Back To Top

De-Mystifying NIST SP 800-171

Traditionally, when people think of National Institute of Standards and Technology (NIST) publications, they think of documents that apply strictly to federal government entities or contractors supporting the federal government. However, NIST also releases publications designed for organizations in the private sector as well.

IT-Related NIST Publications

Under the NIST umbrella is the Information Technology Laboratory (ITL) whose purpose is to “promote the US economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure.” ITL is responsible for developing tests, test methods, reference data, proof of concept implementations, and technical analyses to support the development and use of information technology. Basically, that means that NIST (and more specifically ITL) is responsible for developing baseline requirements for federal information systems. As part of that mission, ITL publishes the Special Publication (SP) 800-series of documents designed to report on ITL’s research and guidance in the IT realm. This series provides information to both federal and private sector entities on everything from data encryption methodologies to media sanitation guidelines and beyond.

Special Publication 800-171

The publication in the 800 series I wanted to talk about here is the NIST SP 800-171 Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations. This document was originally written and published as a response to an executive order signed in 2010 directing federal agencies to find more effective ways to protect the confidentiality of CUI. More specifically, this document includes a roadmap for organizations outside of the federal government that transmit, process, or store CUI in some capacity to comply with federal guidelines on information confidentiality.

The document is broken down like all NIST special publications into front information (abstract of document purpose), chapters including the meat of the subject matter, and several supplemental appendices. It can be hard to wade through all of that, but the gist of what you need to look at if you’re an organization attempting to implement the requirements is in Chapter 3. This chapter lays out the requirements in the following 14 families/subject areas:

Control Families

Access Control

Media Protection

Awareness & Training

Personnel Security

Audit & Accountability

Physical Protection

Configuration Management

Risk Assessment

Identification & Authentication

Security Assessment

Incident Response

System & Comm. Protection


System & Information Integrity

The control families are derived from another NIST publication: FIPS 200 Minimum Security Requirements for Federal Information and Information Systems. The controls in that document targeted toward protecting information confidentiality are used as the basic control framework for 800-171. Since the FIPS 200 basic controls tend to be pretty vague, like most control frameworks, NIST fleshed out the high level basic controls with what they call “derivative controls” that are taken from NIST 800-53 Security and Privacy Controls for Federal Information Systems and Organizations. These controls are more specific and dialed in enough to be actionable; however, the controls are left open enough to be scalable to larger or smaller organizations. For example, a larger organization may have the capacity to do vulnerability scans monthly, while a smaller organization may only have the capacity to do them quarterly. Both timeframes are acceptable under the 800-171 requirements because both organizations are doing scans periodically based on individual capabilities.

The appendices of the document include a reference section, a glossary of common terms used throughout the document (sort of a decoder ring for those of us not used to dealing with esoteric government terminology), control mappings between CUI security requirements and other common assessment frameworks, and 800-53 tailoring criteria that provides a visual understanding of why certain 800-53 controls were not included as derivative controls in 800-171.

Who Does It Apply To

This document is applicable to government contractors and sub-contractors storing, transmitting, or processing federal government information determined to be of a sensitive nature (CUI).

What It is Not

This document is not intended to be used to address the integrity or availability of CUI, it is only intended to describe controls that will protect the confidentiality of that information.


The federal government has recognized that agencies are relying more on external service providers for specialized processing, storage, or transmission services related to CUI. NIST 800-171 was designed to provide those agencies with a sense of comfort that those service providers will be handling CUI in similar way to the agencies themselves. If you’re interested in learning more about how to start the NIST 800-171 compliance process, feel free to contact us. We would love to talk to you!

Additional Light Reading Resources

Laura is a Manager with YHB and serves on the Risk Advisory Services Team. Laura focuses on assisting organizations in a variety of industries with IT-related audit and consulting services.

Learn more about Laura