What Are The 14 Controls Identified In NIST 800-171?

If your organization works with the government as a contractor, subcontractor, or supplier, you are likely familiar with the rules and regulations regarding information labeled secret, top secret, or classified.

But other data and information that doesn’t fall into those categories may still need protection from unauthorized access. This information is referred to as controlled unclassified information or CUI.

More than 10 years ago, the National Institute of Standards and Technology (NIST) issued a special publication known as NIST 800-171 (or NIST SP 800-171). This publication provides a framework for protecting CUI.

Although NIST 800-171 has been around for years, we still get asked what it involves and what companies need to do to be compliant.

This article will explain what CUI is, identify the 14 controls for protecting CUI outlined in NIST 800-171, and explore specific actions you can take to satisfy the requirements.

What Is CUI?

The National Science Foundation (NSF) defines CUI as:

“information the government owns or creates, or that a firm or organization possesses or creates for the government, that needs to be safeguarded and protected using the information security controls required under current government laws, regulations and policies.”

The NSF goes on to say: 

“...although CUI isn’t classified information, the federal government has determined that it needs to be protected because its malicious release poses a threat to national security.”

Examples Of CUI

Information that falls into the CUI category includes, but is not limited to:

1. Personally Identifiable Information (PII)

PII is information that can be used to identify a particular person, such as:

• • • driver’s license numbers
    • patient identification numbers
    • social security numbers
    • financial account numbers
    • credit card numbers

2. Proprietary Business Information (PBI)

PBI includes a company’s confidential and/or proprietary knowledge, data and information.

Examples include:

• • • customer and employee lists
    • intellectual property
    • pricing lists
    • marketing and pricing tools and information
    • business plans and budgets
    • manufacturing data
    • research and development information
    • policies

3. Unclassified Controlled Technical Information (UCTI)

The Department of Energy defines UCTI as:

"technical data or computer software (as defined in Defense Federal Acquisition Regulation Supplement 252.227-7013) with military or space application … subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination."

4. Sensitive, But Unclassified (SBU) Information

The U.S. Department of State identifies SBU as information that is not classified for national security reasons, but that warrants/requires administrative control and protection from public or other unauthorized disclosure for other reasons.

There are more than 100 labels for SBU information, including: For Official Use Only (FOUO), Law Enforcement Sensitive (LES), Sensitive Security Information (SSI), and Limited Official Use (LOU).

Although this is not an exhaustive list, it provides a broad understanding of the many categories of CUI.

What Are The 14 Controls In The NIST 800-171 Framework?

The 14 controls identified in NIST 800-171 are designed to help organizations safeguard their data and information systems. They include:

1. Access Control

Who is authorized to access data, and what permissions (read-only, read and write, etc.) do they have?

What To Do:

Establish system access requirements. Control internal system access. Control remote system access. Limit data access to authorized users and processes.

2. Awareness and Training

Are users properly trained in their roles involving how to properly secure this data and the systems it resides on?

What To Do:

Conduct security awareness and training activities for employees on a regular basis. This will help keep cybersecurity top of mind for users and teach them how to identify and report emerging threats.

3. Audit and Accountability 

Are accurate records of system and data access and activity kept and monitored? Can violators be positively identified?

What To Do: 

Define audit requirements. Perform audits. Identify and protect audit information. Review, store, and manage audit logs.

4. Configuration Management

How are your systems standardized? How are changes monitored, approved, and documented?

What To Do: 

Establish configuration baselines. Perform configuration and change management.

5. Identification and Authentication

How are users positively identified prior to obtaining access to this information?

What To Do: 

Grant access to authenticated entities only.

Implement multi-factor authentication (MFA) which requires users to provide more than one piece of identification before logging in to systems and devices.

Related article: What Is Multi-Factor Authentication? Do I Need It?

6. Incident Response

What processes are followed when security events, threats, or breaches are suspected or identified?

What To Do: 

Use monitoring tools to provide real-time information about devices and systems, so you can detect and remediate incidents and unauthorized access.

Proactively develop and implement a response plan and practice using it, so that you will know exactly what to do and who will do it in the case of an incident. Review and update it regularly to keep it fresh and pertinent.

Related article: What Are The Key Components Of An IT Disaster Recovery Plan?

7. Maintenance

How is information secured and protected against unauthorized access during maintenance activities?

What To Do:  

Manage maintenance with data protection in mind. This can mean physical maintenance to your office building or infrastructure maintenance that is performed by internal or external partners.

8. Media Protection

How are electronic and hard copy records and backups stored and secured?

What To Do: 

Identify, protect, and control media. Protect media during transport. Backup data regularly and store it remotely to ensure access during an incident and practice retrieving recent backups so when disaster strikes you are ready.

Related article: Data Backups Are Key To Disaster Recovery

9. Physical Protection

How does your organization prevent unauthorized physical access to systems, equipment, and storage?

What To Do: 

Limit physical access to your servers and devices. Restrict entry by using a badge reader or biometric scanner. Consider using cameras to monitor everyone entering and leaving restricted areas.

Make sure employees lock their devices when they aren’t in use and consider implementing a mobile device management (MDM) tool that allows remote access, monitoring, support, and secure device management.

MDM can be critically important to wipe or lock devices (phones, laptops, tablets) that are lost or stolen.

Related article: Why Should I Lock My Work Computer And How Does It Protect My Company?

10. Personnel Security

How are individuals screened prior to granting them access to CUI? 

What To Do: 

Perform appropriate background checks during the hiring process depending on the information employees will access. Different roles may require different levels of screening and access.

Protect CUI during personnel actions; in other words immediately revoke credentials when employees terminate employment to restrict access to sensitive information.

11. Risk Assessment

How are business risks and system vulnerabilities associated with handling CUI identified, tracked, and mitigated?

What To Do: 

Identify, evaluate, and manage risk using tools like penetration tests and vulnerability scans. Manage supply chain risk.

Related article: What’s The Difference Between A Vulnerability Scan & Penetration Test?

12. Security Assessment

How effective are current security standards and processes? What improvements are needed?

What To Do: 

Develop and manage a system security plan. Define and manage controls. Perform code reviews. Evaluate and update your processes regularly.

Related article: Testing Your IT Disaster Recovery Plan: Best Practices

13. System and Communications Protection

How is information protected and controlled at key internal and external transmission points?

What To Do:

Define security requirements for systems and communications.

For example, your most sensitive information should be protected behind multiple layers of firewalls.

Related article: What Is a Business, Commercial, or Enterprise Firewall? Do I Need One?

In addition, spam filtering software and protection can help keep your inbound and outgoing electronic correspondence safe.

Anti-spam filters check your email against industry-standard and your specifically defined criteria for spam and virus controls.

Items that fail these checks are quarantined and not delivered to reduce dangerous and unnecessary email and prevent the distribution of malware, spam, and viruses to your contacts.

14. System and Information Integrity

How is CUI protected against such threats as software flaws, malware, and unauthorized access? 

What To Do: 

Install software updates and patches quickly to ensure your systems and network are protected against the latest threats. Identify and manage information system flaws. Identify malicious content. Perform network and system monitoring. Implement advanced email protections.

Consider using an anti-malware tool to protect against attacks that would penetrate standard antivirus software.

Anti-malware defends before, contains during, and helps remediate after an incident. It constantly tracks programs, so you know exactly what’s running where and when across your endpoints and sends alerts if a program suddenly turns malicious.

Each of these 14 control families is further defined by specific processes or practices against which your company will be evaluated. 

What’s The Bottom Line?

After reading this article, you have a complete understanding of the 14 NIST SP 800-171 controls and actions you can take to comply with the requirements. We’ve defined CUI and provided examples to give you a comprehensive overview.

At this point, you may or may not know whether NIST 800-171 is required of your business. The button below will provide a tool you can use to assess whether NIST compliance is necessary.

Whether contractually obligated or not, I’d encourage any organization to explore the NIST 800-171 special publication as it provides a thorough framework for enhancing organizational security.

Already NIST 800-171 compliant? Prepare now for the Department of Defense Cybersecurity Maturity Model Certification (CMMC) , the next step in compliance for government contractors, subcontractors, and suppliers.