NIST 800-171

NIST 800-171


NIST stands for the National Institute of Standards and Technology. NIST 800-171 is a standard of procedures and controls required for contractors or subcontractors to work with Department of Defense (DoD). NIST 800-171 was created to ensure that secure information was kept secure and to help protect Controlled Unclassified Information (CUI). This is used in Non- Federal Information Systems and Organizations. NIST 800-171 is a way to better cybersecurity needs, while allowing the Federal Government to feel at ease knowing that they can continue their business plans. There are in total 110 controls of NIST 800-171.

vector graphic banner art BCG blue

Need NIST 800-171 Compliance? We Can Help!

What Is Considered CUI?

Controlled Unclassified Information is basically information that is important to the United States of America, but is not necessarily controlled or monitored by the government. This information needs controls that describe its required safekeeping. This information needs to be "consistent with the applicable law, regulations and government- wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act." Every agency is required to make CUI categories/ subcategories and explain why they are CUI that are available to the public.

Benefits of Being NIST 800-171 Compliant

There are several benefits of becoming NIST 800-171 compliant. First and foremost, this is required, therefore being compliant allows your company to continue to work with the DoD and other governmental agencies. This will also result in winning new Federal contracts as well. Having compliance means that your own company is secure, which means less risk of becoming breached. This is an overall win-win situation.

Becoming NIST 800-171 Compliant

Vendors had to become NIST compliant by December 31, 2017. Any vendor who wishes to deal with Controlled Unclassified Information, i.e. stores, transmits, and/or processing of this information must become compliant. Not being compliant can result in loss of contracts or loss of reputation for your company. These controls that are set up in 800-171 are security controls that verify your company's reliability and safety. NIST 800-171 has 14 sections, which contain the 110 controls. These 14 sections are listed below:

Access Control

This would look into which employees are able to view key information

Awareness & Training

This verifies if the employees who do have access are trained to handle the information

Audit & Accountability

This verifies who does and does not have access

Configuration Management

This shows how the safety procedures are built and implemented

Identification & Authentication

This will show CUI verification of employees

Incident Response

This will outline what to do in case of attack or breach


This shows when maintenance will be occurring.

Media Protection

This shows how electronics and media forms are stored safely and securely

Physical Protection

This lists who has access to physical types of storage

Personnel Security

This will explain the prior procedures of processing who is allowed to view CUI

Risk Assessment

This will show the risks of the controls or the people viewing them

Security Assessment

This provides information on how effective the safety is and shows if more or less is needed

System & Communication Protection

This verifies that CUI is monitored with very close care at both internal and external areas

System & Information Integrity

This shows how fast any threats or attacks are detected and fixed

Learn how Bravo On Demand Can Help With Your Security & Compliance