NIST 800-171 Compliance: How to Comply with the Latest Revision [+ Checklist]

  • July 02, 2024
Author

Anna Fitzgerald

Senior Content Marketing Manager at Secureframe

Reviewer

Rob Gutierrez

Senior Compliance Manager at Secureframe

The Center for Internet Security found that all types of attacks against government agencies increased in frequency last year. In the United States, this has been a cause for concern for decades, as the frequency, complexity, and economic implications of these attacks have continually increased.

In response, the US government has committed to releasing and updating information security standards and frameworks for reducing risk and improving data security. NIST 800-171 is one such framework designed specifically to protect sensitive government data that is critical to US national and economic security, including intellectual property. 

In this guide, we’ll cover the fundamentals of NIST 800-171 compliance, including its latest requirements and controls, how to comply, and how it relates to other federal frameworks.

What is NIST 800-171?

NIST 800-171 is a NIST Special Publication that sets out recommended security requirements for protecting the confidentiality of controlled unclassified information (CUI) in nonfederal systems and organizations. Its primary aim is to ensure that sensitive but unclassified government information remains protected when it is handled by contractors and subcontractors rather than by the agency itself.

Examples of information that can qualify as CUI, along with legacy markings that predate the CUI program, include:

  • Personally Identifiable Information (PII)
  • Proprietary Business Information (PBI)
  • Confidential Business Information (CBI)
  • Unclassified Controlled Technical Information (UCTI)
  • Sensitive But Unclassified (SBU) Information

NIST 800-171 Rev. 3

Published in May 2024, NIST 800-171 Rev. 3 is the latest major release of the framework. The revision was designed to help businesses that contract with the federal government understand how to implement the safeguards that 800-171 draws from NIST 800-53, and to keep defenses consistent against new and evolving threats to CUI.

Here are some of the most significant changes to Revision 3:

  • Security requirements and families were updated to reflect the latest version of NIST SP 800-53, Revision 5, and the NIST SP 800-53B moderate control baseline in particular. Three security requirement families, nine new requirements in total, were added: Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR), all of which already exist in NIST 800-53. 
  • Also to better reflect NIST SP 800-53 Rev. 5, controls previously tailored out as Non-Federal Organization (NFO) controls were either incorporated into the main body of 800-171 requirements as directly related to protecting CUI, or scoped out as Not Directly Related to Protecting the Confidentiality of CUI (NCO). 
  • Despite these additions, the total number of requirements dropped from 110 in Rev. 2 to 97 in Rev. 3, because many Rev. 2 requirements were withdrawn or subsumed into other requirements.
  • Determination statements in the companion assessment guide, NIST SP 800-171A, increased from 320 to 422, so the assessment workload grew even though the requirement count shrank.
  • Significant changes were made to almost 50 security requirements to remove ambiguity, improve the effectiveness of implementation, and clarify the scope of assessments.
  • Organization-defined parameters (ODPs) were introduced in selected security requirements. These work like the parameters in NIST 800-53 and FedRAMP: the value (for example, how often a review occurs or how long a session may stay idle) is assigned by the federal agency imposing the requirement or by the organization, which adds flexibility but also means an assessor will check that each ODP has actually been assigned.
  • Other Related Controls (ORC) was introduced as a new tailoring category to address redundancy among requirements.
  • The distinction between basic and derived requirements used in Rev. 2 was removed.

The information below reflects this latest version of NIST 800-171. 

Who does NIST 800-171 apply to?

NIST 800-171 applies to any nonfederal entity that processes, stores, or transmits CUI, or that provides protection for the system components that do so, on behalf of a federal agency. This includes contractors, subcontractors, vendors, service providers, and other organizations that store or share this type of sensitive information on behalf of a federal agency.

Whether NIST 800-171 compliance is required in a contract with a civilian federal agency depends on that agency's contract clauses, but it is a firm requirement for defense contractors that handle covered defense information. DFARS clause 252.204-7012 requires those contractors to implement the NIST 800-171 requirements as the definition of "adequate security" for the covered defense information in their contracts, and to flow the same obligation down to subcontractors.

Additionally, manufacturers in the supply chains of the DoD, the General Services Administration (GSA), NASA, or other federal or state agencies must implement the security requirements in NIST SP 800-171 when they receive, create, or handle CUI under those contracts.

NIST 800-171 requirements

NIST 800-171 outlines 17 families of security requirements. These are derived from the NIST 800-53 controls judged necessary to protect the confidentiality of CUI in nonfederal systems and organizations. The families are:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Security Assessment and Monitoring (CA)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Physical Protection (PE)
  • Planning (PL)
  • Personnel Security (PS)
  • Risk Assessment (RA)
  • System and Services Acquisition (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)
  • Supply Chain Risk Management (SR)

Each family consists of several specific requirements that organizations must implement to ensure the security of CUI. 

Note that all 17 families exist in NIST 800-53, but not every NIST 800-53 control family is part of NIST 800-171. Three families from SP 800-53 are not included in SP 800-171 because they are not directly related to protecting the confidentiality of CUI, are adequately addressed by other related controls, or are otherwise not applicable: PII Processing and Transparency (PT), Program Management (PM), and Contingency Planning (CP). 

How to comply with NIST 800-171

NIST 800-171 compliance is designed to protect CUI from unauthorized disclosure in nonfederal systems and organizations. It is mandatory for federal contractors, vendors, and service providers that process, store, or transmit CUI under a contract that invokes it, most notably any DoD contract carrying DFARS clause 252.204-7012.

Failure to comply can lead to contract termination, suspension or debarment from contractor status, and fines. 

To help you avoid these consequences, follow the steps below to comply with NIST 800-171.

1. Assess your current security posture against NIST 800-171 requirements.

The first step in complying with NIST 800-171 is to conduct a thorough assessment of your organization’s current security measures. 

To start, determine where CUI resides and how it flows through your systems, including the people, processes, and third-party services that touch it; this scoping decides which systems are in the assessment boundary. Then evaluate your existing security controls against the requirements in NIST 800-171 to identify any gaps. Finally, assess the risk associated with each identified gap to prioritize remediation.

2. Develop a System Security Plan (SSP) that details how each control is implemented.

A System Security Plan (SSP) is a formal document that describes the boundary of the system handling CUI, the NIST 800-171 security requirements that apply to it, and the controls that are in place or planned to meet each requirement. In other words, an SSP is the authoritative record of how your organization implements and manages NIST 800-171; it is also the first thing a DoD assessor reads.

Any requirement that has not yet been implemented is recorded as such in the SSP and tracked separately in a Plan of Action and Milestones (step 3). 

3. Create a Plan of Action and Milestones (POA&M) for addressing any deficiencies.

A POA&M is a document that describes when and how each unimplemented or deficient NIST 800-171 security requirement will be met. Each entry should include the following components:

  • Deficiency/risk description: Clearly describe the security requirement that has not been met and the risk of leaving it unmet.
  • Remediation plan: Outline the specific tasks required to close the gap.
  • Milestones: Set a target completion date for each remediation task.
  • Resource allocation: Identify the resources (e.g., personnel, budget, tools) required to carry out the remediation.

4. Implement the necessary controls and practices to meet the requirements and protect CUI.

Once you have a clear understanding of the gaps and a plan to address them, the next step is implementing controls to meet all NIST 800-171 requirements. This involves several activities, including:

  • Develop or update organizational policies to align with NIST 800-171 requirements.
  • Implement technical safeguards such as encryption (using FIPS-validated cryptography where the requirements call for it), multi-factor authentication, and least-privilege access controls.
  • Implement physical access controls to secure areas where CUI is processed or stored.
  • Conduct regular training sessions to ensure all employees understand the importance of security controls and their specific responsibilities.
  • Establish continuous monitoring practices to ensure controls are functioning effectively. This includes regular system scans, log reviews, and vulnerability assessments.

5. Conduct regular assessments and updates to maintain compliance.

Maintaining compliance with NIST 800-171 is an ongoing process. Regular assessments and continuous improvements are necessary to adapt to new risks and changes in your organizational environment.

Maintaining NIST 800-171 compliance requires the following:

  • Performing periodic assessments: Conduct periodic assessments to review the effectiveness of implemented controls and identify areas for improvement, using the assessment procedures and methodology described in NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. Assessments may be self-assessments, independent third-party assessments, or government-sponsored assessments, and may be carried out by system developers, system integrators, auditors, system owners, or the organization's own security staff.
  • Keeping the SSP and POA&M up-to-date: Regularly update your System Security Plan and Plan of Action and Milestones to reflect any changes in your systems or processes.
  • Using data to make continuous improvements: Use findings from assessments to implement lessons learned and adopt best practices to continuously improve your security posture.
  • Staying informed of NIST 800-171 changes: Keep abreast of updates to NIST 800-171 guidelines and other relevant cybersecurity standards. Adapt your controls and practices as needed to remain compliant.

By following these steps, your organization can effectively achieve and maintain compliance with NIST 800-171, ensuring the security and confidentiality of CUI in your systems and organization.

For more guidance on what steps you need to complete and track on your journey to NIST 800-171 compliance, use the checklist below.

NIST 800-171 compliance checklist

Achieving compliance with NIST 800-171 involves a structured approach that encompasses a range of activities from initial assessment to ongoing monitoring. Download this detailed checklist to guide your organization through the compliance process to help protect CUI in your organization.

NIST 800-171 vs 800-53

NIST 800-171 and NIST 800-53 are both guidelines developed by NIST, but they serve different purposes. NIST 800-53 provides a broader and more comprehensive set of controls designed for federal information systems. In contrast, NIST 800-171 is a derivative of NIST 800-53 that specifically focuses on protecting CUI in nonfederal systems. It is tailored to be less burdensome for contractors who do not require the full suite of controls in NIST 800-53.

CMMC vs NIST 800-171

The Cybersecurity Maturity Model Certification (CMMC) is a framework introduced by the DoD to verify the cybersecurity posture of contractors in the Defense Industrial Base (DIB). CMMC is based on NIST 800-171 and the DFARS 252.204-70xx series clauses (252.204-7012, -7019, -7020, and -7021). Unlike NIST 800-171 on its own, CMMC adds a verification component: depending on level, a self-assessment, an assessment by a certified CMMC Third-Party Assessment Organization (C3PAO), or a government-led assessment. CMMC is typically pursued by companies and contractors that work, or want to work, in the DIB.

The current version, CMMC 2.0, is structured into three levels, each building on the previous one. Level 2 maps to the 110 requirements of NIST 800-171 Revision 2, and Rev. 2 remains the version of reference for DIB contractors for the time being: in May 2024 the DoD issued a class deviation keeping Rev. 2 as the version required under DFARS 252.204-7012 until DoD decides otherwise. 

NIST SP 800-171 DoD assessment

The DoD has established a specific assessment methodology, the NIST SP 800-171 DoD Assessment Methodology, for evaluating how contractors with contracts containing DFARS clause 252.204-7012 have implemented NIST 800-171. An assessment is considered current if it was completed within the last three years, so in practice contractors reassess at least that often. 

The NIST SP 800-171 DoD Assessment consists of three levels of assessments, each of which result in a different confidence level. 

  1. Basic: The contractor conducts a self-assessment of NIST 800-171 compliance based on a review of its SSP. This results in a confidence level of “Low.”
  2. Medium: Trained DoD personnel conduct an assessment of a contractor’s NIST 800-171 compliance based on a review of its SSP. This results in a confidence level of “Medium.”
  3. High: At this level, a contractor conducts a basic assessment and submits results to the DoD. Additionally, trained DoD personnel conduct an assessment of the contractor’s NIST 800-171 compliance based on a thorough on-site or virtual examination of the contractor’s SSP and implementation of the NIST SP 800-171 security requirements. This results in a confidence level of “High.”

For each assessment, the contractor receives a summary-level score. Scoring starts at 110 (one point per Rev. 2 requirement) and subtracts a weighted value of 5, 3, or 1 point for each requirement that is not fully implemented, so the score reflects both how many requirements are unmet and how much each one matters. The score from a contractor's basic self-assessment, and from any medium or high assessment conducted by DoD, is posted in the Supplier Performance Risk System (SPRS), where contracting officers check that a prospective contractor or subcontractor has a current assessment and has provided "adequate security" for covered defense information before award.
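The scoring described above, as an added example written for this article (not DoD or SPRS tooling). It takes two rules from the DoD Assessment Methodology as published for Rev. 2: every contractor starts at 110 and loses a per-requirement weight of 5, 3, or 1 for each requirement not fully implemented, and only 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography) earn partial credit, costing 3 points instead of 5 when partially implemented. The requirement IDs are real Rev. 2 identifiers, but the `WEIGHTS` table is a constructed subset with illustrative point values and `SAMPLE_STATUSES` is a constructed self-assessment; take the real per-requirement weights from the methodology document. The `remediation_priority` helper goes a step beyond the text by ordering open items by points at stake, which is a reasonable first cut at POA&M prioritization.

```python
"""Scoring a NIST SP 800-171 DoD Assessment the way SPRS records it.

Added example for this article, not DoD tooling. Assumptions: scoring starts
at 110 and subtracts a weight of 5, 3 or 1 per requirement not fully
implemented; only 3.5.3 and 3.13.11 get partial credit (3 points lost instead
of 5). WEIGHTS and SAMPLE_STATUSES below are constructed for the example.
"""
from enum import Enum

MAX_SCORE = 110  # one point per Rev. 2 requirement
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"
    NOT_IMPLEMENTED = "not_implemented"


# Constructed subset: requirement ID -> point value (illustrative weights).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to the transactions users are permitted
    "3.1.12": 5,   # monitor and control remote access sessions
    "3.1.19": 3,   # encrypt CUI on mobile devices
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.5.3": 5,    # multifactor authentication (partial credit eligible)
    "3.13.11": 5,  # FIPS-validated cryptography (partial credit eligible)
}


def deduction(req_id: str, status: Status, weights: dict = WEIGHTS) -> int:
    """Points lost for one requirement under the given status."""
    if req_id not in weights:
        raise ValueError(f"unknown requirement {req_id}")
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL and req_id in PARTIAL_CREDIT_DEDUCTION:
        return PARTIAL_CREDIT_DEDUCTION[req_id]
    # Every other requirement is all-or-nothing: partial counts as not implemented.
    return weights[req_id]


def score_assessment(statuses: dict, weights: dict = WEIGHTS,
                     max_score: int = MAX_SCORE) -> int:
    """Summary-level score: max_score minus the deduction for every requirement.

    A requirement in `weights` with no recorded status is treated as not
    implemented: an unassessed requirement cannot be claimed as met in the SSP.
    """
    for req_id in statuses:
        if req_id not in weights:
            raise ValueError(f"status recorded for unknown requirement {req_id}")
    lost = sum(deduction(r, statuses.get(r, Status.NOT_IMPLEMENTED), weights)
               for r in weights)
    score = max_score - lost
    # Sanity check: the score can never leave the methodology's range.
    assert max_score - sum(weights.values()) <= score <= max_score
    return score


def remediation_priority(statuses: dict, weights: dict = WEIGHTS) -> list:
    """Open items as (req_id, points_at_stake), highest first, for the POA&M."""
    open_items = []
    for req_id in weights:
        lost = deduction(req_id, statuses.get(req_id, Status.NOT_IMPLEMENTED), weights)
        if lost:
            open_items.append((req_id, lost))
    return sorted(open_items, key=lambda item: (-item[1], item[0]))


# Constructed self-assessment. The Rev. 2 requirements outside this subset are
# assumed fully implemented, which is why the example still starts from 110.
SAMPLE_STATUSES = {
    "3.1.1": Status.IMPLEMENTED,
    "3.1.2": Status.IMPLEMENTED,
    "3.1.12": Status.PARTIAL,          # no partial credit here: all 5 points lost
    "3.1.19": Status.NOT_IMPLEMENTED,  # 3 points
    "3.1.22": Status.NOT_IMPLEMENTED,  # 1 point
    "3.5.3": Status.PARTIAL,           # MFA only on remote/privileged access: 3 points
    "3.13.11": Status.PARTIAL,         # encryption in place but not FIPS-validated: 3 points
}

if __name__ == "__main__":
    print("SPRS score:", score_assessment(SAMPLE_STATUSES))  # 95
    for req_id, lost in remediation_priority(SAMPLE_STATUSES):
        print(f"  {req_id}: {lost} point(s) at stake")
```

Two design points worth noting. A partial implementation of any requirement other than 3.5.3 and 3.13.11 loses the full weight, which is why `3.1.12` tops the remediation list even though the contractor has done some of the work; half-finished controls buy nothing in the score. And unassessed requirements default to not implemented rather than implemented, so a gap in the SSP shows up as lost points instead of silently inflating the score.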

Simplify NIST 800-171 compliance with Secureframe

Secureframe can help automate the manual work required to achieve and maintain NIST 800-171 compliance, starting with the gap analysis. Once you integrate the software and tools you use every day, you can see exactly what you need to do to comply with NIST 800-171 requirements based on your configurations and IT infrastructure. As you work through the framework and complete activities within the Secureframe platform, it updates your progress percentage toward NIST 800-171 compliance.

To help further reduce the time and costs associated with achieving and maintaining NIST 800-171 compliance, Secureframe offers:

  • Federal compliance expertise: A dedicated support team with former FISMA, FedRAMP, and CMMC auditors and consultants who can guide you through federal readiness, audits, and compliance updates
  • Integrations to federal clouds: Automatic evidence collection from existing tech stack, including government cloud variants like AWS GovCloud
  • Prebuilt and custom policies, procedures, and templates: Templated policies, procedures, and SSPs customizable to meet needs and additional templates including Separations of Duties Matrix, POA&M documents, Impact Assessments, and readiness checklists
  • In-platform training: Proprietary employee training that meets federal requirements including insider threat and role-based training, and is reviewed and updated annually by compliance experts
  • Role-based access controls: Data access controls based on roles and need-to-know basis
  • Custom controls and tests: Support for organizationally-defined implementations for NIST 800-53 and other frameworks
  • Trusted partner network: Relationships with certified Third Party Assessment Organizations (3PAOs) and CMMC 3PAOs (C3PAOs) supporting various federal audits
  • Cross-mapping across frameworks: Automated mapping of compliance efforts across multiple frameworks for efficiency so you’re never starting from scratch
  • Continuous monitoring: 24/7 monitoring that alerts you to non-conformities, plus risk register and vulnerability scanning support for continuous monitoring and POA&M maintenance

To learn more about how Secureframe can help you comply with NIST 800-171, schedule a demo.

FAQs

How many NIST 800-171 requirements are there?

There are 97 security requirements in NIST 800-171 Revision 3, divided into 17 families.

How do I become NIST 800-171 compliant?

To become NIST 800-171 compliant, conduct a thorough assessment of your current security measures, develop and implement a System Security Plan (SSP), address any deficiencies through a Plan of Action and Milestones (POA&M), and ensure ongoing monitoring and maintenance of the controls.

What is the difference between CMMC and NIST 800-171?

NIST 800-171 is a derivative of NIST 800-53 that applies to DoD contractors and any other nonfederal organizations handling CUI on behalf of federal agencies. CMMC is a DoD program built on NIST 800-171 that covers DoD contractors handling CUI or federal contract information (FCI). Based on NIST 800-171 and the DFARS 252.204-70xx series clauses, CMMC is an assessment framework and assessor certification program typically pursued by companies and contractors that work, or want to work, in the defense industrial base. 

What is the difference between NIST 800-53 and 800-171?

NIST 800-53 is a comprehensive catalog of security and privacy controls for federal information systems, while NIST 800-171 is a smaller set of requirements derived from NIST 800-53 and tailored to protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems, whether those systems support the DoD or another federal agency.
