NIST SP 800-171: Protect Sensitive CUI Data


The responsibility for securing highly sensitive US federal information — including national security information — does not fall on the federal government alone. Anyone who touches this data is responsible for its protection.

Contractors, subcontractors, and other third parties and vendors that work with federal agencies like the United States Department of Defense (DoD) commonly handle sensitive government data called controlled unclassified information (CUI). These contractors are responsible for adhering to National Institute of Standards and Technology Special Publication 800-171, known as the NIST SP 800-171 framework.

What Is NIST SP 800-171?

The National Institute of Standards and Technology — which has issued numerous standards in addition to 800-171 in the century-plus that it has been around — is a non-regulatory agency under the US Department of Commerce. Its stated mission is to “promote US innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

The 800-171 framework defines a set of best practices for non-government entities to secure CUI and maintain effective cybersecurity programs. Many compliance laws, regulations, and requirements — like the Cybersecurity Maturity Model Certification, or CMMC — align closely with the NIST SP 800 framework.

What Is CUI (Controlled Unclassified Information)?

CUI is defined as “information the government creates or possesses or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

More directly, CUI is government data that, while not classified, is still sensitive and therefore requires special security controls and safeguards.

There are a lot of types of CUI. The National Archives and Records Administration (NARA) has defined 20 categories and 124 subcategories of CUI that must be protected. These categories include data in critical infrastructure, defense, export control, finance, international affairs, law enforcement, patents, transportation, legal and nuclear policies and procedures — and many more.

Why Does CUI Need Safeguarding?

While the ubiquitous spy-thriller catchphrase of “that’s classified” may carry more pop culture weight than its “unclassified” counterpart, a whole lot of unclassified data is still highly sensitive. Breaches of unclassified data can disrupt economic and national security programs and procedures, leading to potentially disastrous consequences to organizational operations, financial assets, and individuals.

Furthermore, the loss or improper protection of CUI can have a direct impact on national security — and cybersecurity threats facing the federal government and DoD are steadily on the rise, whether they’re due to leaks, espionage, or negligence.

Companies that do not comply with NIST 800-171 to effectively safeguard CUI face the consequences of rapidly canceled contracts, lawsuits, fines, and reputational damage.

NIST SP 800-171 Standards and Requirements

NIST 800-171 has 110 security requirements — or controls — that are divided into 14 groups — or families. Each family helps DoD contractors apply necessary security controls and self-assess their security programs. The 14 families are:

1. Access Control

22 requirements to safeguard the flow of sensitive information within networks and systems — and protect access to those networks and systems.

2. Awareness and Training

3 requirements to ensure that system administrators, users, and employees know the cybersecurity risks that they face — and are trained in security procedures.

3. Audit and Accountability

9 requirements for auditing and analyzing system and event logs — including recording, storing, and reviewing records.

4. Configuration Management

9 requirements to configure hardware and software across systems and networks, prevent unauthorized software installation, and restrict nonessential programs.

5. Identification and Authentication

11 requirements to identify authorized users, monitor password procedures and policies, and enforce distinctions between privileged and non-privileged access.

6. Incident Response

3 requirements to ensure that capabilities are in place to detect, contain, and recover data for a variety of cybersecurity incidents — plus test these capabilities.

7. Maintenance

6 requirements to determine best practices around network maintenance procedures — and make sure they are performed regularly and by authorized parties.

8. Media Protection

9 requirements to establish best practices for management or deletion of sensitive data and media — both physical and digital.

9. Personnel Security

2 requirements to safeguard CUI associated with personnel and employees — first, to screen individuals before they access sensitive data, and second, to terminate or transfer authorization.

10. Physical Protection

6 requirements to control physical access to CUI, including visitor access to worksites, hardware, devices, and equipment.

11. Risk Assessment

2 requirements for organizations to regularly scan their systems for vulnerabilities, keep network devices and software updated and secure, and otherwise regularly perform risk assessments.

12. Security Assessment

4 requirements to ensure that plans to safeguard CUI remain effective by developing, monitoring, renewing, and reviewing system controls and security plans and procedures.

13. System and Communications Protection

16 requirements to monitor systems that transmit information, restrict the unauthorized transfer of information, and enact best practices around encryption policies.

14. System and Information Integrity

7 requirements to monitor the ongoing protection of systems within the organization, including processes for identifying unauthorized use and the performance of system security alerts.

Who Does NIST SP 800-171 Apply To?

Most contractors and subcontractors working anywhere in the federal supply chain understand their need to be NIST-compliant or go home. The DoD works with these third-party companies in many essential capacities — and that work requires the sharing of sensitive data. Common types of government contractors include:

  • Defense contractors
  • Financial organizations
  • Healthcare organizations
  • Colleges and universities
  • Science and research institutes
  • Web, communication, and tech providers

This is by no means an exhaustive list. Implementing NIST SP 800-171 is necessary for any and all companies handling CUI. It’s the game you have to play if you want to contract with the feds.

How Do You Become NIST SP 800-171 Compliant?

Many DoD contractors need not only to become NIST compliant but also to adhere to the CMMC. According to CMMC 2.0 updates and enhancements announced in November 2021, certification requirements vary depending on the sensitivity of the CUI a company handles.

To start, organizations need to evaluate their security programs in terms of access controls, risk management, an incident response plan, and more. 110 controls may sound like a lot, but BigID’s automated, ML-based security capabilities have organizations covered when it comes to NIST SP 800-171 — and CMMC 2.0 — compliance.

Look to BigID for: deep and wide data classification functionality that includes NLP, fuzzy classification, and graph technology; automated risk scoring that measures risk based on a variety of data types; file access intelligence that identifies overexposed data and overprivileged users; a breach data app that simplifies incident response following a breach; and much more.

With the deepest data discovery foundation out there, BigID can help any company find and protect all their high-risk, regulated CUI; proactively reduce risk on their most sensitive data; remediate, retain, or discard sensitive government information; and ultimately bring their security programs up to NIST compliance standards.
