NIST SP 800-171 codifies the security requirements that non-federal information systems must meet in order to store, process, or transmit Controlled Unclassified Information (CUI), or to provide security protection for systems that do.
What is NIST 800-171?
- Clarifies the responsibilities of third parties that handle CUI, including their role when a data breach occurs.
- Provides guidance on the types of data to protect and the kinds of protections to apply.
- Is especially relevant to private-sector firms, since they operate the non-federal systems it covers.
NIST SP 800-171 was designed specifically for non-federal information systems, that is, systems operated by private enterprises and other non-federal organizations in support of their work.
NIST 800-171 is intended to help non-federal entities:
- Comply with the CUI security requirements using the systems and practices that contractors already have in place, rather than adopting government-specific approaches.
- Apply a standardized, uniform set of requirements for all CUI security needs, tailored to non-federal systems.
- Implement safeguards for the protection of CUI consistently and demonstrate compliance with them.
- Address common deficiencies in managing and protecting unclassified information, including inconsistent marking and inadequate safeguarding.
NIST 800-171 Key Assumptions That Impact Scoping
NIST 800-171 states that contractors may limit the scope of the CUI security requirements to the systems and/or components that process, store, or transmit CUI, or that provide security protection for those components.
Isolating CUI into its own security domain may be the most cost-effective and efficient approach for non-federal organizations to satisfy the requirements and protect CUI confidentiality. The scope reduction only holds if the boundary is actually enforced: any system that CUI can reach outside the enclave is back in scope.
To isolate CUI:
- Apply architectural design principles that place CUI systems on their own subnetworks, separated from the rest of the enterprise by firewalls or other boundary protection devices.
- Employ physical separation, logical separation, or a combination of both to establish the CUI security domain.
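The following nftables ruleset is an added example of the boundary protection described above; it is not from the page or from NIST. It assumes a hypothetical layout in which the CUI enclave sits on its own subnet behind a Linux gateway with two interfaces, and permits only two explicitly authorized flows across the boundary: administrator SSH from a jump host into the enclave, and TLS syslog from the enclave out to a log collector. Every other packet crossing the boundary is logged, counted, and dropped, which is the evidence an assessor will ask for when you claim the enclave limits scope.

```nft
#!/usr/sbin/nft -f
# Added example: boundary firewall for an isolated CUI enclave.
# All addresses and interface names below are hypothetical assumptions.
#   CUI enclave subnet     10.50.0.0/24   on interface cui0
#   Corporate LAN          10.10.0.0/16   on interface lan0
#   Admin jump host        10.10.5.10     (only source allowed into the enclave)
#   Log collector / SIEM   10.10.8.20     (only destination allowed out of the enclave)
flush ruleset

define CUI_NET   = 10.50.0.0/24
define CORP_NET  = 10.10.0.0/16
define JUMP_HOST = 10.10.5.10
define SIEM      = 10.10.8.20

table inet cui_boundary {
    chain forward {
        # Default-deny: nothing crosses the boundary unless a rule below accepts it.
        type filter hook forward priority filter; policy drop;

        # Return traffic for flows that were already accepted by a rule below.
        ct state established,related accept

        # Malformed or out-of-state packets never get a chance to match an accept rule.
        ct state invalid drop

        # Into the enclave: only SSH from the admin jump host.
        iifname "lan0" oifname "cui0" \
            ip saddr $JUMP_HOST ip daddr $CUI_NET tcp dport 22 accept

        # Out of the enclave: only syslog over TLS (RFC 5425, port 6514) to the SIEM.
        iifname "cui0" oifname "lan0" \
            ip saddr $CUI_NET ip daddr $SIEM tcp dport 6514 accept

        # Anything else crossing the boundary is recorded before the drop policy applies.
        iifname "cui0" log prefix "cui-egress-denied: " counter drop
        oifname "cui0" log prefix "cui-ingress-denied: " counter drop
    }
}
```

Load it with `nft -f` on the gateway and confirm with `nft list ruleset` that the forward chain policy is `drop`; the two `counter` rules give you a running tally of blocked boundary crossings, and the `log` prefixes make the denials easy to pick out in the collector. Adding any further allowed flow (a patch server, a directory server) should be a deliberate, documented exception rule, since each one widens the enclave's attack surface and its assessment scope.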