What is NIST 800-171?

NIST 800-171, also known as "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," is a set of cybersecurity guidelines and requirements published by the National Institute of Standards and Technology (NIST) in the United States. These guidelines are designed to help nonfederal organizations, including contractors and subcontractors that work with the U.S. government, protect Controlled Unclassified Information (CUI) in their information systems.

NIST 800-171 provides a framework of security controls and requirements that organizations must implement to ensure CUI's confidentiality, integrity, and availability. It outlines 14 families of security requirements, each containing specific controls and guidelines related to topics such as access control, incident response, risk assessment, and security training.

Compliance with NIST 800-171 is often a contractual requirement for organizations that do business with the U.S. government, primarily when they handle CUI. Failure to meet these requirements may result in contract termination or other legal consequences.

Who Does NIST 800-171 Apply To?  

NIST 800-171 primarily applies to government contractors and subcontractors that handle CUI in their work for agencies like the Department of Defense (DoD), General Services Administration (GSA), and NASA.

Here's a broader breakdown of entities that might need to comply with NIST 800-171:

Contractors and subcontractors working with the US government
Universities and research institutions receiving federal grants that involve CUI
Consulting firms with federal contracts that necessitate handling CUI
Service providers working with federal agencies and potentially handling CUI
Manufacturing companies supplying goods to the government, if CUI is involved

How to Become NIST 800-171 Compliant

1. Understand CUI and Its Classification:
Identify all CUI within your organization. This includes government contracts, healthcare data, and critical infrastructure information.

2. Familiarize Yourself with NIST 800-171 Requirements:

The document outlines 110 controls divided into 14 families, addressing access control, risk assessment, incident response, and more. The publication is on the NIST website.

3. Conduct a Cyber Risk Assessment:

Develop a cyber risk assessment outlining how your organization meets each NIST control. This plan should detail your security policies, procedures, and systems in place to protect CUI.

Discover CyberStrong's cyber risk assessment tool here.

4. Implement Security Measures:

Based on the risk assessment, prioritize and implement the necessary security controls. This might involve strengthening access controls, encrypting data, or improving incident response protocols.

5. Ongoing Monitoring and Maintenance:

Regularly assess the effectiveness of your security measures and update your cyber risk assessment as needed. Remember, cybersecurity is an ongoing process.

What is the Difference Between CMMC and NIST 800-171?

NIST 800-171 is a set of guidelines and best practices for organizations that handle CUI.  It outlines controls to safeguard CUI, but achieving compliance is voluntary. CMMC (Cybersecurity Maturity Model Certification) is a certification program developed by the DoD). Defense contractors must be audited by an approved assessor to demonstrate their cybersecurity maturity level. CMMC certification is mandatory for DoD contractors. 

What is the Difference Between NIST 800-53 and NIST 800-171?

NIST 800-53 is designed for federal organizations and their information systems. It provides a comprehensive framework for protecting all federal information, including CUI and other sensitive data. Think of it as a rulebook for federal government agencies. NIST 800-171 targets non-federal organizations that handle CUI. It outlines security controls focused on safeguarding CUI but applies to a broader range of entities, including government contractors, subcontractors, and any organization entrusted with CUI.

Return to NIST Glossary