What is NIST SP 800-171?
NIST SP 800-171 is a Special Publication from the National Institute of Standards and Technology (NIST) that specifies the security requirements for protecting controlled unclassified information (CUI), referred to in DoD contracts as covered defense information (CDI), when that information resides in nonfederal information systems. Under DFARS clause 252.204-7012, the deadline was December 31, 2017, either to implement all of the listed security requirements or to identify and document, in a system security plan and associated plans of action, the requirements your organization has not yet implemented.
Why was NIST SP 800-171 created?
The publication gives contractors and subcontractors that handle CUI a concrete set of requirements for protecting that data and for reducing the likelihood and impact of security incidents. Its requirements were derived from FIPS 200 and the moderate security control baseline of NIST SP 800-53, the control catalog for federal information systems, tailored to what a nonfederal organization needs in order to protect the confidentiality of CUI.
What is CUI/CDI?
CUI/CDI is information that is provided to the contractor by or on behalf of the DoD in connection with the performance of the contract, or that is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract, and that falls into any of the following categories:
- Controlled technical information
- Critical information: specific facts, identified through the Operations Security (OPSEC) process, about friendly intentions, capabilities, and activities that adversaries vitally need in order to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment.
- Export control: unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect United States national security and nonproliferation objectives. This includes dual-use items; items identified in the Export Administration Regulations, the International Traffic in Arms Regulations and the United States Munitions List; license applications; and sensitive nuclear technology information.
- Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations and Government-wide policies (e.g., privacy or proprietary business information).
The full list of information types categorized as CUI is maintained in the CUI Registry published by the National Archives and Records Administration (NARA).
What are the security requirements to comply with NIST SP 800-171?
There are 14 security requirement families with a total of 109 requirements, plus one further requirement (3.12.4) to develop, document and periodically update a System Security Plan (SSP) describing system boundaries, operating environments, how the requirements are implemented, and relationships with other systems. It is very important to read the NIST document in its entirety. The 14 families, in the order the publication lists them, are:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Useful External Resources
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, NIST Special Publication 800-171 Revision 1
Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53 Revision 4
Guide for Developing Security Plans for Federal Information Systems, NIST Special Publication 800-18 Revision 1
Final CUI Rule Requires Contractors to Adopt Uniform Treatment of Confidential Information
Understanding NIST SP 800-171: Details About DFARS Compliance