NIST SP 800-171 & Controlled Unclassified Data: A Guide in Plain English

NIST Special Publication (SP) 800-171 is a list of controls that define Controlled Unclassified Data (CUI) and the security standards for non-federal organizations that handle it. It is roughly similar in intent to NIST 800-53, the “Control Catalog”, but significantly less stringent and focused on non-federal organizations (e.g. federal service integrators, defense contractors, etc.) instead of Federal agencies. It is very closely related to the controls that are needed to achieve Cybersecurity Maturity Model Certification (CMMC) 2.0 framework Level 2 (Advanced) compliance.

Complying with NIST 800-171 is required for any non-federal organization that handles CUI. This includes Prime contractors working for the DoD and their subcontractors, as well as universities and research institutions receiving federal grants. Compliance determines whether these organizations are eligible to do business with the DoD and reap the rewards of the associated federal funds.

What is NIST SP 800-171?

NIST SP 800-171 is a document that provides guidelines to secure sensitive but unclassified federal information (i.e. Controlled Unclassified Data) that resides in nonfederal systems and organizations (e.g. federal service integrators, defense contractors, etc.). You can think of CUI as Personally Identifiable Information (PII) with a few extra categories of information added in like proprietary business information, law enforcement information, or information that could affect national security.

If you are a federal service integrator, defense contractor, or any other business that wants to do business with a federal agency AND will need to process or hold CUI as part of your business then you will need to comply with NIST SP 800-171. More specifically, you will need to comply with the CMMC 2.0 framework. When you meet the certification requirements for Level 2 (Advanced) of the CMMC you will be in compliance with NIST SP 800-171.

Revisions

NIST Special Publication (SP) 800-171 is titled, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. It was originally published in December 2016 as revision 1 and has been updated most recently May 2023 as revision 3. NIST 800-171 has three revisions to date, with the most recent – NIST 800-171 Revision 3 Draft – published in May 2023. 

We’ll provide an overview of each here, starting with the most recent revision: 

NIST 800-171 Rev 3 summary

NIST 800-171 revision 3 was published as a draft in May 2023 and is currently going through the formal publication process which will end with the publication of a final draft later this year. 

This revision is primarily updating the document to stay in line with the other documents that it is tied to. NIST 800-171 is based on NIST SP 800-53 Revision 5 controls and SP 800-53B moderate control baseline. NIST SP 800-53 Revision 5 was published in September 2020. All of those changes have been incorporated into revision 3 of NIST 800-171 including moving from 14 control families to 17. 

Revision 3 has also adopted the use of organization-defined parameters (ODP) to allow organizations to tailor specific values to their circumstances.

If you’d like to read the entire revision in full, you can find it here.

NIST 800-171 Rev 2 summary

NIST 800-171 revision 2 did not contain any significant changes from revision 1. It was published alongside a working draft of NIST SP 800-171B which was a precursor to CMMC.

If you’d like to read the entire revision in full, you can find it here.

NIST 800-171 Rev 1 summary

NIST 800-171 revision 1 was originally created in order to provide guidance to non-federal organizations on how to protect CUI in their IT environments. It was published December 2016.

If you’d like to read the entire revision in full, you can find it here.

NIST 800-171 compliance: Understand the control families

Achieving and maintaining NIST 800-171 compliance requires meeting standards outlined in the special publication’s 17 control families and the 110 corresponding controls. The term “control family” is used to organize the security controls in a manner that makes them easier to reference and manage. Together the NIST 800-171 control families form a checklist of requirements for organizations to follow:

1. Access Control (AC)
   Controls that limit access to information systems and the information they process and store based on the principle of least privilege. Access controls can be both technical (such as logins and passwords) and physical (such as locked doors).
2. Awareness and Training (AT)
   Controls that aim to ensure that individuals within the organization are adequately trained and informed about security risks and their responsibilities towards mitigating those risks.
3. Audit and Accountability (AU)
   Controls that record and examine activity in information systems to detect and respond to security incidents.
4. Configuration Management (CM)
   Controls that focus on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations.
5. Identification and Authentication (IA)
   Controls that ensure the identity of an entity (a user or a system) is verified before access is granted.
6. Incident Response (IR)
   Controls that establish the capability to respond to, manage, report, and learn from information system incidents.
7. Maintenance (MA)
   Controls that involve the routine, periodic, or emergency maintenance of information systems, including any potential security impacts.
8. Media Protection (MP)
   Controls that protect information in print or electronic format from unauthorized access, disclosure, alteration, and destruction.
9. Personnel Security (PS)
   Controls that ensure trustworthiness and appropriate training for roles and responsibilities for individuals having access to the system.
10. Physical Protection (PE)
    Controls that provide measures to safeguard physical resources and support facilities of an information system.
11. Risk Assessment (RA)
    Controls that guide the identification and assessment of risks to organizational operations, assets, or individuals.
12. Security Assessment and Authorization (CA)
    Controls that deal with the initial authorization to operate the system and ongoing monitoring of security controls.
13. System and Communications Protection (SC)
    Controls that protect the integrity of transmissions and information flows in information systems.
14. System and Information Integrity (SI)
    Controls that protect the integrity of information and information systems by protecting against malware, providing intrusion alerts, and ensuring information input and output integrity.
15. Planning (PL)
    Controls that involve system security plans, rules of behavior, and more to guide the implementation and operation of the information system.
16. System and Services Acquisition (SA)
    Controls that address the life cycle of information systems, including system development, system integration, and outsourcing decisions.
17. Supply Chain Risk Management (SR)
    A control family added in Revision 5 that deals with reducing the risk that an adversary will exploit vulnerabilities in the system’s supply chain.

A full list of NIST 800-171 Revision 2 controls organized by family can be found here. This includes the soon-to-be-replaced 14 families and 110 controls. You can view the new proposed control families here.

NIST 800-171 compliance checklist

Compliance is hard and checklists make it easier but this is not a comprehensive checklist of everything you need to do in order to achieve NIST 800-171 compliance. There is an entire industry of businesses that offer services taking you through the steps to become NIST-171 compliant. Anchore partners with many of these companies, if you’re interested in getting a recommendation—reach out.

Regardless, it is important to have a high-level understanding of what goes into achieving NIST 800-171 compliance. Below are the steps that your organization will need to complete in order to achieve this certification.

Step 1: Identify CUI

Begin by identifying the extent of CUI within your organization. Conduct a thorough audit spanning from individual employee devices to the end-user. Automated tools are available to assist in this task. The goal is to gather comprehensive data about the type, usage, and accessibility of your CUI.

Step 2: Classify CUI

Next, you should classify your CUI as per NIST 800-171, which provides 20 recognized categories, each with its unique standards.

Step 3: Perform security assessment

Regardless of the size of your DoD contracting office, a robust security system is crucial. Start by performing a security assessment to gauge your existing cybersecurity capabilities, pinpoint vulnerabilities, and plot the course for enhancement.

Step 4: Install baseline controls

Develop baseline controls to fortify your defenses against external threats, ensuring endpoint security. This forms part of your data protection strategy, designed to prevent cyber incidents.

Step 5: Perform risk assessment

Routine risk assessments are critical to measure the effectiveness of your security measures and devise strategies to safeguard your CUI against emerging threats.

Step 6: Codify security plan

NIST 800-171 compliance necessitates a documented security plan. As you carry out assessments and make changes, your plan should be updated, with each new version clearly dated and revision-numbered.

Step 7: Build a response plan

Your response plan should delineate your organization’s actions following a cyber incident. Should such an incident occur, your response plan facilitates a swift, cost-effective return to normal operations.

Step 8: Educate employees

Upon the completion of the above steps, it’s vital to inform your employees. A well-informed workforce is less likely to fall prey to cyber threats. Therefore, any changes in policies should be promptly communicated to all employees.

While many organizations think about this checklist as a one-time operation or maybe even a once every 3 years activity, organizations at the forefront of cybersecurity understand that the world is moving to a model of continuous re-validation of their security posture. The only way to scale this sort of practice is through automation both in the process and the tools that perform the individual tasks. That’s where NIST compliance solutions come in.

Anchore Enterprise is purpose-built to achieve these goals and enable organizations to re-validate their compliance with standards like NIST 800-171 down to each individual software change request. If you’re interested to see how Anchore Enterprise automates compliance through software policy enforcement be sure to read our blog where we dive into all of the gory details. It is only through scalable, automated security solutions that organizations can both meet and maintain emerging standards like continuous Authority to Operate.

NIST 800-171 DoD Assessment methodology

What is the DoD Assessment methodology? 

The DoD (Department of Defense) Assessment Methodology is the scoring rubric used to determine if an organization is protecting Controlled Unclassified Data (CUI) adequately to do business with the DoD.

The DoD Assessment Methodology was created to evaluate the compliance of its contractors with the cybersecurity requirements outlined in the Defense Federal Acquisition Regulation Supplement (DFARS). The most recent update to DFARS (252.204-7102) was issued in 2016.

Contractors are obliged to demonstrate their ability to securely manage CUI throughout the system development life cycle, guided by the security controls listed in NIST SP 800-171. However, the original DFARS did not establish a mechanism for ensuring contractor compliance with these NIST 800-171 requirements.

Previously, contractors were only required to self-certify that they had plans to implement the necessary controls. But in 2019, the DoD began implementing more stringent, objective assessments of its contractors’ security profiles. This led to the creation of the Cybersecurity Maturity Model Certification (CMMC) which allows contractors to achieve a certification to prove that they are complying with DFARS.

Performing a NIST 800-171 self-assessment 

The Defense Federal Acquisition Regulation Supplement (DFARS) mandates that organizations securely manage CUI, guided by the security controls listed in NIST SP 800-171. Originally the only way to demonstrate compliance was through a self-assessment. NIST has published two different documents to assist with this task.

The first is NIST Special Publication 800-171A which provides a methodology for meeting each individual control that is part of the parent NIST SP 800-171 document. The second is NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1 which provides a table with each control and the corresponding score associated with each. After you know which controls have been satisfied and which have not, the scores can help when building a Plan of Action & Milestones (POA&M) and prioritizing which controls to address in which order.

NIST 800-171 vs. 800-53

The primary difference between NIST SP 800-171 and 800-53 is the number of control families, the number of controls and the target audience of the standards.

The security requirements in NIST 800-171 are derived from the moderate control baseline of NIST 800-53 which makes NIST 800-171 a subset of NIST 800-53 with some modifications applied to the individual controls that effectively make them easier to achieve. The reason for this is because these organizations only handle Controlled Unclassified Information (CUI) which is not classified but still considered sensitive or private. You can think of CUI as Personally Identifiable Information (PII) with some additional information tacked on like proprietary business information, law enforcement information or information that could affect national security.

The control families that have been removed from NIST 800-171 are:

• Contingency Planning (CP)
• Program Management (PM)
• Privacy Control (PR)

If you’re interested in reading more, you can read a full breakdown of NIST SP 800-53 and the requirements to achieve compliance here.

Manage & automate NIST compliance

NIST SP 800-171 is comprehensive and extraordinarily intimidating. As agencies are determining whether to accomplish meeting these compliance standards, they have to decide whether to DIY the entire process or work with 3rd party vendors that are experts in the process.

Anchore, in partnership with its many federal service integrator (FSI) partners, has shepherded countless agencies through this process. Anchore provides a number of different features that not only make meeting controls simple but automate the continuous process of maintaining compliance in real time.

The Anchore Enterprise platform was specifically designed to address the software supply chain security of federal agencies. The platform is an automated system that manages a comprehensive inventory of the entire software supply chain, automatically scans all software packages for vulnerabilities and compliance, and utilizes pre-built policy packs to report and ensure compliance standards are met.
If you’re interested in learning more about how Anchore can help your organization meet its compliance requirements, learn more by visiting our public sector page.