NIST 800-171 Compliance Checklist: Protecting Controlled Unclassified Information (CUI)
The National Institute of Standards and Technology (NIST) publishes security standards, practical guides, reports, whitepapers, and bulletins; its catalog runs to several hundred publicly available documents. Initially US-focused, NIST publications are now widely used internationally.
The NIST Cybersecurity Framework (CSF), in particular, is a milestone publication adopted across borders and industries. NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is a separate document and does not derive from the CSF: its requirements are tailored from the security controls in SP 800-53 (the moderate baseline), and NIST publishes mappings between SP 800-171 and the CSF rather than one generating the other. SP 800-171 is currently in its third revision.
Quick questions and answers
What is NIST SP 800-171 about?
SP 800-171 is about protecting controlled unclassified information (CUI) while it is being accessed, processed, transferred, stored, archived, and disposed of. CUI is the only type of information in the scope of the NIST SP 800-171 standard.
What is controlled unclassified information (CUI)?
CUI is an umbrella term for information that is not classified but that a law, regulation, or government-wide policy requires to be safeguarded or to have its dissemination controlled. The categories and their handling markings are defined in the CUI Registry maintained by the National Archives and Records Administration (NARA). Examples include personally identifiable information (PII), proprietary business information, controlled technical information (CTI, referred to in older DoD contract language as unclassified controlled technical information, UCTI), and law enforcement sensitive (LES) information.
Who should seek compliance with NIST SP 800-171?
Any nonfederal organization that receives, processes, stores, or transmits CUI on behalf of a US federal agency: contractors and subcontractors, universities and research institutions, state and local agencies, and the service providers they rely on. For Department of Defense contractors the obligation is contractual: DFARS clause 252.204-7012 requires implementation of SP 800-171, and the Cybersecurity Maturity Model Certification (CMMC) program builds its assessments on the same requirements.
What are the requirements of NIST SP 800-171?
The standard is organized into 17 "families" of requirements aimed at protecting the confidentiality of CUI in nonfederal systems and organizations, with a smaller number of requirements addressing integrity and availability. Each requirement is accompanied by a discussion section that explains its intent and implementation considerations, together with references to the SP 800-53 controls it was derived from.
NIST 800-171 Compliance checklist
Now that we have covered the key facts on NIST SP 800-171, let's make this 100-plus-page standard easier to grasp with the summary table below. The last column is there for you to tick off each requirement once you have confirmed it is implemented and can be evidenced.
| Control family* | Requirement | Checkbox |
|---|---|---|
| 3.1 Access Control | Account management | |
| | Access enforcement | |
| | Flow enforcement | |
| | Separation of duties | |
| | Least privilege | |
| | Least privilege—privileged accounts | |
| | Least privilege—privileged functions | |
| | Unsuccessful login attempts | |
| | System use notification | |
| | Device lock | |
| | Session termination | |
| | Remote access | |
| | Wireless access | |
| | Access control for mobile devices | |
| | Use of external systems | |
| | External systems—limits and restrictions on authorized use | |
| | Publicly accessible content | |
| | Account management—inactivity logout | |
| 3.2 Awareness and Training | Literacy training and awareness | |
| | Role-based training | |
| | Advanced literacy training | |
| 3.3 Audit and Accountability | Event logging | |
| | Audit record content | |
| | Audit record generation | |
| | Response to audit logging process failures | |
| | Audit record review, analysis, and reporting | |
| | Audit record reduction and report generation | |
| | Time stamps | |
| | Protection of audit information | |
| | Audit information access | |
| 3.4 Configuration Management | Baseline configuration | |
| | Configuration settings | |
| | Configuration change control | |
| | Impact analyses | |
| | Access restrictions for change | |
| | Least functionality | |
| | Authorized software—allowed by exception | |
| | User-installed software | |
| | System component inventory | |
| | Information location | |
| | System and component configuration for high-risk areas | |
| 3.5 Identification and Authentication | User identification, authentication, and reauthentication | |
| | Device identification and authentication | |
| | Multi-factor authentication | |
| | Replay-resistant authentication | |
| | Identifier management | |
| | Password management | |
| | Authentication feedback | |
| | Authenticator management | |
| 3.6 Incident Response | Incident response plan and handling | |
| | Incident monitoring, reporting, and response assistance | |
| | Incident response testing | |
| | Incident response training | |
| 3.7 Maintenance | Maintenance tools | |
| | Nonlocal maintenance | |
| | Maintenance personnel | |
| 3.8 Media Protection | Media storage | |
| | Media access | |
| | Media sanitization | |
| | Media marking | |
| | Media transport | |
| | Media use | |
| | System backup—cryptographic protection | |
| 3.9 Personnel Security | Personnel screening | |
| | Personnel termination and transfer | |
| | External personnel security | |
| 3.10 Physical Protection | Physical access authorizations | |
| | Monitoring physical access | |
| | Alternate work site | |
| | Physical access control | |
| | Access control for transmission and output devices | |
| 3.11 Risk Assessment | Risk assessment | |
| | Vulnerability monitoring and scanning | |
| | Risk response | |
| 3.12 Security Assessment and Monitoring | Control assessments | |
| | Plan of action and milestones | |
| | Continuous monitoring | |
| | Independent assessment | |
| | Information exchange | |
| | Internal system connections | |
| 3.13 System and Communication Protection | Boundary protection | |
| | Separation of system and user functionality | |
| | Information in shared system resources | |
| | Network communications—deny by default, allow by exception | |
| | Split tunneling | |
| | Transmission and storage confidentiality | |
| | Network disconnect | |
| | Cryptographic key establishment and management | |
| | Cryptographic protection | |
| | Collaborative computing devices and applications | |
| | Mobile code | |
| | Session authenticity | |
| | Internal network communications traffic | |
| | System access points | |
| 3.14 System and Information Integrity | Flaw remediation | |
| | Malicious code protection | |
| | Security alerts, advisories, and directives | |
| | System monitoring | |
| | Spam protection | |
| 3.15 Planning | Policy and procedures | |
| | System security plan | |
| | Rules of behavior | |
| 3.16 System and Services Acquisition | Security engineering principles | |
| | Unsupported system components | |
| | External system services | |
| 3.17 Supply Chain Risk Management | Supply chain risk management plan | |
| | Acquisition strategies, tools, and methods | |
| | Supply chain controls and processes | |
| | Component disposal | |
* Please note that, at the time of writing, NIST 800-171 Revision 3 was a public draft and the 17 control families above were its proposed structure. This expands on Revision 2, which remains in force and lays out 14 control families and 110 requirements. NIST has since finalized Revision 3 (May 2024) with the same 17 families, but several of the requirements listed above were consolidated, renamed, or withdrawn in the final text, so confirm individual requirement titles and numbering against the published version before building your assessment around them.
Explanations
While a summary of what each control entails is given below, the full control descriptions can be read directly in the NIST SP800-171, available for free on the NIST official website.
3.1 Access Control
The largest control family, access control lies at the core of any effort to protect information, in this case CUI. NIST 800-171 requirements for access control include:
- Principles, e.g., “separation of duties” and “least privilege”
- Processes, e.g., account provisioning, maintenance, and disabling; granting associated access rights; and remote access rules
- System policies, e.g., controlling the flow of CUI between systems, limiting login attempts, session timeouts, and enforcing device locks
Additionally, one key requirement in this family is that CUI must not end up on publicly accessible systems: only trained, authorized individuals may post content, and anything intended for public release must be reviewed and any CUI removed before it is published.
3.2 Awareness and Training
As in any security program, awareness and training activities are required to educate employees on the information security risks they can encounter while doing their jobs and on what is expected of them in response. The program should include awareness for new team members, role-based training for people with security responsibilities, continuing education for all staff, and training on how to recognize and report potential indicators of insider threat. CUI handling must be an explicit part of the program, and completion should be recorded, because assessors will ask for that evidence.
3.3 Audit and Accountability
Systems in scope, and especially the software that processes CUI, must generate audit records for security-relevant events and retain them long enough to support monitoring, analysis, investigation, and reporting. Every record must be attributable to a single accountable entity, whether an individual user or a system process, and must carry a timestamp taken from a clock synchronized with an authoritative time source so that events can be correlated across systems. The audit logs themselves must be protected from unauthorized access, modification, and deletion, and the organization must define what happens when logging fails. Reviewing records, reducing them to reportable form, and alerting on sensitive actions are all part of this family.
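As an added example (not code from the article or from NIST), the following Python script checks constructed JSON audit records against the content this family expects: event type, time, location, source, outcome, and the identity of the acting subject (the list in SP 800-171 Rev 3 requirement 3.3.2, inherited from SP 800-53 control AU-3), plus attribution to exactly one subject and a timezone-aware timestamp. The field names (event_type, timestamp, host, source, outcome, subject) and the sample records are assumptions made for the example; map them to your own log schema.

```python
"""Audit-record completeness check for the NIST SP 800-171 3.3 family.

Added example, not code from the original article or from NIST. It checks
constructed JSON audit records for the content SP 800-171 Rev 3 3.3.2 calls
for (event type, when, where, source, outcome, identity of the subject) and
flags records that cannot be traced to a single user or process or that lack
a usable, timezone-aware timestamp. Field names are assumptions for the
example; map them to your own log schema.
"""
import json
from datetime import datetime, timezone

# Fields every audit record must carry (SP 800-171 Rev 3 3.3.2 / SP 800-53 AU-3).
# The key names are assumptions for this example.
REQUIRED_FIELDS = ("event_type", "timestamp", "host", "source", "outcome", "subject")

# Placeholder identities that defeat accountability (assumed list; extend for your environment).
UNATTRIBUTABLE_SUBJECTS = ("unknown", "shared", "-")


def parse_timestamp(value):
    """Return an aware UTC datetime, or None if the value is missing, malformed, or naive."""
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if ts.tzinfo is None:  # no zone: cannot be correlated with other systems' clocks
        return None
    return ts.astimezone(timezone.utc)


def check_record(record):
    """Return a list of findings for one parsed record; an empty list means it passes."""
    findings = []
    for field in REQUIRED_FIELDS:
        if field not in record or record[field] in ("", None):
            findings.append(f"missing {field}")
    # Accountability (3.3.2): the record must name exactly one acting subject.
    subject = record.get("subject")
    if isinstance(subject, str) and subject.lower() in UNATTRIBUTABLE_SUBJECTS:
        findings.append("subject is not attributable to an individual user or process")
    if isinstance(subject, list):
        findings.append("subject lists multiple identities; actions must trace to one")
    # Time stamps (3.3.7): present and timezone-aware, so events can be correlated.
    if "timestamp" in record and parse_timestamp(record["timestamp"]) is None:
        findings.append("timestamp is not an ISO 8601 timestamp with a time zone")
    return findings


def audit_log_findings(lines):
    """Parse newline-delimited JSON records; return {line_no: [findings]} for failing lines only."""
    results = {}
    for line_no, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            results[line_no] = ["record is not valid JSON"]
            continue
        if not isinstance(record, dict):
            results[line_no] = ["record is not a JSON object"]
            continue
        findings = check_record(record)
        if findings:
            results[line_no] = findings
    return results


# Constructed sample records (not real logs): line 1 passes, each other line fails one check.
SAMPLE_LOG = """\
{"event_type": "file_read", "timestamp": "2024-03-01T12:00:00Z", "host": "cui-app01", "source": "10.0.5.21", "outcome": "success", "subject": "jdoe"}
{"event_type": "file_read", "timestamp": "2024-03-01T12:00:05Z", "host": "cui-app01", "source": "10.0.5.21", "outcome": "success", "subject": "shared"}
{"event_type": "login", "timestamp": "2024-03-01 12:00:09", "host": "cui-app01", "source": "10.0.5.40", "outcome": "failure", "subject": "svc-backup"}
{"event_type": "config_change", "host": "cui-app01", "source": "10.0.5.40", "subject": "admin"}
not json at all
"""

if __name__ == "__main__":
    for line_no, findings in audit_log_findings(SAMPLE_LOG.splitlines()).items():
        print(f"line {line_no}: " + "; ".join(findings))
```

Run as a script it prints one line per failing record. In practice you would point audit_log_findings at a sample of records exported from each system that handles CUI and keep the output as assessment evidence: an assessor will ask not only whether logging is switched on, but whether the records are complete enough to reconstruct who did what, when, from where, and with what result.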
3.4 Configuration Management
All systems and their components need a documented baseline configuration that reflects the company's architecture and is kept under change control. Configuration settings should be set to the most restrictive mode consistent with operational requirements (least functionality: unneeded ports, protocols, services, and software disabled or removed, and only authorized software permitted), every change should go through change control with a security impact analysis, and baselines should be updated as the environment and the external threat landscape evolve. An accurate inventory of system components, including where CUI is stored, is the foundation for all of this.
3.5 Identification and Authentication
Arguably a subset of access control (family 3.1), identification and authentication covers the procedures and system-enforced controls that establish who or what is requesting access to the company's environment and its systems. They apply to users accessing devices, systems, and networks and equally to requests between systems themselves. Measures here include multi-factor authentication (MFA), required for privileged accounts and for network access to the systems that process CUI; replay-resistant mechanisms such as challenge/response or time-based one-time-code authenticators; password rules, including checking new passwords against lists of commonly used or compromised passwords; obscuring authentication feedback (for example, masking typed passwords); and managing the lifecycle of identifiers and authenticators, whether passwords, hardware tokens, certificates, or biometrics.
3.6 Incident Response
The company must have a documented incident response plan covering cybersecurity incidents, and it must be tested periodically through walkthroughs, tabletop exercises, and simulated incidents. Incident response capabilities must be defined, whether internal, outsourced, or a combination of both, and they must cover preparation, detection and analysis, containment, eradication, and recovery. Incidents must be tracked, documented, and reported to the designated internal and external authorities; for DoD contractors, DFARS 252.204-7012 sets a 72-hour window for reporting cyber incidents that affect covered defense information.
3.7 Maintenance
Hardware and software maintenance must be performed both routinely and upon a system malfunction, and it must be controlled: maintenance tools, and any diagnostic media brought in with them, must be approved and checked for malicious code, and maintenance personnel must be authorized and supervised. Nonlocal (remote) maintenance sessions over external network connections must use multi-factor authentication and be terminated when the work is complete. One requirement that is easy to overlook is that equipment leaving the premises for off-site maintenance must first be sanitized of any CUI.
3.8 Media Protection
Media containing CUI, whether digital (disks, USB drives, backup tapes) or paper, must be physically controlled, securely stored, and protected during transport, for example by encrypting portable media. It must be marked with the appropriate CUI markings and any distribution or handling limitations, and the use of removable media, including portable storage devices with no identifiable owner, must be restricted. When media is no longer required it must be sanitized or destroyed using approved methods so that no CUI remains recoverable, and backups of CUI must be protected cryptographically.
3.9 Personnel Security
Processes must be in place to screen personnel before granting them access to systems that hold CUI. Upon termination or transfer, access must be revoked or adjusted promptly and all security-related property (access tokens, badges, keys) retrieved by the organization. External personnel, such as outsourced developers or managed service providers, must be held to the same security requirements, which should be written into the agreements with them.
3.10 Physical Protection
Physical access to facilities, equipment, and supporting infrastructure (including transmission lines and output devices such as printers) must be limited to authorized individuals. Access should be controlled with individual, auditable credentials such as badges, and physical access logs maintained and reviewed. CCTV, intrusion detection, and/or guards may be deployed to manage physical security, and visitors to non-public areas must be authorized, escorted, and monitored. Alternate work sites, such as employees' homes, need their own safeguards for CUI.
3.11 Risk Assessment
Following the classical steps of a risk assessment—identifying threats and vulnerabilities, determining risks, and responding to risks—NIST 800-171 requires companies to focus on unauthorized access and disclosure related to CUI processing, transmission, and storage. The risk response should reduce risks to an acceptable level determined by the company’s risk framework.
Information gathered by Device42’s discovery, asset management, and dependency mapping capabilities can be used to assist in conducting complete risk assessments.
3.12 Security Assessment and Monitoring
This control family covers examining the control environment through a variety of means. Control assessments (self-assessments or tests) verify that safeguards are implemented and operating effectively, and independent assessments add third-party verification. Gaps found in any assessment, or through day-to-day activity, must be recorded in a plan of action and milestones (POA&M) with owners and deadlines, and controls must be monitored on an ongoing basis rather than only at assessment time. Connections to other systems, and exchanges of CUI with external parties, must be documented and authorized.
3.13 System and Communication Protection
A combination of preventive, detective, and corrective system and network controls must protect CUI from unauthorized access, disclosure, alteration, or loss. NIST 800-171 requires, among other things, boundary protection with network communications denied by default and allowed by exception; separation of system management functionality from user functionality; encryption of CUI in transit and at rest, using FIPS-validated cryptography wherever cryptography is used to protect the confidentiality of CUI; management of cryptographic keys; prevention of split tunneling on remote connections; control of mobile code and collaborative computing devices; and session authenticity and inactivity controls. Controls must be applied across the whole environment, whether on-premises, in the cloud, or a mix of the two.
3.14 System and Information Integrity
System flaws identified through regular assessments (such as vulnerability scans), as a result of incidents, or from third-party security advisories must be remediated within defined time frames through patching, hotfixes, and updates to malicious code protection signatures. Malicious code protection must be deployed at system entry and exit points and on endpoints, kept current, and configured to scan in real time as well as on a schedule; spam filtering is required at mail entry points. Finally, systems must be monitored, inbound and outbound, for attacks and indicators of compromise using a combination of security tools and capabilities.
3.15 Planning
Though it may seem surprising to find "planning" this late in the list, this family requires defining security requirements through policies and procedures, rules of behavior that users are trained on and acknowledge, and, above all, a system security plan (SSP). The SSP describes the system boundary, the operating environment, how each requirement is implemented or why it is not applicable, and the system's connections to other systems; it is the central artifact an assessor works from. Requirements must address the handling of CUI, either through dedicated policies and procedures or as specific sections of existing ones.
3.16 System and Services Acquisition
Often you will decide that acquiring a system makes more sense than developing it internally. Acquired software and services must be built on security engineering principles and come with assurance that security is part of their design, so that they do not introduce vulnerabilities into your environment. Components that are no longer supported by their vendor must be replaced, or isolated and compensated for, and external service providers that handle CUI must meet the same requirements and be monitored for compliance.
3.17 Supply Chain Risk Management
One of today’s most prevalent attack vectors is the supply chain. Weaknesses in a vendor’s application can expose your data if security safeguards don’t meet your internal IT standards. Make sure you formulate security requirements for your third parties early in the engagement process, set service expectations, include exit strategies, and monitor compliance through assurance reports and regular reviews.
How to achieve NIST 800-171 compliance
Now you understand what NIST SP800-171 is focused on and have the checklist of requirements that need to be met. What’s next?
The ideal sequence of implementation steps is not implied by the order of items in the checklist. For example, it would be counterintuitive to start implementing system measures for access control (part of the first family, 3.1) before defining policies and procedures (covered in 3.15).
It is recommended to start building your security framework by looking at the current context of your company. Here are 10 steps you can take to prepare for NIST 800-171 compliance:
- Start with management engagement and commitment to information security.
- Identify how, where, and when you process CUI, so you can define your scope and boundaries. Device42 provides comprehensive IT asset management, enabling you to have an inventory that is always audit-ready.
- Build relevant policies—such as a corporate information security policy, asset management policy, secure development policy, etc.—that include requirements for processing CUI.
- Run a self-assessment of your security posture against the requirements, using the assessment procedures in NIST SP 800-171A, to identify threats, vulnerabilities, and the impact of potential risks.
- Treat risks and close gaps by implementing all 800-171 requirements applicable to your environment.
- Define lower-level documents: operational procedures, baselines, and guidelines.
- Train people on the acceptable use of information assets, especially those that process CUI.
- Test processes periodically to assess whether controls continue to be adequate.
- Identify control failures and plan for remediation.
- Continue to monitor and improve your security measures.
Key points and summary
NIST 800-171 is not among the best-known standards because its scope is narrow: protecting controlled unclassified information (CUI). However, if your company has any contractual arrangement with a federal agency under which it handles CUI, you will likely have to implement the requirements it details.
Revision 3 increases the number of control families from 14 to 17; in the draft summarized here, those families hold 109 requirements, listed in the NIST 800-171 compliance checklist above (Revision 2 has 110, and the count changed again when Revision 3 was finalized). These controls range from system security safeguards to process controls and measures for improving personnel security behavior.
End-to-end compliance with NIST 800-171, or any standard for that matter, requires a strategic approach that starts with top-down engagement and continues with self-assessments, policy and process improvement, control implementation, employee awareness, and, finally, continuous improvement of the security posture.
NIST 800-171 compliance starts with identifying where CUI is being processed across your environment. Device42 makes information asset discovery, inventory, and dependency mapping easy. Real-time dashboards of your systems, tools, versions, status, and other critical information help you avoid blind spots in your efforts to secure sensitive data.