What is NIST SP 800-171?
Published by the National Institute of Standards and Technology (NIST), NIST SP 800-171 is a standard created to help organizations protect Controlled Unclassified Information (CUI) from unauthorized access or disclosure.
With the advent of the new Cybersecurity Maturity Model Certification (CMMC) program, adherence to the NIST SP 800-171 controls has become mandatory for contractors who do work or wish to work with the Department of Defense (DoD) and civilian agencies who may require adherence to the standard.
Because failure to comply with NIST SP 800-171 can result in significant fines and loss of contracts, we, as one of the first authorized CMMC Third Party Assessment Organizations (C3PAOs), want to help you avoid this kind of fallout.
In this comprehensive guide, we’ll explore everything you need to know about NIST SP 800-171 compliance, including what it is, why it's important, and how to achieve it. We'll also dive into the specific controls and requirements outlined in NIST SP 800-171 and provide tips and best practices for meeting them.
Whether you're new to NIST SP 800-171 or looking to improve your compliance efforts, this guide has everything you need to protect your sensitive data and meet government requirements.
What is NIST SP 800-171?
To help organizations protect sensitive information that is not classified but still needs to be kept secure—particularly when being shared between non-federal organizations and federal agencies—NIST published its Special Publication (SP) 800-171.
Said “sensitive information” is actually categorized as Controlled Unclassified Information (CUI)—things like:
- Intelligence
- Financial data
- Legal records
What is CUI?
By definition, CUI is any non-public executive agency information, and here’s how you might determine if the data in your charge classifies as such. CUI is:
- Prominently identified with specific markings:
  - “CUI” will appear in document headers and footers.
  - A CUI designation indicator will be included that specifies the organization that controls the information, any specific CUI designation that the information may fall into, dissemination specifications, and a point of contact for the information.
- Any data whose public release (or unauthorized disclosure) would negatively impact the agency of origin, including if aggregated with additional information.
To help paint an even clearer picture, organizations likely to handle CUI and that may need to adhere to NIST SP 800-171 standards include:
- Defense contractors
- Systems integration service providers
- Financial, web, or communication service providers to the federal government
- Healthcare information processors
- Colleges, universities, or institutes that receive federal data or grants
NIST SP 800-171 Requirements
Note: The following breakdown covers NIST SP 800-171, Revision 2. Updates will soon be posted regarding the draft of NIST SP 800-171, Revision 3.
Whether your organization classifies as one of those or not, if you handle CUI—likely as part of your relationship with the government—no matter whether you’re a prime contractor or a subcontractor, you must comply with NIST SP 800-171’s 110 requirements, which are helpfully organized into 14 general security topics (or families) that break down as follows:
| Family | Details |
| --- | --- |
| 1. Access Control | 22 requirements. To safeguard access to networks, systems, and information. |
| 2. Awareness and Training | 3 requirements. To ensure relevant personnel are aware of and trained on cybersecurity risks and procedures. |
| 3. Audit and Accountability | 9 requirements. To protect the storage of audit records for future analysis and reporting, including regular reviews of system security logs. |
| 4. Configuration Management | 9 requirements. To confirm adequate installation and configuration of hardware, software, and devices within the relevant network. |
| 5. Identification and Authentication | 11 requirements. To distinguish privileged and non-privileged accounts and ensure authentication procedures and policies are in place so that only authenticated users can access the network or systems. |
| 6. Incident Response | 3 requirements. To verify there are response procedures in place in the event of a serious cybersecurity incident. |
| 7. Maintenance | 6 requirements. To ensure relevant systems receive maintenance that is protected and based on best practices. |
| 8. Media Protection | 9 requirements. To help control access to sensitive media that is in both physical and digital formats. |
| 9. Personnel Security | 2 requirements. To safeguard CUI through security screenings of individuals before their accessing systems that contain CUI and adequate employee transfer/termination procedures where CUI is relevant. |
| 10. Physical Protection | 6 requirements. To control physical access to CUI, including on work sites, hardware, devices, and equipment that are required to be limited to authorized personnel. |
| 11. Risk Assessment | 3 requirements. To ensure the regular performance of risk assessments that reveal vulnerabilities. |
| 12. Security Assessment | 4 requirements. To validate that security plans are continuously monitored and further developed so that systems are regularly improved and remain effective. |
| 13. System and Communications Protection | 16 requirements. To protect systems and the transmission of information through cryptography policies to protect CUI, among other measures. |
| 14. System and Information Integrity | 7 requirements. To monitor the ongoing protection of systems using security alerts that aid in preventing unauthorized use of systems. |
(All these requirements map back loosely to NIST SP 800-53 controls and control enhancements, and while those are much more prescriptive than these NIST SP 800-171 security requirements, they can help provide a better understanding of what controls will meet 800-171 requirements.)
Using this framework, you can ensure the CUI you handle is kept confidential, accurate, and available when needed, no matter where it’s stored or how it’s transmitted, as the guidelines are designed to be flexible and adaptable for organizations of all sizes and types.
How to Achieve NIST SP 800-171 Compliance
That being said, to achieve compliance with NIST SP 800-171, you must follow a specific process that includes the following steps:
- Define your scope. Determining what CUI you store, process, and transmit in your organization—as well as the systems that CUI data touches—is imperative.
- Understand the requirements. A baseline understanding of the requirements outlined in NIST SP 800-171 will be your key foundation for compliance, and yours should include a grasp of what CUI is and how it needs to be protected, as well as the specific controls and requirements outlined in the guidelines.
- Conduct a gap analysis. Then, conduct a gap analysis to identify areas where you’re not currently meeting the requirements, as that will help you develop a plan for achieving full compliance.
- Develop a plan of action and milestones (POA&M). Based on the results of the gap analysis, develop a POA&M that outlines the steps you’ll take to achieve compliance, which should include specific tasks, timelines, and responsible parties.
- Implement security controls. At this point, begin implementing the security controls outlined in NIST SP 800-171, and that may involve upgrading software, improving access controls, or implementing encryption, among other things.
- Conduct regular self-assessments. To ensure ongoing compliance, conduct regular self-assessments to identify any new gaps or vulnerabilities.
- Monitor and report. Finally, monitor your systems and report any incidents or breaches to the appropriate authorities. You should also maintain documentation of your compliance efforts, including the POA&M and self-assessment reports.
By following these steps, you can achieve compliance with NIST SP 800-171 and protect your sensitive data from potential cyber threats.
Consequences of Non-Compliance with NIST SP 800-171
On the other hand, failure to comply with these guidelines—and a consequential breach or leak—can result in the revocation of contracts or the inability to bid on future contracts with the DoD, as well as fines and other legal penalties.
In some cases, you may also face reputational damage and additional loss of customer trust if you’re found to be non-compliant with NIST 800-171, making it essential to take steps to ensure that you’re fully compliant with these guidelines—you may even consider getting assessed by an independent third party to confirm everything is in place.
NIST SP 800-171 and FedRAMP
And while it is possible to be assessed against the 800-171 framework itself, the publication does tie into other, more prominent government compliance initiatives, including FedRAMP.
As noted above, the NIST SP 800-171 requirements are a subset (about 35%) of the overall NIST SP 800-53 controls that are required for FedRAMP—a program that any cloud service provider (CSP) seeking to provide services to government agencies must achieve compliance with to obtain FedRAMP Authority to Operate.
Still, the specific relationship between NIST SP 800-171 and FedRAMP really depends on what your cloud system is, how your system works, and to which agency you’re providing what services:
- If your cloud service is an IaaS, PaaS, or SaaS and you’re doing business with the federal government, you need to be FedRAMP Authorized regardless of the classification of data your systems/service facilitates.
- If you—not the government—operate the system that contains/uses CUI for the federal government, you’re subject to NIST SP 800-171 requirements.
- If you’re a contractor with the DoD and handling specific data types, you’re required to comply with these requirements as mandated in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.
NIST SP 800-171 and CMMC
Even given all that, NIST SP 800-171 has recently risen to further prominence because of its relevance to the new Cybersecurity Maturity Model Certification (CMMC), which has been developed to protect the particularly sensitive information—aka CUI—within the United States Defense Industrial Base (DIB).
Though it’ll make for a new compliance requirement when it goes live, the basis for CMMC is not “brand new.” This certification pulls from many existing sources—explicitly NIST SP 800-171—to create a centralized and comprehensive framework for defense contractors.
Before CMMC, compliance with NIST SP 800-171 allowed for a simple self-assessment to suffice—you could develop the required System Security Plan, but deficiencies in requirements met were allowed so long as you had a plan of action to remedy that.
That might’ve been enough to claim compliance with the publication, but CMMC is different and that might no longer be enough. Depending on which of the different levels of compliance you choose to certify against, you may also need to be evaluated by a certified third-party assessment organization (C3PAO).
Frequently Asked Questions About NIST SP 800-171
Who Needs to Comply with NIST SP 800-171?
Any organization that works with federal agencies, including DoD contractors, needs to comply with NIST SP 800-171 if they handle CUI.
How Does NIST SP 800-171 Relate to Other Cybersecurity Frameworks?
NIST SP 800-171 is designed to complement other cybersecurity frameworks, such as the NIST Cybersecurity Framework and ISO 27001, in that it provides guidance specifically for protecting CUI.
What is the Role of Third-Party Assessors in NIST SP 800-171 Compliance?
Third-party assessors can help organizations evaluate their compliance with NIST SP 800-171 and provide recommendations for improving their security controls.
How Often Do Organizations Need To Assess Their Compliance with NIST SP 800-171?
You should assess compliance with NIST SP 800-171 regularly, such as on an annual cadence, but also whenever significant changes are made to your IT systems.
Is Your Organization Compliant?
NIST SP 800-171 was born to help better secure the range of external service providers governmental departments rely on to operate, as many of these essential services result in the processing and storage of the sensitive information that is CUI.
And though it may still not be NIST’s most well-known publication, the importance of SP 800-171 and its requirements is growing, thanks to the upcoming codification of CMMC that many organizations continue to prepare for.
Now that you understand its areas of concern, including the type of data and requirement families, you’re in good shape should you need to get started with compliance and with better protecting your data from potential cyber threats.
However, if you still have some questions about this publication—or any of the other prominent ones from NIST—please reach out to us. Our team of experts is well-versed in the many, many details involved in government compliance and would love to help you ease any concerns you may have.
About STEPHEN HALBROOK
Stephen Halbrook is a Managing Principal at Schellman. He is an experienced and proven federal practice leader performing service delivery management across service lines including FedRAMP, NIST, SOC, PCI DSS and ISO. Stephen also assists large and complex organizations that have multiple compliance needs, helping them strategically align their efforts to maximize cost and efficiencies. He has more than 15 years of experience in the assessment industry and started his career working in Deloitte’s Advisory practice.