What Are the NIST SP 800-171 Requirements?

Article NIST Framework
Cybersecurity NIST Controls


NIST SP 800-171, a NIST Special Publication, outlines suggested measures to safeguard the confidentiality of controlled unclassified information (CUI). Compliance with NIST SP 800-171 is mandatory for organizations handling or storing CUI, including the Department of Defense, universities/research institutions that receive federal grants, and service providers to government agencies.

Learn more about each of the NIST SP 800-171 control families by checking out each post in our NIST SP 800-171 series:

  1. Access Control
    Access control comprises two primary elements: authentication and authorization. Authentication verifies the identity of an individual, while authorization decides if that user has permission to access the requested data.
  2. Awareness and Training
    All staff members, employees, temporary staff, as well as third-party vendors and contractors who have access to your workspace, should undergo information security awareness training. This is crucial to safeguard your organization from potential threats and ensure the security of your operations.
  3. Audit and Accountability
    Thorough and precise system logging can help prevent and minimize the effects of a possible data breach.
  4. Configuration Management
    These controls establish the necessary security levels to uphold when implementing different system modifications.
  5. Identification and Authentication
    It is essential for your system to verify the identity of all users before granting access.
  6. Incident Response
    Create a process for managing operational incidents in organizational systems and report any incidents to designated officials, whether they are internal or external to the organization.
  7. Maintenance
    Establish a schedule and procedures for regular maintenance of your organizational systems.
  8. Media Protection
    The controls set guidelines for safeguarding media and specify permitted storage devices, authorized personnel for accessing and sharing media, and approved methods for media disposal.
  9. Personnel Security
    Screen individuals before granting access to organizational systems that hold CUI.
  10. Physical Protection
    Restrict access to organizational systems, equipment, and their operating environments to authorized personnel only.
  11. Risk Assessment
    Organizations must regularly evaluate the risk to their operational activities, assets, and individuals engaged in handling, storing, or transmitting CUI.
  12. Security Assessment
    Periodically evaluate the security controls in organizational systems to ensure their efficacy.
  13. System and Communications Protection
    This ensures the protection of any data sent or received by an organization at both the external and internal boundaries of systems.
  14. System and Information Integrity
    Maintain the integrity of systems and any data processed, stored, or transmitted within your organization.

The CampusGuard team is available to assist your organization with the NIST SP 800-171 compliance requirements. Contact us to get started.


About the Author
Kathy Staples

Kathy Staples

Marketing Manager

Kathy Staples has over 20 years of experience in digital marketing, with special focus on corporate marketing initiatives and serving as an account manager for many Fortune 500 clients. As CampusGuard's Marketing Manager, Kathy's main objectives are to drive the company's brand awareness and marketing strategies while strengthening our partnerships with higher education institutions and organizations. Her marketing skills encompass multiple digital marketing initiatives, including campaign development, website management, SEO optimization, and content, email, and social media marketing.