What is NIST SP 800-171? Everything You Need to Know

Posted by Admin on March 12, 2018

Over the past several years, high-profile data breaches have compelled the U.S. government to assess its ability to protect sensitive information, particularly when that information resides within the IT systems of contractors doing business with the government. Learn the basics of NIST SP 800-171 and how Deltek Costpoint Cloud solutions may help you meet the new government security requirements. 

What is NIST SP 800-171?

In June 2015, the National Institute of Standards and Technology (NIST) published Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” NIST SP 800-171 provides federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when it is handled by nonfederal organizations. It places significant responsibility on contractors that do business with the government by specifying the security requirements they must meet across their organization, systems, and system components wherever CUI is stored, processed, or transmitted. For Department of Defense contractors the requirements are contractual rather than merely recommended: DFARS clause 252.204-7012 requires covered contractor information systems to implement NIST SP 800-171, with a compliance deadline of December 31, 2017.

NIST SP 800-171 Rev 1 was published in December 2016 and was last updated in February 2018. The full report can be downloaded here: https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final.

What is Controlled Unclassified Information (CUI)?

Established by Presidential Executive Order 13556, CUI is information that a law, regulation, or government-wide policy requires to be safeguarded or subject to dissemination controls, but that is not classified. The government protects it because its loss or unauthorized disclosure directly impacts the government’s ability to carry out its designated missions and business operations. CUI can exist in many formats, such as paper documents, electronic files, and digital media. If you provide services or products to the U.S. federal government, you should first determine whether you store, process, or transmit CUI and, if so, be able to show how your organization protects it. This means you should be prepared to provide documentation describing your technical solutions and policies, and evidence that you can detect and respond to incidents affecting the security of CUI.

Why is NIST SP 800-171 important for CUI?

NIST SP 800-171 matters because it provides a disciplined and structured approach for handling and protecting CUI that is shared as federal agencies and contractors work together. As organizations provide more services online, store data digitally, and increasingly rely on contractors and other third parties for technology services, the threats to that information have grown. NIST SP 800-171 organizes its security requirements (110 of them in Rev 1) into 14 families to help reduce these cybersecurity risks.


What are the 14 security requirement families in NIST SP 800-171?

Following is a list of the 14 “Security Requirement Families” into which NIST SP 800-171 groups the requirements contractors must implement for compliance, each with a brief description. For the individual requirements within each family, see chapter 3 of NIST SP 800-171.

1. Access Control 

Limits system access to authorized users, processes acting on behalf of authorized users, and devices, and restricts those users to the transactions and functions they are permitted to perform.

2. Awareness and Training 

Ensures that managers, system administrators and users of information systems with CUI are made aware of security risks, and that the appropriate people have been properly trained.

3. Audit and Accountability 

Ensures information system logs can track authorized and unauthorized access, and can trace/identify users so that they can be held accountable for actions.

4. Configuration Management 

Describes how to establish and maintain baseline configurations and inventories of network and information systems, and how to document change management processes throughout the system development lifecycle.

5. Identification and Authentication 

Requires that users, processes, and devices be identified and authenticated before they are granted access to organizational systems, and sets requirements for authenticators such as passwords and multifactor authentication.

6. Incident Response 

Describes the operations for dealing with data breaches or security threats and the process for reporting incidents.

7. Maintenance 

Describes maintenance done on information systems and the necessary controls on tools and personnel performing that maintenance.

8. Media Protection 

Describes how media containing CUI (both digital and paper) should be protected from unauthorized users and how media containing CUI should be handled for disposal or release for reuse.

9. Personnel Security

Describes how users should be screened prior to granting access to information systems containing CUI, and how systems should be protected during personnel changes such as terminations or transfers.

10. Physical Protection

Describes how physical access to data centers, information systems and storage systems containing CUI should be limited to authorized users.

11. Risk Assessment 

Requires periodic assessment of the risk to organizational operations, assets, and individuals arising from the operation of systems that handle CUI, including periodic vulnerability scanning and remediation of the vulnerabilities found.

12. Security Assessment 

Requires periodic assessment of whether security controls are effective, plans of action to correct deficiencies and reduce vulnerabilities, and a system security plan that documents how the requirements are met.

13. System and Communications Protection 

Describes the use of secure design, development, and engineering principles to promote effective security within information systems. Also describes how to monitor, control, and protect information transmitted or received by organizational information systems, including at external and key internal boundaries.

14. System and Information Integrity 

Describes the process for identifying, reporting, and correcting system flaws in a timely manner, protecting against malicious code, and monitoring security alerts, advisories, and system traffic to detect attacks and unauthorized use.

Disclaimer: This content is provided for informational purposes only and should not be relied upon as legal advice. The application and impact of NIST SP 800-171 compliance can vary widely based on the specific facts involved. Readers are cautioned to determine how NIST SP 800-171 compliance applies to their business through independent analysis and consultation with legally qualified professionals.