NIST 800-171 FAQ


All organizations using CUI, meaning government agencies, government contractors, and government subcontractors, must comply with NIST 800-171.

CUI is divided into 20 categories (organizational index groupings), each of which is further divided into numerous subcategories. Reviewing the category list gives you greater insight into whether your organization handles CUI.

The list below was curated from the government's CUI registry site:

  1. Critical Infrastructure
  2. Defense
  3. Export Control
  4. Financial
  5. Immigration
  6. Intelligence
  7. International Agreements
  8. Law Enforcement
  9. Legal
  10. Natural and Cultural Resources
  11. North Atlantic Treaty Organization (NATO)
  12. Nuclear
  13. Patent
  14. Privacy
  15. Procurement and Acquisition
  16. Proprietary Business Information
  17. Provisional
  18. Statistical
  19. Tax
  20. Transportation

The NIST 800-171 documentation supplies a list of the following controls, along with the corresponding compliance requirements:

  1. Access controls: Who has access to data and whether or not they're authorized.
  2. Awareness and training: Your staff is adequately trained on CUI handling.
  3. Audit and accountability: Know who's accessing CUI and who's responsible for what.
  4. Configuration management: Follow guidelines to maintain secure configurations.
  5. Identification and authentication: Manage and audit all instances of CUI access.
  6. Incident response: Data breach preparedness and a response plan protecting CUI.
  7. Maintenance: Ensure ongoing security and change management to safeguard CUI.
  8. Media protection: Secure handling of backups, external drives, and backup equipment.
  9. Physical protection: Authorized personnel only in physical spaces where CUI lives.
  10. Personnel security: Train your staff to identify and prevent insider threats.
  11. Risk assessment: Conduct pen testing and formulate a CUI risk profile.
  12. Security assessment: Verify that your security procedures are in place and working.
  13. System and communications protection: Secure your communications channels and systems.
  14. System and information integrity: Address new vulnerabilities and system downtime.

There are some steps to take when implementing NIST 800-171:

  1. CUI inventory
    The first step toward implementing NIST 800-171 requirements is identifying which systems and solutions in your network store or transfer CUI. Once you have identified these systems, focus specific attention on their security, and ask which other systems are capable of holding CUI.
  2. CUI classification
    Locate the systems and solutions in which CUI is stored and split the data into two categories – data that falls under the umbrella of controlled unclassified information and data that does not. While it’s important to keep all your data secure, start by protecting the most sensitive data first. In the event of an audit, it’s most important that CUI is protected and that you’re able to demonstrate that you have done so. You can always return to your data security efforts later to implement measures that protect all data, not just CUI alone. By categorizing your data, you limit the amount of time and effort required to secure CUI.
  3. Close the gaps and implement controls
    After locating and separating CUI from non-sensitive data, implement the controls needed to encrypt all CUI files, both in transit and at rest.
  4. Monitor your data
    Implementing NIST 800-171 requirements and training your employees is only the first step. You also need to monitor who is accessing your CUI and for what purpose. You need to adopt a solution that has the ability to record all user activities. To be NIST 800-171 compliant, ensure that every action is traceable back to an individual user. Train administrators to oversee the monitoring process and create procedures around monitoring that work best for your business.
  5. Ongoing security assessment
    Conduct a security assessment, looking closely at all your systems and processes to identify the potential for noncompliance risk. Make sure that this assessment is done on a regular basis, either quarterly or annually, to ensure that current processes will continue to protect CUI.
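The five steps above can be turned into a repeatable check. The following is an added example, not code from the original page: it takes a constructed system inventory and a constructed access log (the field names, the system names and the shared-account naming convention are all assumptions) and reports the CUI systems, any that lack encryption at rest or in transit, and any CUI access that cannot be traced to an individual user.

```python
import json

# Constructed sample inventory (hypothetical): each system records whether it
# stores or transfers CUI and which encryption protections are in place.
INVENTORY = [
    {"name": "file-share-01", "holds_cui": True, "at_rest": True, "in_transit": True},
    {"name": "legacy-ftp", "holds_cui": True, "at_rest": False, "in_transit": False},
    {"name": "marketing-wiki", "holds_cui": False, "at_rest": False, "in_transit": True},
]

# Constructed sample access log. Accounts that are not an individual person
# (shared or service accounts, by an assumed naming convention) break the
# requirement that every action be traceable to one user.
ACCESS_LOG = [
    {"system": "file-share-01", "user": "jdoe", "action": "read"},
    {"system": "file-share-01", "user": "shared-admin", "action": "write"},
    {"system": "legacy-ftp", "user": "svc-backup", "action": "read"},
    {"system": "marketing-wiki", "user": "shared-admin", "action": "read"},
]

SHARED_ACCOUNT_PREFIXES = ("shared-", "svc-")  # assumed convention


def cui_systems(inventory):
    """Steps 1 and 2: the subset of the inventory that must be protected first."""
    return [s for s in inventory if s["holds_cui"]]


def encryption_gaps(inventory):
    """Step 3: CUI systems missing encryption at rest and/or in transit."""
    gaps = {}
    for s in cui_systems(inventory):
        missing = [k for k in ("at_rest", "in_transit") if not s[k]]
        if missing:
            gaps[s["name"]] = missing
    return gaps


def untraceable_access(inventory, log):
    """Step 4: CUI access events that cannot be tied to an individual user."""
    names = {s["name"] for s in cui_systems(inventory)}
    return [e for e in log
            if e["system"] in names and e["user"].startswith(SHARED_ACCOUNT_PREFIXES)]


def assessment_report(inventory, log):
    """Step 5: roll the checks into one record for the periodic assessment."""
    return {
        "cui_systems": sorted(s["name"] for s in cui_systems(inventory)),
        "encryption_gaps": encryption_gaps(inventory),
        "untraceable_access": untraceable_access(inventory, log),
    }


if __name__ == "__main__":
    print(json.dumps(assessment_report(INVENTORY, ACCESS_LOG), indent=2))
```

Run quarterly or annually against the real inventory and logs, the non-empty `encryption_gaps` and `untraceable_access` entries are the findings to remediate before the next assessment.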
