NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171 or NIST 800-171), provides federal agencies with a set of recommended security requirements designed to ensure that Controlled Unclassified Information (CUI) remains confidential when it is processed, stored or transmitted by nonfederal systems and organizations.
The protection of CUI is of paramount importance to federal agencies and can directly impact their ability to successfully conduct their assigned missions and business operations.
Specifically, NIST SP 800-171 provides a set of recommended security requirements for protecting the confidentiality of CUI that:
- Resides in nonfederal systems and organizations
- Is held by a nonfederal organization that is not collecting or maintaining the information on behalf of a federal agency, and is not using or operating a system on behalf of an agency (in that case the agency's own FISMA and NIST SP 800-53 requirements apply instead)
- Has no specific safeguarding requirements for protecting its confidentiality prescribed by the authorizing law, regulation or government-wide policy for the CUI category or subcategory.
The security requirements are intended for use by federal agencies in contractual vehicles or agreements established between those agencies and nonfederal organizations.
Why is NIST SP 800-171 Important?
Today, more than any time in history, the U.S. government relies on external service providers to carry out a wide range of missions and business functions.
For example, many federal contractors routinely process, store and transmit sensitive information in their systems to support the delivery of products or services to federal agencies.
Additionally, federal information is frequently provided to or shared with state and local governments, colleges, universities and independent research organizations.
NIST SP 800-171 is important because it is designed to protect sensitive federal information residing in the systems of third-party vendors, government contractors and service providers.
This is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations, including those related to critical infrastructure.
Previous OPSEC failures have shown that individually unclassified pieces of sensitive data can be aggregated to reveal otherwise clandestine plans, which is why CUI needs protection even though it is not classified.
What is the Purpose of NIST SP 800-171?
NIST SP 800-171 was created to provide guidelines around security requirements for protecting Controlled Unclassified Information (CUI).
It does this by providing 14 families of security requirements that support secure and resilient processing of CUI.
These security requirements are operational, technical and management safeguards that, when implemented, maintain the confidentiality, integrity and availability of sensitive information and prevent unauthorized access to it.
This approach is designed to help nonfederal entities to comply with the security requirements using the systems and practices they already have in place, rather than trying to use government-specific approaches.
These security requirements apply to any component of nonfederal systems and organizations that processes, stores or transmits CUI, or that provides security protection for such components.
Note: the term "information system" has been replaced by the term "system" to reflect a broader, more holistic definition that includes general purpose information systems, industrial and process control systems, cyber-physical systems and individual devices that are part of the Internet of Things (IoT).
NIST SP 800-171, like NIST SP 800-53, is part of the NIST Special Publications (SP) 800 series which are based on the Information Technology Laboratory's (ITL) research and guidelines.
The 800 series is designed to provide a multi-tiered approach to risk management through control compliance and security measures.
As a whole, they provide federal agencies and their supply chain with minimum acceptable information security standards for managing sensitive government data.
Who is the Intended Audience for NIST SP 800-171?
NIST SP 800-171 serves a diverse group in both the public and private sector, including but not limited to individuals with:
- System development life cycle responsibilities (e.g. program managers, business owners, information owners, system designers and developers, security engineers and system integrators)
- Acquisition or procurement responsibilities (e.g. contracting officers)
- System, security, risk management or oversight responsibilities (e.g. authorizing officials, chief information officers, chief information security officers, system owners, information security managers)
- Security assessment and monitoring responsibilities (e.g. auditors, system evaluators, assessors, independent verifiers, analysts)
The above roles and responsibilities are not all-encompassing and should be viewed from two distinct perspectives: the federal entity establishing and conveying the security requirements in contracts or other interorganizational agreements, and the nonfederal entity responding to and complying with the security requirements outlined in those contracts or agreements.
Who Must Comply With NIST SP 800-171?
Any nonfederal organization (contractor, service provider, university, research organization, or state or local government) that processes, stores or transmits CUI on behalf of a federal agency, where the agency's contract or agreement requires it. Federal agencies are the ones that impose the requirements through those contracts.
Additionally, the Department of Defense (DoD) requires NIST SP 800-171 compliance from its contractors via the DFARS clause 252.204-7012. All DoD contractors handling covered defense information, including research projects governed by a DoD contract, were required to be in compliance with NIST 800-171 as of December 31, 2017.
You can use this free NIST 800-171 questionnaire template to assess each vendor's alignment with NIST 800-171 principles.
What are the Benefits of Complying With NIST SP 800-171?
NIST SP 800-171 provides a standardized way to handle Controlled Unclassified Information (CUI).
The CUI Program addresses several deficiencies in managing and protecting unclassified information, including inconsistent markings, inadequate safeguarding and needless restrictions, by standardizing procedures and providing common definitions through the CUI Registry.
The NIST SP 800-171 requirements are derived from the moderate baseline of NIST SP 800-53, so by complying with NIST SP 800-171 you will also have covered much of the ground required by NIST SP 800-53, and compliance with NIST SP 800-53 is a major part of FISMA and FedRAMP compliance.
It will also improve your organization's security posture and reduce the likelihood of data breaches by providing a secure foundation for information processing.
Additionally, complying with NIST SP 800-171 and other best practices can help your organization comply with other data protection laws and regulations including the SHIELD Act, LGPD, GDPR, CCPA, GLBA, PIPEDA, HIPAA, PCI DSS and 23 NYCRR 500.
How to Comply With NIST SP 800-171
NIST SP 800-171 outlines 14 families of security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations.
Additionally, organizations can use the security controls in NIST SP 800-53 to obtain additional, non-prescriptive information and supplemental guidance related to each security requirement, and to see how the requirements map to the corresponding controls.
As an example, requirement 3.1.19 requires organizations to "Encrypt CUI on mobile devices and mobile computing platforms".
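As an added illustration of what satisfying requirement 3.1.19 looks like in code (this is example code written for this page, not NIST's or any vendor's implementation), the Go program below encrypts a CUI record with AES-256-GCM before it is stored on a mobile device. The record's CUI marking is bound to the ciphertext as associated data, so a record cannot be silently relabelled to a less restrictive category, and any modification of the stored bytes is detected on read. The key handling, the "CUI//SP-PROPIN" marking and the sample record are assumptions made for the example; on a real device the key would come from the platform's hardware-backed keystore rather than be generated in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptCUI seals a CUI record with AES-256-GCM. The stored layout is
// nonce || ciphertext || tag. The CUI marking (e.g. "CUI//SP-PROPIN") is
// bound to the record as associated data: it stays readable alongside the
// record, but any change to it makes DecryptCUI fail, so a record cannot be
// quietly relabelled to a less restrictive category.
func EncryptCUI(key []byte, marking string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per record; nonce reuse under one key
	// destroys GCM's confidentiality and forgery resistance.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(marking)), nil
}

// DecryptCUI reverses EncryptCUI. It returns an error if the key or the
// marking is wrong, or if a single bit of the stored record was altered.
func DecryptCUI(key []byte, marking string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(marking))
}

// newGCM builds the AEAD and rejects anything but a 32-byte (AES-256) key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample data for this example, not real CUI. The key is
	// generated here only for demonstration; a real device would fetch it
	// from a hardware-backed keystore.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("proposal pricing worksheet (constructed sample)")

	sealed, err := EncryptCUI(key, "CUI//SP-PROPIN", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d stored bytes\n", len(record), len(sealed))

	// Honest read-back succeeds.
	if _, err := DecryptCUI(key, "CUI//SP-PROPIN", sealed); err != nil {
		panic(err)
	}
	// Relabelling the record to a less restrictive marking is detected.
	_, err = DecryptCUI(key, "CUI", sealed)
	fmt.Println("relabelled record opens:", err == nil)
	// So is corrupting one byte of the stored ciphertext.
	sealed[len(sealed)-1] ^= 0x01
	_, err = DecryptCUI(key, "CUI//SP-PROPIN", sealed)
	fmt.Println("tampered record opens:", err == nil)
}
```

Encryption alone is only part of the requirement: the key must never sit unprotected next to the data it protects, and the assessor will want to see where it is generated, stored and destroyed.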
Nonfederal organizations must create a system security plan (SSP) that describes how the specified security requirements are met. The SSP should describe the system boundary, operational environment, how security requirements are implemented and the relationships with or connections to other systems.
For any security requirement that is not yet implemented, a plan of action and milestones (POA&M) should be created that describes how the requirement will be met and how any planned mitigations will be implemented.
Organizations can document the system security plan and plan of action as separate or combined documents in any chosen format.
When requested, the system security plan and associated plan of action can be submitted to the responsible federal agency or contracting officer to demonstrate your implementation or planned implementation of the security requirements.
These documents will feed into the federal agency's overall risk management decision to process, store or transmit CUI through your system or organization.
This checklist will support your NIST 800-171 compliance efforts.
What are the 14 Security Requirement Families in NIST SP 800-171?
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Read about the underlying security requirements in the NIST SP 800-171 paper here.
What is the Definition of Controlled Unclassified Information (CUI)?
Controlled Unclassified Information is any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
The approved CUI categories are outlined in the CUI Registry.
What is the CUI Registry?
The CUI Registry is an online repository for information, guidance, policy and requirements on handling CUI.
Additionally, the CUI Registry identifies the basis for the controls and sets out procedures for the handling of CUI, including but not limited to marking, safeguarding, transporting, disseminating, reusing and disclosing the information.
What are the Approved CUI Categories?
The CUI Registry groups the approved categories under the following organizational index groupings:
- Critical infrastructure
- Defense
- Export control
- Financial
- Immigration
- Intelligence
- International agreements
- Law enforcement
- Legal
- Natural and cultural resources
- NATO
- Nuclear
- Patent
- Privacy
- Procurement and acquisition
- Proprietary business information
- Provisional
- Statistical
- Tax
- Transportation
Read more about the CUI categories here.
How Does NIST SP 800-171 Relate to FISMA?
The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations and assets against natural and manmade threats including cyber attacks, data breaches and data leaks.
FISMA requires federal government agencies, state agencies administering federal programs, and contractors and other organizations that operate systems on behalf of the government to develop, document and implement risk-based information security policies and procedures based on the NIST 800 series.
How Does NIST SP 800-171 Relate to FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is designed to enable easier contracting for federal agencies with cloud service providers.
The FedRAMP authorization process requires a third-party assessment organization (3PAO) to assess the security controls of the cloud service provider.
This is done through a Security Assessment Plan (SAP), performing initial and periodic assessments of security controls and producing a Security Assessment Report (SAR).
These assets are then submitted to the Joint Authorization Board or an agency to review.
If authorized, cloud service providers are awarded an Authority to Operate (ATO) and are placed on the FedRAMP marketplace for other agencies to find services that meet their needs and security requirements.
The ATO is reviewed on an annual basis by the 3PAO, or more frequently if there are deviation requests or significant changes to the service.
Who Published NIST SP 800-171?
NIST SP 800-171 is published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the Department of Commerce.
NIST was set up to encourage and assist in innovation and science through the promotion and maintenance of a set of industry standards, such as the NIST Cybersecurity Framework.
NIST SP 800-53 is one of those standards and guidelines designed to help federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA). NIST's other remit is to develop the Federal Information Processing Standards (FIPS).
When Was NIST SP 800-171 Last Updated?
At the time this article was written, the most recent update was Revision 1 in December 2016. NIST has since published Revision 2 (February 2020) and Revision 3 (May 2024), so check which revision your contract references.
Revision 1 was an errata update that included minor editorial changes to select CUI security requirements, additional references and definitions, and a new appendix containing an expanded discussion of each CUI requirement.
The most visible change was the title change from Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations to Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, reflecting that as computing platforms and technologies are deployed ubiquitously worldwide and systems and components are connected through wired and wireless networks, the susceptibility of CUI to loss or compromise grows, as does the potential for adverse consequences resulting from such occurrences.
How UpGuard Can Improve Your Cybersecurity
UpGuard helps companies secure their third-party attack surface by addressing the complete lifecycle of Vendor Risk Management, including:
- Due Diligence - Secure the vendor onboarding process with a vast library of industry-standard security assessments, including NIST CSF and NIST 800-53.
- Attack Surface Monitoring - By combining point-in-time assessments with security ratings, UpGuard supports real-time awareness of emerging vendor security risks and supply chain attack threats.
- Regulatory Compliance tracking - Track the regulatory compliance efforts of all your third-party vendors and identify compliance gaps increasing your risk of suffering costly violations.
- Data Leak Detection - Detect and shut down data leaks on the dark web before they're used to facilitate data breaches.