The Ultimate Guide to

NIST SP 800-171

What is the NIST SP 800-171?   

NIST SP 800-171 is shorthand for the National Institute of Standards and Technology Special Publication 800-171, Security and Privacy Controls for Federal Information Systems and Organization. The SP 800-171 framework provides recommended security requirements for protecting the confidentiality of controlled unclassified information (CUI) governed by the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS).

What is the purpose of NIST SP 800-171?

Created by computer security and privacy experts at the National Institute of Standards and Technology (NIST), NIST Special Publication 800-171, Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, contains recommended security requirements for protecting the confidentiality of CUI when (1) the information resides in nonfederal systems and organizations; (2) the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and (3) there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry.

What are the requirements for NIST SP 800-171?

CUI, or controlled unclassified information, is government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. It’s also not corporate intellectual property unless created for or included in requirements related to a government contract.

Up until 2010, CUI wasn’t even called CUI — it appeared under an assortment of names, like “for official use only” and “sensitive but unclassified.” More troubling was that no standardized guidelines existed for assessing CUI — one company could label information extremely sensitive while another could treat the same information as less sensitive.

For related content, check out our Guide to NIST 800-53.

What classifies as “CUI” under NIST SP 800-171 Guidelines?

In November of 2010, the Obama Administration issued Executive Order 13556, which created ten categories of non-classified information needing control and protection due to potential vulnerability and security risk. The goal was to create a uniform system for safeguarding and disseminating CUI. The Final Rule was issued in 2016 by the National Archives and Records Administration to provide implementation direction for Executive Order 13556 and to support a standardized methodology for assessing CUI.

Two subsets of CUI exist: basic and specified. The Final Rule sets the handling and dissemination controls for Basic CUI at the moderate level under the Federal Information Security Modernization Act (FISMA), with information marked “CUI” or “controlled.” Specified CUI requires more restrictive handling controls, and the designating agency must apply specific dissemination controls for each information category. Examples of agency subset categories for CUI include agriculture, legal, transportation, financial, tax, and immigration.

Who needs to comply with NIST SP 800-171?

If you’re a contractor for a federal agency and your organization is processing CUI, you may be contractually obligated by the agency to implement the requirements recommended in SP 800-171. To be clear, these security requirements would apply to the components of your environment that process, store, or transmit CUI or that provide security protection for such components.

If you’re seeking to secure a contract with a federal agency, during the evaluation process the agency is likely to ask you to submit a system security plan (SSP), a comprehensive document that describes in detail how security requirements in SP 800-171 are met within your organization and how you plan to address known and anticipated threats. Federal agencies consider the submitted system security plans and associated plans of actions as critical inputs in their decision on whether it would be advisable to enter an agreement with the nonfederal organization.

Can NIST SP 800-171 improve my security system?

Even if you’re not contractually obligated to implement the security requirements recommended in SP 800-171, you will still benefit from adopting these guidelines because they give you a solid foundation and methodology for creating operating procedures and security controls across the board within your organization. They can also give you a head start if you need to achieve additional certifications such as ISO 27001.

How do I become NIST SP 800-171 compliant?

To become fully compliant with SP 800-171 your organization will need to do the following:

  • Locate and identify the systems and solutions in your network that store or transfer CUI. These are the systems you’ll need to protect.
  • Implement controls — policies, procedures, processes, and technical solutions — to protect CUI.
  • Train your employees on how to use and transfer CUI in a way that is consistent with the requirements set out in special publication 800-171.
  • Periodically assess the controls in organizational systems to see if the controls are effective in their application. This assessment should be done on a regular basis to ensure that current processes will continue to protect CUI.
  • Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems are identified, and remediate those vulnerabilities.

But you’re not done just yet, as working with federal agencies comes with additional compliance and reporting obligations. In order to get a federal agency to view your organization as “NIST SP 800-171 compliant,” your system security plan will need to include documentation of how the security requirements are met or how you plan to meet the requirements and address known and anticipated threats.

A system security plan describes:

  • The system boundary
  • The operational environment
  • How security requirements are implemented
  • The relationships with or connections to other systems

You’ll also need to develop plans of action that describe how unimplemented security requirements will be met. You can document the system security plan and the plan of action as separate documents or in one document.

When requested, your system security plan and associated plans of action for any planned implementations or mitigations need to be submitted to the responsible federal agency/contracting office. Federal agencies may consider the submitted system security plans and plans of action as critical input to a risk management decision of whether to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization.

What are the NIST SP 800-171 controls?

There are 17 families of recommended security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations. Each organization can implement a variety of potential security solutions, either directly or using managed services, to satisfy the security requirements. Organizations can also implement alternative but equally effective security measures to satisfy a requirement.

The control families are as follows:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment and Monitoring
  • System and Communications Protection
  • System and Information Integrity
  • Planning
  • System and Services Acquisition
  • Supply Chain Risk Management

Each control family then contains several specific requirements — each with an explanation (referred to as “discussion” in the publication).

How does NIST SP 800-171 map to NIST SP 800-53?

You may not need to implement NIST SP 800-171 requirements from scratch. If you’ve already implemented NIST SP 800-53, you can leverage some of your existing security controls to meet these requirements.

Organizations that have already implemented, or plan to implement, the NIST Cybersecurity Framework (NIST CSF) can use the mapping of the security requirements to the security controls in SP 800-53 to locate the equivalent controls in the Categories and Subcategories associated with the core Functions of the Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.

If I comply with CMMC, will I be compliant with NIST SP 800-171?

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity standard created to ensure that non-federal organizations that contract with the Department of Defense have the appropriate cybersecurity practices and processes in place to protect CUI and Federal Contract Information (FCI) that resides within the organization’s environment.

Anyone who conducts (or wants to conduct) business with the DOD will need to obtain the CMMC certification at the level that’s appropriate for the sensitivity level of the data being handled. There are three levels in Version 2.0 of CMMC, and each has a specific set of controls that will be in scope for a CMMC audit.

When assessing CMMC, 3rd Party Assessment Organizations (3PAOs) will use the CMMC Assessment Process (CAP). For each of the three levels, the documentation varies. Be sure to check the official website for up-to-date documentation regarding CMMC.

Although CMMC is based on 800-171 rev 2 and requirements may map directly to an 800-171 control, passing a CMMC audit does not necessarily mean you are compliant with SP 800-171.

NIST SP 800-171: Frequently Asked Questions

NIST SP 800-171 revision 2 (rev 2) and revision 3 (rev 3) differ primarily in rev 3’s enhancements and clarifications to existing controls. Rev 3 was released to provide more precise guidance, incorporate feedback on rev 2, resolve ambiguities, and align with evolving cybersecurity standards. The core controls have been consolidated, resulting in fewer controls but additional control families. Rev 3 also refines the language to improve implementation and understanding; one example is the elimination of the term “periodically,” which had caused confusion.

Rev 3 was released in May 2024. This version aims to provide clearer guidance and more detailed expectations to help organizations better understand and implement the required security controls.

Organizations implement NIST SP 800-171 by following these steps:

  1. Assessment: Conduct a thorough assessment to identify Controlled Unclassified Information (CUI) and determine the current state of security controls.
  2. Gap analysis: Compare existing security controls with SP 800-171 requirements to identify gaps.
  3. Plan of action: Develop a plan of action to address identified gaps, including prioritizing tasks, setting timelines, and allocating resources.
  4. Implementation: Apply necessary controls and improvements, including technical, administrative, and physical security controls.
  5. Training: Educate employees on new security policies and procedures to ensure compliance.
  6. Monitoring and continuous improvement: Regularly monitor the effectiveness of implemented controls and make adjustments as needed to adapt to new threats and vulnerabilities.
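The assessment, gap analysis and plan-of-action steps above can be driven from a simple control inventory. The Python below is an added example, not code from Hyperproof or from the publication: it takes an inventory of controls with their implementation status, summarizes coverage per family, lists the gaps, and turns each gap into a plan-of-action entry. The control identifiers and statuses in the inventory are constructed placeholders (only the family names come from the publication's family list), and the priority scheme and the 90/180-day deadlines are assumptions for illustration, not SP 800-171 requirements.

```python
"""Gap analysis and plan-of-action generator for an SP 800-171 control inventory.

Added example; not Hyperproof's or NIST's code. Control ids below are
constructed placeholders in a rev-3-like "NN.NN.NN" shape, not real
requirement numbers. Family names follow the publication's family list.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed inventory: (control id, control family, implementation status).
INVENTORY = [
    ("03.01.01", "Access Control", "implemented"),
    ("03.01.02", "Access Control", "partially implemented"),
    ("03.02.01", "Awareness and Training", "not implemented"),
    ("03.03.01", "Audit and Accountability", "implemented"),
    ("03.05.03", "Identification and Authentication", "partially implemented"),
    ("03.06.01", "Incident Response", "not implemented"),
    ("03.11.02", "Risk Assessment", "not applicable"),
]

VALID_STATUSES = {"implemented", "partially implemented",
                  "not implemented", "not applicable"}

# Assumed scheme: missing controls are worked first and on a tighter deadline.
PRIORITY = {"not implemented": 1, "partially implemented": 2}
DEADLINE_DAYS = {"not implemented": 90, "partially implemented": 180}


@dataclass(frozen=True)
class PoamEntry:
    control: str
    family: str
    status: str
    priority: int
    due: date


def assess(inventory):
    """Step 1 (assessment): validate statuses and count them per family."""
    summary = {}
    for control, family, status in inventory:
        if status not in VALID_STATUSES:
            raise ValueError(f"{control}: unknown status {status!r}")
        summary.setdefault(family, Counter())[status] += 1
    return summary


def gaps(inventory):
    """Step 2 (gap analysis): controls that still need work.

    'not applicable' is excluded: it is a scoping decision to document in
    the SSP, not a gap to close.
    """
    return [(c, f, s) for c, f, s in inventory if s in PRIORITY]


def coverage(inventory):
    """Fraction of applicable controls that are fully implemented."""
    applicable = [s for _, _, s in inventory if s != "not applicable"]
    done = sum(1 for s in applicable if s == "implemented")
    return done / len(applicable) if applicable else 1.0


def plan_of_action(inventory, start=date(2025, 1, 1)):
    """Step 3 (plan of action): one dated, prioritized entry per gap."""
    entries = [
        PoamEntry(c, f, s, PRIORITY[s], start + timedelta(days=DEADLINE_DAYS[s]))
        for c, f, s in gaps(inventory)
    ]
    # Highest priority first, then by control id for a stable report order.
    return sorted(entries, key=lambda e: (e.priority, e.control))


if __name__ == "__main__":
    for family, counts in assess(INVENTORY).items():
        print(f"{family}: {dict(counts)}")
    print(f"coverage: {coverage(INVENTORY):.0%}")
    for e in plan_of_action(INVENTORY):
        print(f"P{e.priority} {e.control} ({e.family}) {e.status} -> due {e.due}")
```

Running the script prints the per-family status counts, the coverage of applicable controls, and the prioritized plan-of-action list; swapping in a real inventory export (for example, from a spreadsheet) is the only change needed to reuse it.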

NIST SP 800-171 applies to any non-federal organization that processes, stores, or transmits controlled unclassified information (CUI) on behalf of the U.S. federal government. This includes contractors, subcontractors, and other partners that work with federal agencies.

Yes, compliance with NIST SP 800-171 is required for non-federal organizations that handle CUI. This requirement is often stipulated in contracts and agreements with federal agencies. Failure to comply can result in penalties, including loss of contracts and potential legal action. However, it is important to note that while compliance with SP 800-171 is required by the Department of Defense (DoD) for contractors under the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, other federal agencies may require it as well.

ISO 27001 is an international standard for information security management systems (ISMS), focusing on a risk-based approach to managing information security. It provides a comprehensive framework for establishing, implementing, maintaining, and continually improving an ISMS.

NIST SP 800-171, on the other hand, is a U.S.-specific standard that provides guidelines for protecting controlled unclassified information (CUI) in non-federal systems and organizations. While both standards aim to enhance information security, ISO 27001 is broader and internationally recognized, whereas SP 800-171 is specifically tailored to meet U.S. federal requirements for CUI protection.

No, SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC) are not the same, although they are related. SP 800-171 provides a set of security controls specifically for protecting CUI. CMMC builds on SP 800-171 by introducing a maturity model with five levels, incorporating additional practices and processes. CMMC is designed to ensure that contractors not only have the required controls in place but also demonstrate consistent implementation and maturity in their cybersecurity practices.

NIST SP 800-171 contains 97 security controls organized into 17 families. These controls cover various aspects of information security, such as access control, incident response, and system and communications protection.

Read more about NIST SP 800-171 controls

Yes, NIST SP 800-171 requires multi-factor authentication (MFA) as part of its access control requirements. Specifically, controls 03.05.03 and 03.05.07 mandate the use of MFA for local and network access to privileged accounts and for access to CUI. This control ensures that unauthorized individuals cannot easily gain access to sensitive information.

NIST SP 800-171 maps to the following frameworks: 

Hyperproof for NIST SP 800-171 Compliance

Organizations can realize significant benefits when they align their security and compliance program with a well-recognized framework such as NIST SP 800-171, but the comprehensive nature of the guidelines creates adoption challenges. Hyperproof’s compliance operations solution makes it much easier for organizations to align their security program with SP 800-171, along with other industry-leading cybersecurity frameworks. Sign up for a personalized demo to see how it works.


  • Utilize our NIST SP 800-171 program templates to map your controls against the requirements
  • Leverage existing controls from ISO 27001 or NIST CSF to satisfy SP 800-171 requirements
  • Fill out your system security plan and automatically generate an SSP report
  • Define control health metrics and monitor security controls in real time
  • Easily collect evidence of controls’ effectiveness for independent verification
  • Collaborate with stakeholders seamlessly, as Hyperproof integrates with the productivity tools you already have

Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get NIST SP 800-171 ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.
