NIST 800-171: Understanding Its Importance to Your Cybersecurity

NIST 800-171: Understanding Its Importance to Your Cybersecurity

The careful, meticulous, and deliberate handling of sensitive or important data is critical to organizations' success in today's ever-evolving cyber environment. When information is so quickly and readily available, exchanged, or processed at lightning speed, there are bound to be vulnerabilities when human interaction is involved. Thus, a detailed plan regarding processes and procedures of how to deal with and mitigate potential threats is crucial.

However, when you add the federal government and Controlled Unclassified Information (CUI) into the mix, the importance of cybersecurity for a company working with this type of data grows exponentially.
What exactly is CUI? Any information that is considered sensitive in nature to the U.S.'s interest but not regulated by the federal government.

According to, "32 CFR Part 2002 "Controlled Unclassified Information" was issued by ISOO (Information Security Oversight Office) to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program. The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency."

What is NIST 800-171?

How does an organization begin to protect itself from cyberthreats when handling CUI? The National Institute of Standards and Technology (NIST) offers a standard that lays out a roadmap for protecting and handling CUI or other sensitive information.

Its genesis was facilitated roughly 18 years ago, at least in part, by several cyberattacks perpetrated against well-known government institutions, such as the USPS and NOAA. For specific government agencies like the Department of Defense (DoD) or NASA, a revised version of NIST 800-171 compliance took effect only four years ago, making it a requirement for anyone who works with CUI to implement processes and protocols to secure the handling of this data.

In other words, within a company that works with these federal institutions, any employee that handles, processes, is responsible for its storage, or who disseminates it, must follow the specific guidelines and procedures in NIST 800-171 compliance laid out in the standard. This includes organizations that have contracted with the likes of the DoD or NASA.

What Does It Take to Become NIST-800-171 Compliant?

Since the world of cybersecurity is always evolving, the journey to NIST 800-171 compliance requires diligence and a focused time commitment. There are 14 significant points or aspects of the NIST 800-171 standard to consider as the process of compliance begins:

  • Access Control - Focuses on monitoring all access points in an IT environment. 
  • Awareness and Training - Providing managers, employees, administrators, and any other users with training on their work's cyber risks.
  • NIST Audit and Accountability - Keep, collect, and review cybersecurity audit logs for the detection of unauthorized activities.
  • Configuration Management - Establish a baseline of configurations to control any changes made to a company's systems.
  • Identification and Authentication - Identify users and devices within an organization's network.
  • Incident Response - Allows an organization to swiftly respond to any incident that could cause a data breach.
  • Maintenance - Calls for the regular performance of vigilant system maintenance.
  • Media Protection - Security of all system media that contains CUI, in both digital and paper form.
  • Physical Protection - Protection requirements for physical damage to hardware, software, and any data loss due to physical events.
  • Personnel Security - Protection of systems that contain CUI after personnel events like employee terminations or transfers.
  • Risk Assessment - Evaluation of potential risks to IT and critical systems or applications within an organization.
  • Security Assessment - Review and assessment of security controls in place to determine effectiveness.
  • System and Communication Protection - Monitoring and protecting information that is being transmitted or received by IT systems.
  • System and Information Integrity - Protecting data from malicious code.

How Do You Get Started?

The Smithers Quality Assessments Division is committed to and ready to support your company's initiatives in becoming NIST 800-171 Compliant and improving your cybersecurity protocols. For more insights, please take a look at our NIST 800-171 overview guide below, or if you have any questions, reach out to our cybersecurity expert.

Contact us today to learn more about our services and download our NIST Companion Guide below:

Download our NIST Companion Guide below:


How can we help?

Show Policy

Learn More

Latest Resources

See all resources