What is NIST 800-171?

NIST 800-171 is a security standard created by the National Institute of Standards and Technology (NIST). It outlines a standard set of security controls that should be in place to protect Controlled Unclassified Information (CUI) for non-federal agencies.

Who Must Follow NIST 800-171?

NIST 800-171 targets non-federal agencies or contractors (or other organizations with access to federal data) whose systems contain controlled unclassified information (CUI) that needs to remain confidential.

Controlled unclassified information is information owned or created by the government that is sensitive but not classified. CUI can come in digital or physical form. Some examples of CUI are personally identifiable information (PII) such as legal material or health documents, intellectual property, or technical data and blueprints.

The 14 Points of NIST 800-171 Compliance

To comply with NIST 800-171, companies that need access to CUI must implement security protocols for 14 areas.

  1. Access Control: Who will be able to view the data?
  2. Awareness and Training: How will people be trained to properly handle this data? 
  3. Audit and Accountability: Will there be tracking of authorized and unauthorized access that can identify violators?
  4. Configuration Management: How will networks and safety protocols be built and documented?
  5. Identification and Authentication: What users will be approved to access CUI and how are they verified prior to granting them access?
  6. Incident Response: What will the process be for response and notification to a security threat or breach?
  7. Maintenance: How often will routine maintenance be handled and who is responsible for this? 
  8. Media Protection: Will electronic and hard copy records and backups be stored in secure locations? Who will have access?
  9. Physical Protection: Who will have access to the systems, equipment, and storage environments?
  10. Personnel Security: How will employees be screened prior to gaining access to CUI? 
  11. Risk Assessment: What risk assessment measures will be taken to ensure security, and how often?
  12. Security Assessment: Are processes and procedures effective? Are improvements needed?
  13. System and Communications Protection: Will information be regularly monitored and controlled at key internal and external transmission points?
  14. System and Information Integrity: How quickly will possible threats be detected, identified, and corrected?

Getting Started With NIST 800-171

A good first step toward NIST 800-171 compliance is to locate and identify any Controlled Unclassified Information that is stored or transferred using your systems or solutions. From there you can categorize the CUI and implement the necessary controls.

If you have further questions about complying with NIST 800-171, Red Lion is here to help. Offering NIST 800-171 assessment and compliance services, our compliance professionals will help guide you and your organization to compliance. Click below to contact us and let us know how we can lend a helping hand.

Red Lion NIST 800-171 Assessment & Compliance Services

Do you still have questions regarding NIST 800-171? With Red Lion's NIST 800-171 assessment and compliance services, you'll have a dedicated NIST compliance expert to help you understand and achieve NIST 800-171 compliance, regardless of complexity.
