NIST Special Publication (SP) 800-171
Let’s jump in and learn:
What Is NIST Special Publication 800-171?
NIST SP 800-171 is for Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations. All nonfederal computer systems, including those used by third parties, partners, and contractors, must adhere to NIST SP 800-171 to safeguard CUI that is processed, transmitted, or stored through their system(s). NIST SP 800-171 was created to provide a framework for protecting CUI shortly after the Federal Information Security Management Act (FISMA) was enacted.
What Is Controlled Unclassified Information (CUI)?
CUI is sensitive information that belongs to the federal government. Government agencies or contractors can create CUI, which requires safeguarding or dissemination controls. Examples of CUI include:
The NIST SP 800-171 framework establishes a minimum standard of cybersecurity controls that contractors and partners need to implement. According to the National Institute of Standards and Technology (NIST), the purpose of NIST SP 800-171 is to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI:
1. When the CUI is resident in a nonfederal system and organization
2. When the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency
3. Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry
Among the many federal agencies and organizations that require NIST SP 800-171 compliance are:
- Consulting companies with federal contracts
- Contractors for the Department of Defense (DoD)
- Contractors for the General Services Administration (GSA)
- Contractors for the National Aeronautics and Space Administration (NASA)
- Manufacturing companies supplying goods to federal agencies
- Service providers for federal agencies
- Universities and research institutions supported by federal grants
What Is the Difference Between NIST 800-53 and NIST 800-171?
| | NIST SP 800-53 | NIST SP 800-171 |
| --- | --- | --- |
| Audience | Federal agencies; sub-contractors, including vendors, suppliers, and contractors that access federal IT or operate IT systems on behalf of an agency; state and local governments with access to federal information that manage federal programs like student loans, unemployment insurance, or Medicare/Medicaid | Nonfederal entities that store or process CUI in their network(s); a wide range of government contractors and subcontractors across the public sector supply chain. For example, compliance with NIST SP 800-171 is a contractual requirement for companies that work with NASA, the Department of Defense (DoD), or the General Services Administration (GSA) |
| Levels | Three control baselines for low-, moderate-, and high-impact systems | Moderate baseline as standard |
| Purpose | Sets forth guidelines and security controls to protect information systems and sensitive information | Sets forth guidelines and security controls to protect CUI |
| Controls | 20 control families, more than 1,000 controls and control enhancements (listed below) | 14 control families, 110 security requirements (listed below) |
NIST SP 800-53 control families:
1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Assessment, Authorization, and Monitoring
5. Configuration Management
6. Contingency Planning
7. Identification and Authentication
8. Incident Response (IR)
9. Maintenance
10. Media Protection
11. Physical and Environmental Protection
12. Planning
13. Program Management
14. Personnel Security
15. Personally Identifiable Information (PII) Processing and Transparency
16. Risk Assessment
17. System and Services Acquisition
18. System and Communications Protection
19. System and Information Integrity
20. Supply Chain Risk Management
NIST SP 800-171 control families:
1. Access Controls
2. Awareness and Training
3. Audit and Accountability
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Physical Protection
10. Personnel Security
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection
14. System and Information Integrity
What Is the Difference Between NIST SP 800-171 and 800-172?
NIST SP 800-172 includes all of the control requirements of NIST SP 800-171, plus enhanced controls designed to address sophisticated advanced persistent threats (APTs). While NIST SP 800-171 is a requirement for every contract that involves handling of CUI, NIST SP 800-172 security requirements apply only when mandated by a federal agency in a contract, grant, or other agreement. Organizations required to comply with both NIST SP 800-171 and NIST SP 800-172 include those that process CUI or provide services for critical government programs, such as:
- Federal service providers of financial, cloud, or communications systems
- Research institutions processing or storing high-risk CUI as part of their research projects
- Service providers processing CUI for critical industries like energy, manufacturing, healthcare, or defense
NIST SP 800-171 and SP 800-172 are made up of the same 14 control families and share the same 110 control requirements. However, NIST SP 800-172 adds 35 enhanced security requirements for protecting the confidentiality, integrity, and availability of CUI in nonfederal systems. Among the requirements included in NIST SP 800-172 are multi-factor authentication (MFA), basic security training expanded to cover social engineering, advanced persistent threat actors, data breaches, and suspicious behaviors, and the need to perform actual threat hunting activities in the environment. These enhanced security requirements were selected to provide the foundation for a multi-dimensional, defense-in-depth protection strategy built on three mutually supportive and reinforcing components:
- Penetration-resistant architecture
  - Use technology and procedures to limit the opportunities for an adversary to compromise the system(s)
- Damage-limiting operations
  - Detect compromises and limit the effects of both detected and undetected system compromises
- Cyber resiliency and survivability design
  - Anticipate, withstand, and recover from an attack
With regard to the Cybersecurity Maturity Model Certification (CMMC 2.0), NIST SP 800-171 is correlated to CMMC Level 1 and Level 2 for the minimum level of certification to handle CUI. CMMC Level 3 requires everything from NIST SP 800-171, as well as the enhanced security requirements of NIST SP 800-172.
How Many Controls Does NIST SP 800-171 Have?
NIST SP 800-171 has 14 control families with 110 security requirements:
1. Access Controls
2. Awareness and Training
3. Audit and Accountability
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Physical Protection
10. Personnel Security
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection
14. System and Information Integrity
How Does CMMC Relate to NIST?
The U.S. Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) to assess and enhance the cybersecurity posture of contractors who provide goods and services to the DoD. The CMMC is a collection of cybersecurity requirements associated with three certification levels. Depending on the types of information a contractor handles, the DoD obligates them to prove their cyber maturity at the appropriate level. NIST SP 800-171 was developed in coordination with private and public contractors and other cybersecurity stakeholders to establish cybersecurity standards across industries and ensure consistency in protecting CUI. CMMC draws on NIST publications for much of the criteria for its maturity levels: the controls for CMMC Level 2 include the 110 requirements from NIST SP 800-171, and CMMC Level 3 consists of the requirements from NIST SP 800-172. CMMC also contains components of NIST SP 800-53.
NIST SP 800-171 Protects CUI to Bolster National Security
National adversaries target CUI because it has fewer controls than classified information. When aggregated, CUI poses significant risks to national security. NIST SP 800-171 standardizes cybersecurity across all CUI to ensure it is adequately protected from threats such as ransomware attacks and hacking.
Last Updated: 13th September, 2023