Who is NIST 800-171 For?

NIST 800-171 is intended for nonfederal organizations, such as contractors, subcontractors, and other entities, that handle, process, or store CUI on behalf of the federal government. This includes:

• Federal contractors and subcontractors.
• Research institutions and universities engaged in federal research.
• Any organization that deals with federal data requiring protection under CUI guidelines.

Controlled Unclassified Information

Controlled Unclassified Information (CUI) refers to information that requires safeguarding or dissemination controls pursuant to federal law, regulations, or government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

Examples of CUI include:

• Personally Identifiable Information (PII)
• Financial data
• Intellectual property
• Contract details and specifications

The protection of CUI is critical to national security and the competitive position of the United States, and NIST 800-171 provides a framework for nonfederal organizations to safeguard this information.

NIST 800-171 Compliance

Compliance with NIST 800-171 involves implementing its security requirements to protect CUI. Unlike some standards, NIST 800-171 does not offer a formal certification. Instead, organizations must self-assess and attest to their compliance.

Key steps for compliance include:

• Conducting a gap analysis to compare current security practices against NIST 800-171 requirements.
• Developing a System Security Plan (SSP) to describe how each requirement is met.
• Creating a Plan of Action and Milestones (POA&M) to address any gaps or deficiencies.
• Continuously monitoring and updating security practices to maintain compliance.

Organizations may also undergo third-party assessments to validate their compliance efforts, especially when required by contracts or regulations.

NIST 800-171 Control Families

NIST 800-171 organizes its security requirements into 14 control families. Each family addresses specific areas of security and provides guidelines for implementing necessary protections:

Access Control (AC)

• Limit information system access to authorized users and devices.
• Control the flow of CUI within the information system.

Awareness and Training (AT)

• Ensure that managers and users are aware of the security risks associated with their activities.
• Provide training to recognize and respond to security threats.

Audit and Accountability (AU)

• Create, protect, and retain information system audit records.
• Ensure that actions affecting CUI can be traced to responsible individuals.

Configuration Management (CM)

• Establish and maintain baseline configurations and inventories of organizational systems.
• Implement security configuration settings.

Identification and Authentication (IA)

• Identify information system users, processes, and devices.
• Authenticate identities before allowing access to the system.

Incident Response (IR)

• Establish an operational incident-handling capability for detecting, reporting, and responding to security incidents.

Maintenance (MA)

• Perform maintenance on organizational systems and protect maintenance tools and systems.

Media Protection (MP)

• Protect information system media containing CUI.
• Limit access to CUI on media to authorized users.

Personnel Security (PS)

• Screen individuals prior to authorizing access to information systems containing CUI.
• Ensure that CUI is protected during and after personnel actions such as terminations and transfers.

Physical Protection (PE)

• Limit physical access to information systems and facilities.

Risk Assessment (RA)

Periodically assess the risk to organizational operations and assets.

Security Assessment (CA)

• Periodically assess the security controls in organizational systems to determine their effectiveness.

System and Communications Protection (SC)

• Monitor, control, and protect communications at external boundaries and key internal boundaries of the information system.

System and Information Integrity (SI)

• Identify, report, and correct information system flaws.
• Protect information systems from malicious code.