An Overview of NIST SP 800-171

In this article, you will discover:

• What is NIST SP 800-171 and CUI
• NIST SP 800-171 requirements and who they apply to
• What to do to comply with NIST SP 800-171

What is NIST SP 800-171?

NIST SP 800-171 (or just 800-171) was developed by the National Institute of Standards and Technology (NIST), outlining requirements for non-federal computer systems handling controlled unclassified information (CUI).

What is CUI?

Controlled Unclassified Information (CUI) is unclassified information belonging to the federal government that is sensitive and therefore needs safeguarding.

There are numerous categories of CUI, including:

• Electronic files
• Emails
• Email attachments
• Proprietary information
• Designs and specifications
• Paper documents

So, what type of information would be regarded as sensitive but not classified?

Consider the specifications for a component utilized in military aircraft production as an example. While not classified and seemingly insignificant on its own, such information can facilitate industrial espionage by foreign adversaries, enabling them to glean critical insights into the aircraft’s overall design.

Who Does NIST SP 800-171 Apply To?

NIST SP 800-171 is mandated for any non-federal entity (contractors, vendors, suppliers) that processes, stores, transmits, or protects CUI for the Department of Defense (DoD), General Services Administration (GSA), National Aeronautics and Space Administration (NASA), or other federal and state agencies. 

NIST SP 800-171 Requirements

110 requirements in SP 800-171 are organized into 14 “families”, addressing various aspects of an organization’s IT infrastructure, policies, and procedures. Below is a summary of the requirement families (further information on the publication can be accessed here):

1. Access Control (22 requirements): family outlines access control requirements, such as limiting system access to authorized users, separating duties to mitigate malicious activity, implementing the principle of least privilege, and employing various security measures for remote access and mobile devices.
2. Awareness and Training (3 requirements): family emphasizes the importance of ensuring that personnel at all levels are aware of security risks and adequately trained in information security-related tasks, including recognizing and reporting potential indicators of insider threats.
3. Audit and Accountability (9 requirements): requires maintaining information system audit records to facilitate monitoring and analysis of system activity, as well as ensuring traceability of individual user actions. It also emphasizes the need for reviewing and updating audited events, alerting in case of audit process failure, and restricting management of audit functionality to privileged users.
4. Configuration Management (9 requirements): focuses on establishing and maintaining baseline configurations and security settings for organizational information systems, including hardware, software, and firmware, throughout their development life cycles.
5. Identification and Authentication (11 requirements): outlines the need to identify and authenticate users, processes, or devices accessing organizational information systems, emphasizing measures such as multi factor authentication, replay-resistant mechanisms, and password management policies.
6. Incident Response (3 requirements): mandates the establishment of an incident-handling capability for organizational information systems, covering preparation, detection, analysis, containment, recovery, and user response, with additional provisions for incident tracking, documentation, reporting, and testing to ensure effectiveness.
7. Maintenance (6 requirements): necessitates regular maintenance of information systems and managing maintenance tools, techniques, mechanisms and personnel. 
8. Media Protection (9 requirements): ensures the protection of information system media holding CUI, both physical and digital formats. It also mandates controlling access to CUI on such media and requires the sanitization or destruction of media before disposal or reuse.
9. Personnel Security (2 requirements): involves screening individuals before granting access to CUI information systems and ensuring the protection of CUI and related systems during and after personnel changes like terminations or transfers.
10. Physical Protection (6 requirements): aims to restrict physical access to organizational information systems and equipment, and monitor the physical facility and infrastructure supporting these systems.
11. Risk Assessment (3 requirements): requires periodic risk assessments of organizational operations, people and assets.
12. Security Assessment (4 requirements): involves regularly assessing and monitoring the effectiveness of security controls in organizational information systems, addressing any deficiencies or vulnerabilities, and maintaining up-to-date system security plans.
13. System and Communications Protection (16 requirements): emphasizes monitoring and safeguarding organizational communications, along with employing architectural designs and software techniques to enhance information security. Some examples include separating user functionality from management, preventing unauthorized data transfer, and employing cryptographic mechanisms for data protection.
14. System and Information Integrity (7 requirements): focuses on identifying, addressing, and responding to information system flaws, protecting against malicious code, and promptly acting on security alerts and advisories.

How to Comply with NIST SP 800-171

To ensure compliance with NIST 800-171 requirements, organizations can follow these six steps:

1. Locate and Identify CUI: Identify systems and solutions within the network that store and transfer CUI, including:
   1. Local Storage 
   2. Cloud Storage 
   3. Endpoints
   4. Portable Hard Drives or Devices
2. Categorize CUI: Split the identified data into two categories: CUI and non-CUI and prioritize the protection of CUI.
3. Implement Required Controls: Encrypt CUI in transit and at rest, and enforce access controls to restrict unauthorized access. Utilize secure file sharing solutions for effective access management.
4. Train Your Employees: Provide comprehensive training on handling CUI in compliance with NIST 800-171 standards. Regularly communicate compliance updates to employees to ensure ongoing awareness.
5. Monitor Your Data: Establish robust monitoring mechanisms to track access to CUI and user activities. Implement solutions for recording and auditing user actions to maintain accountability.
6. Assess Your Systems and Processes: Conduct regular security assessments to evaluate the effectiveness of security controls and identify vulnerabilities. Adapt security measures to address changing organizational needs and evolving threats.

Sign up for Agency today and find more about ways to stay NIST SP 800-171 compliant.