
By: Karen Cohen on February 23, 2024


Understanding The 14 NIST Control Families


Organizations that work with the government are accustomed to the rules and regulations regarding information labeled secret, top secret, or classified.

But some data and information that doesn’t fall into those categories is still sensitive and needs to be handled with care to protect it from people with questionable or malicious intent.

In 2015, the National Institute of Standards and Technology (NIST) issued Special Publication 800-171 (usually written NIST 800-171 or NIST SP 800-171), which sets out security requirements for protecting controlled unclassified information (CUI) in nonfederal systems and organizations. It has been revised since, but the structure described here has stayed the same.

This article will explain what constitutes CUI, identify the 14 control families outlined in NIST 800-171, and explore what each control means.

I’m writing this article because although it has been around for many years, we still get asked what NIST 800-171 involves and what companies need to do to be compliant.

We want business leaders to have easy access to the information they need to ensure compliance with government regulations.

What Is CUI?

The National Science Foundation (NSF) defines CUI as “information the government owns or creates, or that a firm or organization possesses or creates for the government, that needs to be safeguarded and protected using the information security controls required under current government laws, regulations and policies.”

The NSF goes on to say that “although CUI isn’t classified information, the federal government has determined that it needs to be protected because its malicious release poses a threat to national security.”

Examples Of CUI

Many types of information fall into the CUI category. These include, but are not limited to:

1. Personally Identifiable Information (PII)

In general terms, PII is information that can be used to identify a particular individual, such as a driver’s license number, patient identification number, Social Security number, or financial account or credit card number.

2. Proprietary Business Information (PBI)

According to lawinsider.com, PBI includes any and all confidential and/or proprietary knowledge, data and information of a company that is either marked as PBI or should reasonably be understood to be PBI.

This includes customer and employee lists, intellectual property, pricing lists, marketing and pricing tools and information, business plans and budgets, manufacturing data, research and development information, and policies.

3. Unclassified Controlled Technical Information (UCTI)

The Department of Energy defines UCTI as:

"technical data or computer software (as defined in Defense Federal Acquisition Regulation Supplement 252.227-7013) with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination."

4. Sensitive, But Unclassified (SBU) Information

The U.S. Department of State identifies SBU as information that is not classified for national security reasons, but that warrants/requires administrative control and protection from public or other unauthorized disclosure for other reasons.

There are more than 100 labels for SBU information, including: For Official Use Only (FOUO), Law Enforcement Sensitive (LES), Sensitive Security Information (SSI), and Limited Official Use (LOU).

Again, this is not an exhaustive list, but does provide a sense of the types of information considered CUI.

Who Needs To Comply With NIST 800-171?

Government contractors, subcontractors, and suppliers that store, process, or transmit CUI on their own systems must implement the requirements in the 14 control families identified in NIST 800-171, document how each requirement is met, and be able to demonstrate that compliance to the agency or prime contractor they work for.

What Are The 14 Control Families Identified In NIST 800-171?

The 14 control families identified in NIST 800-171 are:

1. Access Control

Who is authorized to access this data, and what permissions (read-only, read and write, etc.) do they have?

What It Means:

Establish system access requirements. Control internal system access. Control remote system access. Limit data access to authorized users and processes, following the principle of least privilege: each account gets only the permissions its role needs, and privileged functions are kept separate from ordinary day-to-day use.

2. Awareness and Training

Are users properly trained in their roles involving how to properly secure this data and the systems it resides on?

What It Means: 

Conduct security awareness and training activities for employees on a regular basis. This will help keep cybersecurity top of mind for users and teach them how to identify and report emerging threats.

3. Audit and Accountability 

Are accurate records of system and data access and activity kept and monitored? Can violators be positively identified?

What It Means: 

Define what must be logged (who did what, to which system or record, and when) so that actions can be traced to an individual user. Generate and retain those audit records. Protect the audit information and the logging tools from unauthorized access, modification, and deletion. Review and analyze the logs regularly, and alert on failures of the logging process itself.
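The "protect audit information" and "review audit logs" points above are easier to see in code. The following is an added example (not code from the article or from NIST): an append-only audit log in which each record carries an HMAC over its own fields plus the MAC of the previous record, so any edit or deletion breaks the chain, together with a simple review query that counts failed logins per user. The events, the key, and the usernames are constructed for the demo, and the chain alone cannot detect truncation of the newest records, which is why the head MAC is returned from `append` so it can be stored somewhere the log server cannot reach.

```python
"""Tamper-evident audit log with a review query (added example)."""
import hashlib
import hmac
import json
from collections import Counter

GENESIS = "0" * 64  # "previous MAC" of the very first record


class AuditLog:
    """Append-only log. Each record's MAC covers its own fields and the
    previous record's MAC, forming a hash chain keyed with `key`."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    def _mac(self, record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "mac"}
        data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()

    def append(self, ts: str, user: str, action: str, outcome: str) -> str:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "ts": ts, "user": user,
                  "action": action, "outcome": outcome, "prev": prev}
        record["mac"] = self._mac(record)
        self.entries.append(record)
        return record["mac"]  # new head: forward it off-box (e.g. to a SIEM)

    def verify(self, expected_head: str = None):
        """Return (True, None) if intact, else (False, first_bad_index).
        `expected_head` is the last MAC stored elsewhere; without it,
        deleting the newest records is invisible to the chain check."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec.get("seq") != i or rec.get("prev") != prev:
                return False, i  # record removed, reordered or inserted
            if not hmac.compare_digest(self._mac(rec), rec["mac"]):
                return False, i  # record contents modified
            prev = rec["mac"]
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return False, len(self.entries)  # chain truncated at the end
        return True, None


def failed_logins_by_user(entries, threshold: int = 3) -> dict:
    """Review query: users with at least `threshold` failed logins."""
    counts = Counter(r["user"] for r in entries
                     if r["action"] == "login" and r["outcome"] == "failure")
    return {user: n for user, n in counts.items() if n >= threshold}


def build_sample_log(key: bytes = b"constructed-demo-key"):
    """Constructed sample events for the demo; not real log data."""
    log = AuditLog(key)
    events = [
        ("2024-02-23T09:00:01Z", "alice", "login", "success"),
        ("2024-02-23T09:01:10Z", "mallory", "login", "failure"),
        ("2024-02-23T09:01:14Z", "mallory", "login", "failure"),
        ("2024-02-23T09:01:19Z", "mallory", "login", "failure"),
        ("2024-02-23T09:02:00Z", "alice", "read", "success"),
        ("2024-02-23T09:05:30Z", "mallory", "login", "failure"),
    ]
    head = None
    for event in events:
        head = log.append(*event)
    return log, head


if __name__ == "__main__":
    log, head = build_sample_log()
    print("intact:", log.verify(head))
    print("review:", failed_logins_by_user(log.entries))
    log.entries[1]["user"] = "alice"  # an insider rewrites history
    print("after tampering:", log.verify(head))
```

The key used to compute the MACs must not be readable by the accounts whose actions the log records; otherwise an attacker can simply recompute the chain after editing it.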

4. Configuration Management

How are your systems standardized? How are changes monitored, approved, and documented?

What It Means: 

Establish configuration baselines. Perform configuration and change management.

5. Identification and Authentication

How are users positively identified prior to obtaining access to this information?

What It Means: 

Grant access to authenticated users, processes, and devices only, and enforce good credential hygiene: password complexity rules, no reuse of recent passwords, and credentials stored and transmitted only in cryptographically protected form.

Multi-factor authentication (MFA) verifies identity by requiring more than one kind of evidence (something you know, something you have, or something you are) before allowing access to systems and devices. NIST 800-171 requires MFA for local and network access to privileged accounts and for network access to non-privileged accounts.

Related article: What Is Multi-Factor Authentication? Do I Need It?
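As an added illustration of what "more than one piece of identification" means in practice (this is example code, not from the article or from any particular product), the block below checks a password and a time-based one-time password (TOTP, RFC 6238, the scheme used by common authenticator apps) and only grants access when both pass. It also handles two edge cases a practitioner will hit: clock skew between the server and the user's phone (a one-step window), and replay of a code that was already used within that window. The shared secret is the RFC 6238 test-vector key, and the account record is constructed for the demo.

```python
"""Two-factor login: password (PBKDF2) plus TOTP (RFC 6238). Added example."""
import base64
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP whose counter is the number of 30 s steps since epoch."""
    return hotp(secret, int(at_time) // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret shown when enrolling an authenticator app."""
    return base64.b32decode(text.replace(" ", "").upper())


def match_totp(secret: bytes, submitted: str, at_time: float,
               step: int = 30, window: int = 1, digits: int = 6):
    """Return the time-step counter whose code matches `submitted`, or None.
    Tolerates +/- `window` steps of clock skew; compares in constant time."""
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


class TotpFactor:
    """Second factor for one account. Remembers the last accepted step so a
    code captured by an attacker cannot be replayed inside the skew window."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1

    def verify(self, submitted: str, at_time: float = None) -> bool:
        at_time = time.time() if at_time is None else at_time
        c = match_totp(self.secret, submitted, at_time, self.step, self.window)
        if c is None or c <= self.last_counter:
            return False            # wrong code, or code already used
        self.last_counter = c
        return True


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-SHA256; returns (salt, digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(stored: tuple, password: str) -> bool:
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def login(account: dict, password: str, code: str, at_time: float = None) -> bool:
    """Both factors are always evaluated, so a failure does not reveal which
    one was wrong; a correct code offered with a wrong password is consumed."""
    pw_ok = verify_password(account["password"], password)
    otp_ok = account["totp"].verify(code, at_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test-vector key
    acct = {"password": hash_password("correct horse battery"),  # demo account
            "totp": TotpFactor(secret)}
    now = time.time()
    print("both factors:", login(acct, "correct horse battery", totp(secret, now), now))
    print("replayed code:", login(acct, "correct horse battery", totp(secret, now), now))
```

In a real deployment the TOTP secret and `last_counter` live in the account store, the PBKDF2 iteration count is tuned to your hardware, and failed attempts are rate-limited so the six-digit code cannot be brute-forced within its 30-second window.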

6. Incident Response

What processes are followed when security events, threats, or breaches are suspected or identified?

What It Means: 

Monitor devices and systems so you can detect, contain, and remediate incidents. Develop and implement a response plan before you need it, including how incidents are tracked, documented, and reported internally and to the contracting agency. Practice the plan so it runs smoothly when a real incident occurs, and perform post-incident reviews so each incident improves the plan.

Related article: What Are The Key Components Of An IT Disaster Recovery Plan?

7. Maintenance

How is information secured and protected against unauthorized access during maintenance activities?

What It Means:  

Manage system maintenance. Control the tools, techniques, and personnel used for maintenance; supervise work done by external partners who do not have the required access authorization; require multi-factor authentication for remote (nonlocal) maintenance sessions and terminate those sessions when the work is done; and sanitize equipment containing CUI before it leaves the premises for off-site repair.

8. Media Protection

How are electronic and hard copy records and backups stored securely?

What It Means: 

Identify, protect, and control media (digital and paper) that contains CUI. Sanitize or destroy media before disposal or reuse. Protect media during transport, including encrypting CUI on portable storage. Back up data regularly, protect the confidentiality of backups wherever they are stored, and practice restoring recent backups so that you are ready when disaster strikes.

Related article: Data Backups Are Key To Disaster Recovery

9. Physical Protection

How is unauthorized physical access to systems, equipment, and storage prevented?

What It Means: 

Limit physical access to your servers and devices.

Make sure employees lock their devices when they aren’t in use. Consider a mobile device management (MDM) tool that provides remote access, monitoring, support, and secure management of devices; it becomes critically important when you need to wipe or lock a device that has been lost or stolen.

Related article: Why Should I Lock My Work Computer And How Does It Protect My Company?

10. Personnel Security

How are individuals screened prior to granting them access to CUI? 

What It Means: 

Perform appropriate background checks during the hiring process depending on the kinds of information employees will access. Different roles may require different levels of screening.

Protect CUI during personnel actions: when an employee leaves or changes roles, revoke or adjust credentials immediately so they can no longer reach CUI they are not authorized for.

11. Risk Assessment

How are business risks and system vulnerabilities associated with handling this information identified, tracked, and mitigated?

What It Means: 

Identify, evaluate, and manage risk using tools like penetration tests and vulnerability scans. Manage supply chain risk.

Related article: What’s The Difference Between A Vulnerability Scan & Penetration Test?

12. Security Assessment

How effective are current security standards and processes? What improvements are needed?

What It Means: 

Develop and manage a system security plan (SSP) that describes how each requirement is met. Assess the controls periodically to determine whether they are effective, and track deficiencies and their corrective actions in a plan of action and milestones (POA&M). Monitor the controls on an ongoing basis and update your processes as systems change.

Related article: Testing Your IT Disaster Recovery Plan: Best Practices

13. System and Communications Protection

How is information protected and controlled at key internal and external transmission points?

What It Means:

Define security requirements for systems and communications.

For example, systems holding your most sensitive information should be separated from publicly accessible systems and from general user networks, with boundary protection that denies traffic by default and allows only what is explicitly needed, and CUI should be encrypted in transit so it cannot be read if intercepted.

Related article: What Is a Business, Commercial, or Enterprise Firewall? Do I Need One?

In addition, spam filtering can help keep inbound and outbound email safe.

Anti-spam filters check messages against industry-standard criteria and against rules you define for spam and malware.

Items that fail these checks are quarantined rather than delivered, which reduces dangerous and unnecessary email and prevents malware and spam from being passed on to your contacts.

14. System and Information Integrity

How is CUI protected against such threats as software flaws, malware, and unauthorized access? 

What It Means: 

Install software updates and patches quickly so your systems and network are protected against the latest threats. Identify, report, and correct system flaws. Identify malicious content. Monitor the network and systems, including inbound and outbound traffic, for attacks and indicators of compromise. Implement advanced email protections.

Consider an anti-malware tool that watches program behaviour rather than relying only on the file signatures standard antivirus uses, so it can catch attacks that slip past signature matching.

Such a tool defends before, contains during, and helps remediate after an incident. It continuously tracks which programs are running, where, and when across your endpoints, and alerts you if a program suddenly turns malicious.

Each of these 14 control families is further defined by specific requirements (110 of them in NIST 800-171 Revision 2) against which your company will be evaluated.

How Difficult Is It To Become NIST 800-171 Compliant?

The process for becoming compliant with the NIST 800-171 standards may take a significant amount of time to implement (often six months or more), but given the cost of non-compliance, it is well worth the effort.

And, if you don't have the internal resources to handle it, you can always look to an experienced external IT support provider for support.

Achieving NIST 800-171 compliance may require diving deep into your networks and procedures to ensure appropriate protections are in place. (This is in addition to the layers of general cybersecurity protection your organization already has in place.) 

What’s The Bottom Line?

After reading this article, you have an overview of the 14 NIST 800-171 control families and what each one means. You’ve learned what CUI is and seen some examples of the kinds of information it includes.

At this point, you may or may not know whether NIST 800-171 is required of your business. The button below will provide a tool you can use to assess whether NIST compliance is necessary.

Take the NIST 800-171 Compliance Quiz

Whether contractually obligated or not, I’d encourage any organization to explore the NIST 800-171 special publication as it provides a thorough framework for enhancing organizational security.

Wondering if your current cybersecurity solutions will measure up to the latest threats? Use the button below for a cybersecurity assessment tool you can use to identify potential gaps.

Get Your Cybersecurity Checklist

If you are feeling overwhelmed and just want to talk to a human, we get it!

The button below will connect you to a simple form. Provide your name and telephone number and one of our IT solutions experts will reach out to schedule a 15-minute call to learn about your current technology situation, pain points, and goals. (No sales pitch; just a conversation.)

Talk with a Human

About Karen Cohen

Karen brings unending curiosity to her role as Kelser's Content Manager. If you have a question, she wants to know the answer.
