NIST SP 800-171, often shortened to 800-171, defines the security requirements that a nonfederal information system must meet in order to store, process, or transmit Controlled Unclassified Information (CUI), or to provide security protection for systems that do. Its requirements are derived from FIPS Publication 200 and the moderate security control baseline of NIST SP 800-53, the standards federal systems themselves apply under the Federal Information Security Management Act of 2002 (FISMA).
Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, focuses on information exchanged by federal agencies with non-federal entities.
The publication, issued by the National Institute of Standards and Technology (NIST), was first released in June 2015; for Department of Defense contractors, DFARS clause 252.204-7012 required its requirements to be implemented no later than December 31, 2017. It serves as a guide for federal agencies and the organizations they contract with to ensure that CUI is protected when processed, stored, and transmitted in nonfederal information systems.
CUI is information that is not classified but that a law, regulation, or government-wide policy requires to be safeguarded or subject to dissemination controls. The term was established by Executive Order 13556 (2010), which created a government-wide CUI program, administered by the National Archives and Records Administration (NARA), to replace agency-specific markings such as "For Official Use Only" and to manage the large volumes of unclassified information handled by contractors and service providers.
NIST SP 800-171 (Revisions 1 and 2) groups its security requirements into 14 families: access control, audit and accountability, awareness and training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Revision 3, published in 2024, adds planning, system and services acquisition, and supply chain risk management, bringing the total to 17 families.
To work through a NIST 800-171 checklist, a business must first determine whether it receives and uses CUI at all, and where that data is kept. This entails a thorough audit of corporate networks and data flows, beginning with staff computers and ending with the third-party contractors the organization collaborates with.
Tools such as Data Loss Prevention (DLP) systems can help with data identification: they scan corporate networks and file stores for particular file types, predefined content, file names, regular expressions, or compliance profiles built for standards such as NIST 800-171.
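As an added illustration of the kind of scan a DLP tool runs (example code written for this article, not a NIST or vendor tool), the following Python script walks a set of files and flags CUI candidates by file type, file name, and content regexes. The banner-marking pattern follows the public CUI marking format ("CUI" or "CONTROLLED", optionally followed by "//CATEGORY/DISSEM"); the SSN rule is a generic proxy for privacy data; the file paths and contents in the sample corpus are constructed for the demo.

```python
"""Added example: a small CUI discovery scan of the kind a DLP tool performs.

Illustrative code written for this article, not NIST's or any vendor's tooling.
The sample corpus below is constructed; none of it is real data.
"""
import re
from dataclasses import dataclass
from pathlib import Path

# File types the scanner opens as text. Office documents and PDFs would need a
# text extractor first; they are skipped here on purpose.
TEXT_EXTENSIONS = {".txt", ".csv", ".md", ".eml", ".log"}

# Content rules: (rule name, compiled regex), applied to file contents.
CONTENT_RULES = [
    # A banner line consisting only of a CUI marking, e.g. "CUI" or "CUI//SP-PRVCY/NOFORN".
    ("cui_marking", re.compile(
        r"^\s*(?:CUI|CONTROLLED)(?://[A-Z0-9-]+(?:/[A-Z0-9-]+)*)?\s*$", re.MULTILINE)),
    # The "Controlled by:" designation indicator that accompanies CUI markings.
    ("designation_indicator", re.compile(r"Controlled by:\s*\S", re.IGNORECASE)),
    # US Social Security Numbers as a proxy for privacy CUI; never-issued ranges excluded.
    ("ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
]

# Name rules are applied to the file name only. Underscores and hyphens count as
# separators, so "old_CUI_archive" matches while "circuit-notes" does not.
NAME_RULES = [
    ("cui_in_name", re.compile(r"(?<![a-z0-9])(?:cui|controlled)(?![a-z0-9])", re.IGNORECASE)),
]

# Rules whose matched text must never be copied into a report.
SENSITIVE_RULES = {"ssn"}


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    count: int
    sample: str  # first match, for triage; redacted for sensitive rules


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every name rule against the file name and every content rule against the text."""
    findings: list[Finding] = []
    name = Path(path).name
    for rule_name, pattern in NAME_RULES:
        match = pattern.search(name)
        if match:
            findings.append(Finding(path, rule_name, 1, match.group(0)))
    for rule_name, pattern in CONTENT_RULES:
        matches = pattern.findall(text)
        if matches:
            sample = "[redacted]" if rule_name in SENSITIVE_RULES else matches[0].strip()
            findings.append(Finding(path, rule_name, len(matches), sample))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory corpus of path -> text (used for the demo below)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_directory(root: Path) -> list[Finding]:
    """Walk a real directory tree, opening only the configured text types."""
    findings: list[Finding] = []
    for file in root.rglob("*"):
        if file.is_file() and file.suffix.lower() in TEXT_EXTENSIONS:
            findings.extend(scan_text(str(file), file.read_text(errors="ignore")))
    return findings


def summarize(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Collapse findings into {path: {rule: count}} for reporting."""
    report: dict[str, dict[str, int]] = {}
    for f in findings:
        report.setdefault(f.path, {})[f.rule] = f.count
    return report


# Constructed sample corpus standing in for a file share (hypothetical paths and text).
SAMPLE_FILES = {
    "shared/contracts/FA8000-statement-of-work.txt":
        "CUI//SP-CTI\n\nStatement of work for the prime contract.\n"
        "Controlled by: Contracting Office\n\nCUI//SP-CTI\n",
    "shared/hr/benefits-roster.csv":
        "name,ssn\nJane Roe,123-45-6789\nJohn Doe,234-56-7890\n",
    "shared/marketing/press-release.md":
        "# New product launch\nNothing sensitive here.\n",
    "shared/legacy/old_CUI_archive.txt":
        "no markings left in this file\n",
}

if __name__ == "__main__":
    for path, rules in summarize(scan_files(SAMPLE_FILES)).items():
        print(path, rules)
```

Treat the output as a candidate list for human triage rather than an inventory: a marking regex finds only documents that were marked correctly (the unmarked legacy file above is caught only by its name), and a pattern such as the SSN rule produces false positives. Binary formats need a text extractor before the content rules can see them.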
Data should be categorized.
Once CUI has been identified, it must be sorted into the categories to which it belongs. The categories are defined not by NIST 800-171 itself but by the CUI Registry maintained by NARA, which arranges them into roughly twenty organizational index groupings, including Critical Infrastructure, Defense, Patent, Privacy, and Proprietary Business Information. Most CUI is "CUI Basic" and is protected by the uniform 800-171 requirements, but "CUI Specified" categories carry additional handling requirements set by the underlying law, regulation, or policy, so it is critical that CUI be categorized correctly.
Once a security plan has been developed (800-171 requires a system security plan and plans of action for any requirements not yet met), companies must ensure that staff are aware of and understand the NIST 800-171 compliance requirements. Organizations must educate all employees on the necessity of following the security policies and the consequences of noncompliance. They should also clarify which policies are most relevant to particular departments and ensure that any policy changes are communicated to staff as soon as possible.