In this article, we’ll explore the ins and outs of NIST 800-171 compliance, including how it fits within the broader NIST standards and who needs to comply. We’ll also discuss some cloud security best practices to help you keep data safe.
Wiz Experts Team
5 minute read
NIST 800-171 is a set of cybersecurity standards that protect Controlled Unclassified Information (CUI) handled by non-federal organizations. It specifies security controls that keep sensitive data confidential, intact, and available. Unlike other standards, NIST 800-171 is designed specifically with CUI in mind, so it stresses a robust, comprehensive approach to data protection.
Why is NIST 800-171 important to your security program?
The U.S. National Institute of Standards and Technology (NIST) provides three major frameworks for cybersecurity standards:
The NIST Cybersecurity Framework (CSF) provides overarching general cybersecurity standards. It is never mandatory, but organizations may choose to adopt it as a cybersecurity roadmap to build their security policies.
NIST 800-53 is the most comprehensive and stringent framework. It is mandatory for federal agencies and contractors that use federal information systems.
NIST 800-171 is derived from a subset of NIST 800-53. It is mandatory for non-federal organizations that handle Controlled Unclassified Information (CUI).
Each framework groups its requirements, known as controls, into families. NIST 800-53 is highly complex, with 1,000+ controls in 20+ families. NIST 800-171, on the other hand, contains only 100+ controls in 17 families (as of this writing). The list is shorter because NIST 800-171 includes only the parts of NIST 800-53 that relate to protecting CUI.
NIST 800-171, officially known as “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” covers the entire CUI lifecycle: marking, safeguarding, transporting, disseminating, reusing, and disposing of data.
NIST 800-171 controls primarily keep data confidential, but they also support data integrity by preventing data from being accessed or modified without permission.
Complying with NIST 800-171 indicates a level of cybersecurity maturity. It means your organization can be trusted to work with U.S. federal government agencies, such as the Department of Defense, GSA, and NASA, either directly or indirectly as a subcontractor.
NIST 800-171 gathers industry best practices into the following control families (as of the most recent NIST 800-171 release):
| Control family | Full name | General purpose |
|---|---|---|
| 03.01 | Access Control (AC) | Restrict access so that only authorized users can reach sensitive systems and data. |
| 03.02 | Awareness and Training (AT) | Educate employees and relevant personnel on cybersecurity risks and best practices to protect CUI. |
| 03.03 | Audit and Accountability (AU) | Track system activities, detect anomalies, and maintain records. |
| 03.04 | Configuration Management (CM) | Establish and maintain baselines for system configurations and track changes. |
| 03.05 | Identification and Authorization (IA) | Check user identities and authenticate access to systems and data. |
| 03.06 | Incident Response (IR) | Plan and carry out effective, efficient security incident response. |
| 03.07 | Maintenance (MA) | Regularly maintain and update systems to ensure ongoing data security. |
| 03.08 | Media Protection (MP) | Securely handle and dispose of media containing CUI throughout its lifecycle. |
| 03.09 | Personnel Security (PS) | Perform background checks and use appropriate security measures for personnel handling CUI. |
| 03.10 | Physical Protection (PE) | Safeguard physical access to facilities, equipment, and systems. |
| 03.11 | Risk Assessment (RA) | Identify, analyze, and assess potential threats to and vulnerabilities in CUI. |
| 03.12 | Security Assessment and Monitoring (CA) | Regularly assess and monitor security controls. |
| 03.13 | System and Communications Protection (SC) | Block systems and communications from being accessed and used without permission. |
| 03.14 | System and Information Integrity (SI) | Prevent unauthorized data modifications to ensure its accuracy. |
| 03.15 | Planning (PL) | Develop and maintain security plans to address CUI-related needs and risks. |
| 03.16 | System and Services Acquisition (SA) | Acquire systems and services that meet security requirements and incorporate security considerations. |
| 03.17 | Supply Chain Risk Management (SR) | Evaluate and manage the cybersecurity posture of third-party suppliers who handle CUI. |
Who needs to comply with NIST 800-171?
All non-federal organizations that use their own information systems to process, store, or transmit CUI on behalf of U.S. federal agencies must comply with NIST 800-171. Subcontractors handling CUI on behalf of those contractors must also comply with NIST 800-171.
CUI includes data that doesn’t pose a risk to national or state security. It is unclassified, but it must be controlled for privacy. CUI might include personally identifiable information (PII), financial data, proprietary business information (PBI), critical infrastructure information (CII), export-controlled information (ECI), and law enforcement sensitive (LES) information.
Level 2 (Self-Assessed) includes all 100+ NIST 800-171 controls, with compliance verified by self-assessment.
Level 2 (C3PAO) includes all NIST 800-171 controls. Compliance is verified by a CMMC Third-Party Assessment Organization (C3PAO).
Level 3 (DIBCAC) includes 20+ additional controls from NIST SP 800-172. Compliance must be verified by a C3PAO and then approved, on request, by the Department of Defense’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). This level is generally required only for defense contractors handling very sensitive data.
When bidding on a government contract, you may notice that the invitation to tender specifies a CMMC level with language like "Bidders must demonstrate compliance with Cybersecurity Maturity Model Certification (CMMC) Level [Level Number] as outlined in NIST Special Publication 800-171." Watch for keywords like "CUI," "cybersecurity," or specific CMMC references.
Here are some situations in which organizations must comply with NIST 800-171:
NIST compliance example #1: A cybersecurity consulting firm
A cybersecurity consulting firm provides network security solutions for the U.S. Department of Homeland Security and handles CUI such as network diagrams, vulnerability assessments, and security incident reports. As a direct contractor handling CUI, this organization must comply with NIST 800-171.
NIST compliance example #2: A university research lab
A university research lab handles PII and personal health information (PHI) for research subjects, along with other research data. Because the lab interacts with U.S. government agencies like the NSF and NIH, it would need to comply with NIST 800-171.
NIST compliance example #3: An automotive manufacturer
An automotive manufacturer provides parts for military vehicles to a Department of Defense contractor, handling proprietary design data and supply chain information. As a subcontractor handling CUI on behalf of a DoD contractor, this organization must comply with NIST 800-171.
What are some simple best practices for NIST 800-171 compliance?
Here are a few steps that’ll save you work in achieving NIST 800-171 compliance:
Understand what CUI you’re handling and its sensitivity level, where it resides (across all cloud providers), and how you use that data throughout its lifecycle, from creation to destruction.
Read through the NIST 800-171 requirements and controls and how they relate to the type of data you’re handling.
Conduct a thorough risk assessment to identify threats and vulnerabilities in your data security posture.
Finally, develop a detailed compliance roadmap with clear timelines and responsibilities.
Simplifying cloud compliance with Wiz
Compliance is important to your business, but it shouldn’t distract your team from other tasks. To simplify the work involved, choose tools that provide maximum visibility across your entire environment (even multi-cloud) and support automation and integration so that nothing falls through the cracks.
As a cloud native application protection platform (CNAPP), Wiz integrates data security posture management (DSPM), cloud security posture management (CSPM), and cloud infrastructure entitlement management (CIEM), along with other tools that simplify NIST compliance—all behind a single pane of glass.
Wiz also keeps up with changes in NIST 800-171 and other regulatory standards like HIPAA and GDPR, updating automatically and flagging issues as standards evolve.
Wiz streamlines cloud compliance with your other security tasks, with:
Full visibility across your entire cloud infrastructure
Automated checks for 100+ standards, including NIST 800-171
Continuous updates for threat intelligence and patching to defend against the latest risks
Automated compliance assessments make your internal audits easy so you can swiftly resolve any issues. Plus, if you need to follow custom frameworks, Wiz provides custom-tailored compliance assessments, freeing your teams from manual drudgework.
Better yet? Wiz rolls out agentlessly, getting you up to speed with streamlined reporting and tools like the Wiz Security Graph for a single prioritized view of cloud risks, with deep context across all your clouds, so you can solve urgent issues first.