing access to information systems containing CUI.
  • Ensure that CUI is protected during and after personnel actions such as terminations and transfers.

Physical Protection (PE)

  • Limit physical access to information systems and facilities.

Risk Assessment (RA)

  • Periodically assess the risk to organizational operations and assets.

Security Assessment (CA)

  • Periodically assess the security controls in organizational systems to determine their effectiveness.

System and Communications Protection (SC)

  • Monitor, control, and protect communications at external boundaries and key internal boundaries of the information system.

System and Information Integrity (SI)

  • Identify, report, and correct information system flaws.
  • Protect information systems from malicious code.

Our Services

vCISO and Fractional Security Analysts

Enhance security leadership and strategy with experienced professionals through one-time projects or continued engagements.

Gap and Risk Assessments

Identify vulnerabilities and gaps in your security posture with our comprehensive assessments designed to not disrupt your operations.

Framework Deployment Programs

Establish security frameworks through a comprehensive year-long assessment and training program, either individually or with a cohort of your peers.

Apptega GRC Platform

Make the most of Apptega’s powerful Governance, Risk, and Compliance (GRC) tool to effectively manage and maintain your security program utilizing its user-friendly interface.

Implementation Support

Certified assistance in planning and implementing best practices and solutions to mature your security posture.

Meet the Team

Art Provost

Art, with 30 years of experience in Information Security across diverse roles, joined Filament in 2011 and holds multiple certifications, including CISSP, GSEC, GPEN, GWAPT, and CISM.

Tyler Malcom

Tyler, who joined Filament in 2022, has a strong background in cyber defense and offensive operations from his time in the US Navy and holds CISSP and GSEC certifications.

Keri Kunkle

Keri, who joined Filament in 2023, is a seasoned cybersecurity professional with experience in the US Marine Corps and Department of Defense, holding multiple certifications and advanced degrees in cybersecurity.

Expert Help is On the Way

Schedule a Free Discovery Call

Explore your organization’s future with a quick conversation with Filament Information Security services.

Contact us today to learn more about how we can help you achieve your security goals.