NIST SP 800-171

NIST SP 800-171 defines how to protect and distribute Controlled Unclassified Information (CUI), which is not strictly regulated by the federal government but is sensitive and requires safeguarding. 

NIST SP 800-171 applies to anyone who processes, stores, or transmits CUI for the Department of Defense (DoD), General Services Administration (GSA), NASA, and other federal and state agencies. It includes contract agencies.

 

NIST SP 800-171 controls

NIST SP 800-171 combines FIPS 200 and NIST SP 800-53. It contains 110 security controls across the following 14 categories: 

 

  • Access Control

  • Awareness and Training

  • Audit and Accountability

  • Configuration Management

  • Identification and Authentication

  • Incident Response

  • Maintenance

  • Media Protection

  • Personnel Security

  • Physical Protection

  • Risk Assessment

  • Security Assessment

  • System and Communications Protection

  • System and Information Integrity

Compliance requires a self-assessment against all 110 controls, a system security plan (SSP) describing how the security requirements are met, plus plans of action and milestones (POA&M).

NIST SP 800-171 compliance is currently required by some Department of Defense contracts. Therefore, non-compliance could result in immediate contract termination. Importantly, if a contractor claims to be compliant with SP 800-171 and they are not, it could result in criminal fraud.

CyGov delivers streamlined, automated data collection and analysis, prioritized remediation guidance and real-time customized scoring to meet the NIST SP 800-171 requirements. CyGov has mapped NIST SP 800-171 back to its control inventory allowing to share data across multiple frameworks through the platform, which creates time savings, money savings and more accurate data. Through the CyGov platform organizations can gain full visibility to their cyber risk levels and compliance.

Background footer new.png

Follow Us

Group 9703@2x.png
Group 9705@2x.png

© 2020 by CyGov Tech