The Ultimate Guide to NIST SP 800-171
What is the NIST SP 800-171?
NIST SP 800-171 is shorthand for National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (The similar-sounding title Security and Privacy Controls for Federal Information Systems and Organizations belongs to a different publication, NIST SP 800-53, from which the 800-171 requirements are derived.) NIST SP 800-171 provides recommended security requirements for protecting the confidentiality of controlled unclassified information (CUI) when that information is handled by contractors and other nonfederal organizations. The obligation reaches those organizations through contract clauses under the Federal Acquisition Regulation (FAR) and, for Department of Defense work, the Defense Federal Acquisition Regulation Supplement (DFARS), most notably DFARS clause 252.204-7012.
What is the purpose of NIST SP 800-171?
Created by computer security and privacy experts at the National Institute of Standards and Technology (NIST), NIST Special Publication 800-171, Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations contains recommended security requirements for protecting the confidentiality of CUI when all of the following hold: the information resides in nonfederal systems and organizations; the nonfederal organization is not collecting or maintaining information on behalf of a federal agency, or using or operating a system on behalf of an agency; and there are no specific safeguarding requirements for protecting the confidentiality of the CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry.
What are the requirements for NIST SP 800-171?
The requirements are spelled out in the body of the publication: 110 security requirements organized into 14 families (listed under "What are NIST 800 171 Controls?" below), each stated as a basic requirement or a derived requirement with an accompanying discussion. They apply to the components of a nonfederal system that process, store, or transmit CUI, or that provide security protection for those components, and they address the confidentiality of CUI rather than its integrity or availability.
What classifies as “CUI” under NIST SP 800-171 Guidelines?
CUI, or controlled unclassified information, is government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and governmentwide policies. It is not corporate intellectual property unless that property is created for, or incorporated into, deliverables required under a government contract.
Until 2010, CUI was not even called CUI. It circulated under an assortment of agency-specific labels such as "For Official Use Only" and "Sensitive But Unclassified." More troubling, no standardized guidelines existed for marking and handling it: one agency could treat a category of information as extremely sensitive while another treated the same information as routine.
In November 2010, President Obama signed Executive Order 13556, which established a single, governmentwide CUI program to replace those ad hoc markings and designated the National Archives and Records Administration (NARA) as its Executive Agent. The goal was a uniform system for safeguarding and disseminating CUI, with the approved categories published in the CUI Registry. NARA's implementing regulation, the CUI Final Rule (32 CFR Part 2002), was issued in 2016 and provides implementation direction for the Executive Order and a standardized methodology for handling CUI.
Two subsets of CUI exist: CUI Basic and CUI Specified. Under the Final Rule, CUI Basic is handled at no less than the moderate confidentiality impact level defined under the Federal Information Security Modernization Act (FISMA) and FIPS 199, and is marked "CUI" or "CONTROLLED." CUI Specified is information whose authorizing law, regulation, or governmentwide policy prescribes its own handling or dissemination controls; those controls can be more restrictive than CUI Basic and differ by category, and the designating agency must apply the category-specific markings and controls. The CUI Registry groups categories into organizational indexes such as agriculture, legal, transportation, financial, tax, and immigration.
Who Needs to Comply With NIST SP 800-171?
If you’re a contractor for a federal agency and your organization is processing CUI, you may be contractually obligated by the agency to implement the requirements recommended in SP 800-171. To be clear, these security requirements would apply to the components of your environment that process, store, or transmit CUI or that provide security protection for such components.
Here’s the exact language from NIST SP 800-171 rev 2: “The recommended security requirements contained in this publication are only applicable to a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreements. The security requirements apply to the components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.”
If you’re seeking to secure a contract with a federal agency, during the evaluation process the agency is likely to ask you to submit a system security plan, a comprehensive document that describes in detail how security requirements in NIST SP 800-171 are met within your organization and how you plan to address known and anticipated threats. Federal agencies consider the submitted system security plans and associated plans of actions as critical inputs in their decision on whether it would be advisable to enter an agreement with the nonfederal organization.
Can NIST SP 800-171 Improve My Security Program?
Even if you are not contractually obligated to implement the security requirements recommended in NIST SP 800-171, you will still benefit from adopting these guidelines: they give you a solid foundation and methodology for creating operating procedures and security controls across the organization, and because the requirements are mapped to SP 800-53 and ISO/IEC 27001 controls, they give you a head start if you later pursue additional certifications such as ISO/IEC 27001.
How do I become NIST 800 171 compliant?
To become fully compliant with NIST SP 800-171 your organization will need to do the following:
Locate and identify the systems and solutions in your network that store, process, or transmit CUI, or that provide security protection for those systems. These are the systems you'll need to protect, and together they define the system boundary you will describe in your system security plan.
Implement controls — policies, procedures, processes, and technical solutions — to protect CUI.
Train your employees on how to use and transfer CUI in a way that is consistent with the requirements set out in NIST SP 800-171.
Periodically assess the controls in organizational systems to determine whether they are effective as implemented, and repeat the assessment on a regular schedule so that current processes continue to protect CUI as systems and threats change.
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems are identified, and remediate those vulnerabilities.
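The first step above, scoping, is where most of the work hides, and it is the one a script can help with. The following is an added example, not code from the article, Hyperproof, or NIST: it walks a directory tree and flags files that carry a CUI banner marking on its own line, separating CUI Specified (a marking with an SP- category segment such as CUI//SP-CTI) from CUI Basic (a plain "CUI" or "CONTROLLED" banner). The marking grammar, the sample files, and the plain-text assumption are mine; a real scoping exercise also has to cover databases, mail, file shares you cannot read, and CUI that was never marked, so treat the output as a starting inventory for the system security plan, not as the boundary itself.

```python
"""Scope discovery for NIST SP 800-171: find files carrying CUI banner markings.

Added example; not code from the article, Hyperproof, or NIST. Assumptions:
files are plain text, and markings follow the CUI banner format, i.e. a line
consisting of "CUI" or "CONTROLLED" optionally followed by "//" segments, where
an "SP-" segment (e.g. CUI//SP-CTI) denotes CUI Specified.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# A banner marking occupies its own line. Anchoring to the whole line avoids
# flagging prose that merely mentions the word "CUI".
BANNER_RE = re.compile(r"^\s*((?:CUI|CONTROLLED)(?://[A-Z0-9-]+)*)\s*$", re.MULTILINE)


@dataclass(frozen=True)
class Finding:
    path: str        # path relative to the scanned root
    marking: str     # the banner marking as written
    specified: bool  # True for CUI Specified, False for CUI Basic


def is_specified(marking: str) -> bool:
    """CUI Specified carries an SP- category segment, e.g. CUI//SP-CTI//NOFORN."""
    return any(seg.startswith("SP-") for seg in marking.split("//")[1:])


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per distinct banner marking found in a document."""
    seen: dict[str, Finding] = {}
    for match in BANNER_RE.finditer(text):
        marking = match.group(1)
        seen.setdefault(marking, Finding(path, marking, is_specified(marking)))
    return list(seen.values())


def scan_tree(root: str, max_bytes: int = 1_000_000) -> list[Finding]:
    """Walk a directory tree and collect banner markings from text files."""
    findings: list[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(max_bytes)
            except OSError:
                continue  # unreadable: record it separately, keep scanning
            if b"\x00" in raw:
                continue  # binary content; banner markings are text
            rel = os.path.relpath(path, root)
            findings.extend(scan_text(rel, raw.decode("utf-8", errors="ignore")))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group flagged paths by handling tier for the SSP system-boundary inventory."""
    summary: dict[str, list[str]] = {"specified": [], "basic": []}
    for f in findings:
        summary["specified" if f.specified else "basic"].append(f.path)
    return summary


# Constructed sample documents (not real CUI) so the example runs offline.
SAMPLE_FILES = {
    "contracts/sow.txt": "CUI//SP-CTI//NOFORN\n\nStatement of work (constructed sample).\n",
    "hr/roster.txt": "CONTROLLED\nEmployee roster (constructed sample).\n",
    "notes/readme.txt": "This folder holds no CUI; see the SSP for the system boundary.\n",
    "build/app.bin": b"\x7fELF\x00\x00constructed binary blob",
}


def write_sample_tree() -> str:
    """Materialize SAMPLE_FILES under a fresh temporary directory; return its root."""
    root = tempfile.mkdtemp(prefix="cui-scope-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_tree(write_sample_tree()):
        tier = "SPECIFIED" if f.specified else "BASIC"
        print(f"{tier:9} {f.marking:22} {f.path}")
```

Run against the constructed tree, the scan flags contracts/sow.txt as CUI Specified and hr/roster.txt as CUI Basic, skips the binary blob, and ignores the readme that only mentions CUI in a sentence. Anchoring the pattern to a whole line is what keeps the false-positive rate tolerable on a real file share; drop that anchor and every policy document that discusses CUI lands in your inventory.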
But you're not quite done yet, as working with federal agencies comes with additional compliance and reporting obligations. In order for a federal agency to view your organization as "NIST SP 800-171 compliant", your system security plan will need to document how each security requirement is met or, where it is not yet met, how you plan to meet it and address known and anticipated threats. A system security plan describes:
The system boundary
The operational environment
How security requirements are implemented
The relationships with or connections to other systems
You’ll also need to develop plans of action that describe how unimplemented security requirements will be met. You can document the system security plan and the plan of action as separate documents or in one document.
When requested, your system security plan and associated plans of action for any planned implementations or mitigations need to be submitted to the responsible federal agency/contracting office. Federal agencies may consider the submitted system security plans and plans of action as critical input to a risk management decision of whether to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization.
What are NIST 800 171 Controls?
There are 14 families of recommended security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations. Each organization can implement a variety of potential security solutions, either directly or using managed services, to satisfy the security requirements. Organizations can also implement alternative but equally effective security measures to satisfy a requirement.
The control families are the following:
Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communications Protection
System and Information Integrity
Each family contains several specific requirements, each with an explanation (referred to as "discussion" in the publication). Strictly speaking, the publication calls them security requirements rather than controls, and distinguishes basic requirements, taken from FIPS 200, from derived requirements, taken from the controls in SP 800-53.
How does NIST SP 800-171 Map to ISO 27001 and NIST SP 800-53?
You may not need to implement NIST SP 800-171 requirements from scratch. If you’ve already implemented NIST SP 800-53 or ISO/IEC 27001, you can leverage some of your existing security controls to meet 800-171 requirements.
Appendix D of SP 800-171 Rev 2 maps each security requirement to the corresponding security controls in SP 800-53 and to the relevant controls in ISO/IEC 27001. However, be aware that the mapping is not an equivalence in either direction: not every ISO/IEC control fully satisfies the intent of the NIST requirement it is mapped to, and meeting a requirement does not mean you have met the SP 800-53 control it came from. As stated in the publication, "Due to the tailoring actions carried out to develop the security requirements, satisfaction of a basic or derived requirement does not imply the corresponding NIST security control or control enhancement in [SP 800-53] has also been satisfied, since certain elements of the control or control enhancement that are not essential to protecting the confidentiality of CUI are not reflected in those requirements."
Organizations that have already implemented, or plan to implement, the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) can use the mapping of the security requirements to the security controls in SP 800-53 and ISO 27001 to locate the equivalent controls in the Categories and Subcategories associated with the core Functions of the Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover.
If I comply with CMMC, will I be compliant with NIST SP 800-171?
The Cybersecurity Maturity Model Certification (CMMC) is a relatively new cybersecurity standard created to ensure that non-federal organizations that contract with the Department of Defense have the appropriate cybersecurity practices and processes in place to protect CUI and Federal Contract Information (FCI) that resides within the organization’s environment. Anyone who conducts (or wants to conduct) business with the DOD will need to obtain the CMMC certification at the level that’s appropriate for the sensitivity level of the data being handled. There are five levels in Version 1.0 of CMMC, and each has a specific set of controls that will be in scope for a CMMC audit.
There is no published guidance yet on the assessment criteria that CMMC Third Party Assessment Organizations (C3PAOs) will use. The common assumption is that NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, will serve as the basis for the criteria used when evaluating a CMMC practice that maps directly to a NIST SP 800-171 Rev 2 requirement.
Although many CMMC practices map directly to a NIST SP 800-171 requirement, passing a CMMC assessment does not necessarily mean you are compliant with NIST SP 800-171.
NIST SP 800-171 Rev 2 defines 110 security requirements for protecting CUI, and its Appendix E tabulates a further 63 SP 800-53 controls that the publication classifies as nonfederal organization (NFO) controls, which it expects contractors to satisfy routinely without spelling them out. CMMC focuses only on the 110 CUI requirements. To be considered compliant with NIST SP 800-171, you need to satisfy both the CUI requirements and the NFO controls.
ComplianceForge, an organization that has analyzed a variety of cybersecurity frameworks, including those from NIST, has warned organizations about the dangers of assuming automatic compliance. In a recent article on this topic, they explained: “Having a CMMC Level 1, 2, 3, 4 or 5 certification does not mean you are actually compliant with NIST 800-171 and that can run your organization afoul through a violation of the False Claims Act (FCA), since you are required to comply with NIST 800-171. CMMC is merely a 3rd party validation check to see if a basic level of compliance is being done as part of the contracting process.”
Hyperproof for NIST SP 800-171 Compliance
Organizations can realize significant benefits when they align their security and compliance program with a well-recognized framework like NIST SP 800-171, but the comprehensive nature of the guidelines can create adoption challenges. Hyperproof's compliance operations solution makes it much easier for organizations to align their security program to NIST SP 800-171, along with other industry-leading cybersecurity frameworks. Sign up for a personalized demo to see how it works.
Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get NIST SP 800-171 ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.