Updated on November 24, 2023
NIST 800-171 FAQ
All organizations using CUI, meaning government agencies, government contractors, and government subcontractors, must comply with NIST 800-171.
CUI is divided into 20 organizational index groupings, each of which is further broken into numerous subcategories. Reviewing the list gives you greater insight into whether your organization handles CUI.
The list below was curated from the government's CUI Registry site:
- Critical Infrastructure
- Defense
- Export Control
- Financial
- Immigration
- Intelligence
- International Agreements
- Law Enforcement
- Legal
- Natural and Cultural Resources
- North Atlantic Treaty Organization (NATO)
- Nuclear
- Patent
- Privacy
- Procurement and Acquisition
- Proprietary Business Information
- Provisional
- Statistical
- Tax
- Transportation
The NIST 800-171 documentation defines the following control families, along with the corresponding compliance requirements:
- Access control: Control who has access to CUI and whether they are authorized.
- Awareness and training: Ensure your staff is adequately trained on CUI handling.
- Audit and accountability: Know who is accessing CUI and who is responsible for what.
- Configuration management: Follow guidelines to maintain secure configurations.
- Identification and authentication: Manage and audit all instances of CUI access.
- Incident response: Maintain a data breach preparedness and response plan that protects CUI.
- Maintenance: Ensure ongoing security and change management to safeguard CUI.
- Media protection: Securely handle backups, external drives, and backup equipment.
- Physical protection: Allow only authorized personnel into physical spaces where CUI lives.
- Personnel security: Train your staff to identify and prevent insider threats.
- Risk assessment: Conduct pen testing and formulate a CUI risk profile.
- Security assessment: Verify that your security procedures are in place and working.
- System and communications protection: Secure your communications channels and systems.
- System and information integrity: Address new vulnerabilities and system downtime.
There are several steps to take when implementing NIST 800-171:
- CUI inventory: The first step toward implementing NIST 800-171 requirements is identifying which systems and solutions in your network store or transfer CUI. Once you have identified these systems, focus specific attention on their security. Ask which systems can hold CUI.
- CUI classification: Locate the systems and solutions in which CUI is stored and split the data into two categories: data that falls under the umbrella of controlled unclassified information and data that does not. While it is important to keep all your data secure, start by protecting the most sensitive data first. In the event of an audit, it is most important that CUI is protected and that you are able to demonstrate that you have done so. You can always return to your data security efforts later to implement measures that protect all data, not just CUI. By categorizing your data, you limit the amount of time and effort required to secure CUI.
- Close the gaps and implement the controls: After locating and separating CUI from non-sensitive data, implement the controls needed to encrypt all files, both in transit and at rest.
- Monitor your data: Implementing NIST 800-171 requirements and training your employees is only the first step. You also need to monitor who is accessing your CUI and for what purpose. Adopt a solution that can record all user activities. To be NIST 800-171 compliant, ensure that every action is traceable back to an individual user. Train administrators to oversee the monitoring process and create monitoring procedures that work best for your business.
- Ongoing security assessment: Conduct a security assessment, looking closely at all your systems and processes to identify the potential for noncompliance risk. Make sure that this assessment is done on a regular basis, either quarterly or annually, to ensure that current processes will continue to protect CUI.