NIST Special Publication (SP) 800-171
Let’s jump in and learn:
What Is NIST Special Publication 800-171?
NIST SP 800-171 specifies requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. All non-federal computer systems, including those used by third parties, partners, and contractors, must adhere to NIST SP 800-171 to safeguard any CUI that is processed, transmitted, or stored on those system(s). NIST SP 800-171 was created to provide a framework for protecting CUI shortly after the Federal Information Security Modernization Act (FISMA) was enacted.
What Is Controlled Unclassified Information (CUI)?
CUI is sensitive information that belongs to the federal government. Government agencies or contractors can create CUI, which requires safeguarding or dissemination controls to protect it. Examples of CUI include:
- Designs and specifications
- Electronic files
- Email attachments
- Emails
- Paper documents
- Proprietary information
The NIST SP 800-171 framework establishes a minimum standard of cybersecurity controls that contractors and partners need to implement. According to the National Institute of Standards and Technology (NIST), the purpose of NIST SP 800-171 is to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI:
1. When the CUI is resident in a non-federal system and/or organization
2. When the non-federal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency
3. Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry
Among the many federal agencies and organizations that require NIST SP 800-171 compliance are:
- Consulting companies with federal contracts
- Contractors for the U.S. Department of Defense (DoD)
- Contractors for the General Services Administration (GSA)
- Contractors for the National Aeronautics and Space Administration (NASA)
- Manufacturing companies that supply goods to federal agencies
- Service providers for federal agencies
- Universities and research institutions that are supported by federal grants
What Is the Difference Between NIST 800-53 and NIST 800-171?
| | NIST SP 800-53 | NIST SP 800-171 |
|---|---|---|
| Audience | Federal agencies; sub-contractors, including vendors, suppliers, and contractors that access federal IT or operate IT systems on behalf of an agency; state and local governments with access to federal information that manage federal programs like student loans, unemployment insurance, or Medicare/Medicaid | Non-federal entities that store or process CUI in their network(s); a wide range of government contractors and subcontractors across the public sector supply chain. For example, compliance with NIST SP 800-171 is a contractual requirement for companies that work with NASA, the Department of Defense (DoD), or the General Services Administration (GSA) |
| Levels | Three control baselines for low-, moderate-, and high-impact systems | Moderate baseline as standard |
| Purpose | Sets forth guidelines and security controls to protect information systems and sensitive information | Sets forth guidelines and security controls to protect CUI |
| Controls | 20 control families, more than 1,000 controls and control enhancements: 1. Access Control; 2. Awareness and Training; 3. Audit and Accountability; 4. Assessment, Authorization, and Monitoring; 5. Configuration Management; 6. Contingency Planning; 7. Identification and Authentication; 8. Incident Response (IR); 9. Maintenance; 10. Media Protection; 11. Physical and Environmental Protection; 12. Planning; 13. Program Management; 14. Personnel Security; 15. Personally Identifiable Information (PII) Processing and Transparency; 16. Risk Assessment; 17. System and Services Acquisition; 18. System and Communications Protection; 19. System and Information Integrity; 20. Supply Chain Risk Management | 14 control families, 110 security requirements: 1. Access Control; 2. Awareness and Training; 3. Audit and Accountability; 4. Configuration Management; 5. Identification and Authentication; 6. Incident Response; 7. Maintenance; 8. Media Protection; 9. Physical Protection; 10. Personnel Security; 11. Risk Assessment; 12. Security Assessment; 13. System and Communications Protection; 14. System and Information Integrity |
What Is the Difference Between NIST SP 800-171 and 800-172?
NIST SP 800-172 includes all of the control requirements of NIST SP 800-171, plus enhanced controls designed to address sophisticated advanced persistent threats (APTs). While NIST SP 800-171 is a requirement for every contract that involves handling of CUI, NIST SP 800-172 security requirements apply only when mandated by a federal agency in a contract, grant, or other agreement. Under the CMMC Final Rule from the U.S. DoD, 24 NIST SP 800-172 requirements also apply to CMMC Level 3.
Organizations required to comply with NIST SP 800-171 and NIST SP 800-172 include those that process CUI or provide services for critical government programs and thus need to be compliant, such as:
- Federal service providers of financial, cloud, or communications systems
- Research institutions processing or storing high-risk CUI as part of their research projects
- Service providers processing CUI for critical industries like energy, manufacturing, healthcare, or defense
NIST SP 800-171 and NIST SP 800-172 are made up of 14 control families and contain the same 110 control requirements. However, NIST SP 800-172 includes 35 additional security requirements for protecting CUI's confidentiality, integrity, and availability in non-federal systems.
Among the control requirements included in NIST SP 800-172 are multi-factor authentication (MFA) and basic security training requirements that are expanded to include coverage of social engineering, advanced persistent threat actors, data breaches, and suspicious behavior, and the need to perform threat-hunting activities in the organization’s IT environment.
These are enhanced security requirements that are selected to provide the foundation for a multi-dimensional, defense-in-depth protection strategy that includes mutually supportive and reinforcing components, such as:
- Penetration-resistant architecture: technology and procedures that must be used to limit opportunities for an adversary to compromise the company’s system(s)
- Damage-limiting operations: the need to detect exploits and limit the effects of detected and undetected system compromises
- Cyber-resiliency and survivability design: the need to anticipate, withstand, and recover from cyber-attacks
How Many Controls Does NIST SP 800-171 Have?
NIST SP 800-171 contains 14 control families with 110 security requirements:
1. Access Controls
2. Awareness and Training
3. Audit and Accountability
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Physical Protection
10. Personnel Security
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection
14. System and Information Integrity
How Does CMMC Relate to NIST?
The U.S. Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) to assess and enhance the cybersecurity posture of contractors who provide goods and services to the DoD. CMMC is a collection of cybersecurity requirements associated with three certification levels.
Depending on the type of information a contractor manages, the DoD obligates them to prove their cyber maturity at the appropriate level. NIST SP 800-171 Rev. 2 (which is the basis for CMMC Level 2 compliance) was developed in coordination with private and public contractors and other cybersecurity stakeholders to establish cybersecurity standards across industries to ensure consistency in CUI protection.
CMMC draws from the NIST SP 800-171 and NIST SP 800-172 publications for much of the criteria for CMMC Levels 2 and 3. CMMC also contains components of NIST SP 800-53.
NIST SP 800-171 Protects CUI to Bolster National Security
National adversaries target CUI because it has fewer controls than classified information. When aggregated, CUI poses a significant risk to national security. NIST SP 800-171 standardizes cybersecurity across all CUI to ensure it is adequately protected from threats such as ransomware attacks and potential hacking.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 22,000+ customers with millions of users worldwide.
Last Updated: 22nd November, 2024