Kezia Farnham

Senior Manager

NIST 800-171 checklist, requirements & controls for a more robust compliance program

In 2021, the average data breach cost $1.93 million, a staggering 79% increase from 2021. Though breaches impacting governmental agencies don’t always rack up these same costs, they’re still expensive to mitigate, reputationally damaging and could even threaten national security. That’s where NIST 800-171 comes in and tools like an NIST 800-171 checklist can help.

The National Institute of Standards and Technology (NIST) is a U.S. federal agency responsible for managing how third parties, partners and contractors handle government information. More specifically, the NIST 800-171 is a guiding document that tells defense contractors and subcontractors how to manage controlled, unclassified information (CUI), including personal data, logistics plans and any other confidential, defense-related intel.

Our NIST 800-171 checklist aids organizations in identifying security requirements, determining what controls exist and understanding how they can help protect defense information through an effective compliance program.

Here’s everything governmental agencies and their partners need to know to get started.

What Is NIST 800-171?

NIST 800-171 is a document that, along with NIST 800-53, tells contractors, subcontractors and other non-federal organizations how to store and handle CUI. While NIST is a non-regulatory agency, any organization that processes, stores or transmits CUI must be NIST 800-171 compliant. NIST 800-171 also applies to any organizations that are federal contractors or who partner with federal contractors.

NIST 800-171 reaches back to 2010 when President Obama signed Executive Order 13556. This order mandated that all government agencies better protect CUI to fight back against several federal-level breaches around that time. The executive order called for a more unified cybersecurity policy for all governmental agencies and their partners.

What Is the Purpose of NIST 800-171?

Governments handle countless different types of information, from personal contact and account information to plans for operations in foreign countries. At its core, the purpose of NIST 800-171 is to standardize how all federal agencies and their partners define CUI and then outline standards these organizations should follow when processing, storing or handling CUI.

Compliance with this standards requires that organizations meet a minimum standard for specific cybersecurity and privacy controls. Some federal contracts might stipulate additional cybersecurity requirements, but even in their absence, organizations must always meet or exceed the requirements of NIST 800-171.

What Are NIST 800-171 Requirements?

NIST 800-171 contains 14 requirements for processing, storing and handling CUI. The requirements range from controlling which users can access which data to the integrity of the information system to the training users receive, all of which are intended to standardize how government agencies handle sensitive information.

The following is the NIST 800-171 controls list and requirements:

• Access controls: verifies whether or not a user is authorized to access data
• Awareness and training: staff should receive initial and ongoing training on handling data
• Audit and accountability: understand how data is stored, which users are authorized to access that data and who is responsible for information security
• Configuration management: ensure security features are properly configured
• Identification and authentication: audit and manage how the system identifies and authenticates each user
• Incident response: prepare a response plan for breaches of CUI data
• Maintenance: continuously monitor and upgrade security to protect CUI
• Media protection: establish a secure process for handling all tools and equipment
• Physical protection: ensure only authorized personnel can access physical spaces where CUI is stored
• Personnel security: train your staff so they can identify and report threats
• Risk assessment: develop a risk profile for CUI breaches and evaluate the current level of risk
• Security assessment: audit security procedures to verify their effectiveness
• System and communications protection: secure any and all data transmissions
• System and information integrity: verify that the system has no vulnerabilities in security and information processes

How Many Controls Does NIST 800-171 Have?

NIST 800-171 has 110 controls organized across 14 control families, which we detailed in the above NIST 800-171 Requirements section. These 110 controls are then mapped to different standards and policies, all of which organizations must follow to be compliant.

NIST 800-171 Checklist

With 14 control families, 110 controls and more than 300 control objectives, implementing this rigorous standard can seem daunting. Though it can help to either use governance and compliance technology or consult a professional, a good NIST 800-171 checklist can help distill the 72-page guidelines into actionable steps that will help any organization get on track.

To implement NIST 800-171, organizations should:

1. Identify CUI: Organizations only have to follow NIST 800-171 if they’re storing or otherwise handling CUI, which means the first step is identifying whether or not the organization actually works with CUI. Doing so requires auditing all of the organization’s information systems and processes, including computers and third-party contractors — which is critical, given that organizations must be NIST 800-171-compliant if they work with federal contractors in any capacity. 
2. Organize Data: It’s not enough for an organization to know they have data; they must classify it within NIST’s approved CUI categories. It’s important to catalog all data correctly, as each type of CUI has different requirements. 
3. Complete a Security Audit: Before an organization can verify their NIST 800-171 compliance, they must first audit their current cybersecurity strategy to identify what’s working, what’s not and what needs to be improved before it can lead to a breach. 
4. Develop Controls: Use the insights from the audit as well as the CUI categories to develop controls. The controls should fall within NIST 800-171’s control families and be specific to the types of data the organization manages and address any lapses identified during the security audit.
5. Create Documentation: Documentation is the only way organizations can prove that they comply with NIST 800-171. NIST standards require that documentation cover the following areas: system and network architecture, system boundaries, data flow, personnel, process and procedures. This can also provide a lifeline in the event of a breach since organizations can use their documentation to prove that the breach was not a result of negligence. 
6. Establish Response Plans: Breaches can happen to even the most secure organizations. As technology evolves, so does the risk of breach. Organizations should prepare by creating a plan for how they’ll respond to a breach, including updating security protocols. 
7. Deliver Effective Ongoing Training: Employees are a critical part of data security. After all, they’re the ones directly handling CUI, and can flag any lapses during their day to day. Teams can also play an instrumental role in containing any breaches by stopping them before they start or taking notice once they’ve happened. Thorough, continuous training will help employees identify any potential threats and know how to respond. 

The Benefits of NIST 800-171 Compliance

Complying with NIST 800-171 may be a legal requirement, but, in practice, it’s so much more than another compliance box to check. NIST 800-171 applies to all organizations that work with the federal government, meaning that secure data practices enable the federal government to do valuable work. What’s more, CUI is attached to actual people, meaning that compliance also protects the individuals whose data the organization is handling.

Because this data has value, compliance protects the organization financially and reputationally. IBM reported that the average cost of a breach was $1.93 million in 2021, which can significantly impact the company’s bottom line. Should their reputation take a hit, the organization can lose a lot more profit in the long run since the organization may appear less trustworthy in the eyes of the public and in the eyes of potential partners.

Penalties for Non-Compliance

The government can also take action against organizations failing to meet NIST 800-171. Penalties include:

• Damages for breach of contract
• Damages under the False Claims Act
• Termination of the contract and potential loss of contractor status
• Fines and penalties enforced by the government

Easily Monitor and Manage Third Party Compliance

Building an internal culture of compliance can be challenging. But collaborating with third parties can further complicate compliance activities, especially since contractors might be in a different location from the organization or have their own standards for information security.

While our NIST 800-171 checklist can help get you started, Third-Party Compliance from Diligent provides a more robust risk assessment, making compliance even easier. Diligent’s thorough assessment process for all contractors allows organizations to stay ahead of potential ethical and compliance risks, making it even easier to facilitate secure and successful third-party partnerships.