What is NIST 800-171?

As computing platforms and technologies are ubiquitously deployed worldwide and systems and components are increasingly interconnected through wired and wireless networks, the susceptibility of Controlled Unclassified Information (CUI) to loss or compromise grows.

The purpose of NIST SP 800-171 is to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI when that CUI resides in non-federal information systems and organisations, such as contractors, rather than in federal systems.

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.

Who needs to follow NIST 800-171?

The standard applies to any non-federal organisation, typically a prime contractor or sub-contractor on a government project, whose systems process, store, or transmit CUI. Such organisations are very likely to handle CUI in the course of their work and therefore need to implement the security requirements set out in the standard.

NIST 800-171 security requirements fulfilled using e-Safe Compliance

NIST 800-171 organises the security requirements into fourteen families. e-Safe Compliance is an information security solution that helps companies monitor and secure sensitive information such as CUI.

The chart below lists the families and mentions which requirements are fully or partially managed by e-Safe Compliance.

Security requirement family: ensuring compliance using e-Safe Compliance

Access Control

Full Compliance. e-Safe Compliance provides the required access control on CUI.

Awareness and Training

Partial Compliance. e-Safe Compliance helps to raise the security risk awareness this family requires of staff; formal role-based training of personnel remains the organisation's responsibility.

Audit and Accountability

Full Compliance. e-Safe Compliance has powerful reporting and auditing capabilities, which provide clear forensic evidence to support an investigation.

Configuration Management

Partial Compliance. e-Safe Compliance fulfils the configuration baselining requirements; however, the family also requires acting on deviations from the baseline once they are identified, which remains a manual task.

Identification and Authentication

Not Applicable. This family concerns identifying and authenticating users and devices, which is the role of an identity and access management system rather than of a data monitoring tool.

Incident Response

Full Compliance. e-Safe Compliance offers complete tracking of CUI and incident response capabilities, which include a case management workflow.

Maintenance

Not Applicable.

Media Protection

Full Compliance. e-Safe Compliance offers extensive media protection capabilities.

Personnel Security

Partial Compliance. e-Safe Compliance fulfils the user monitoring aspect of this family; screening individuals before granting them access to CUI remains an organisational task.

Physical Protection

Not Applicable.

Risk Assessment

Full Compliance. e-Safe Compliance helps to automate many facets of risk and security assessment, including an automated risk register. The risk report it produces becomes an integral part of closing any security gaps in the company.

Security Assessment

System and Communications Protection

Partial Compliance. This family is mostly concerned with network configuration and with controlling information flows within the network. e-Safe Compliance offers partial compliance by meeting the cryptographic requirements for CUI, such as protecting CUI at rest and in transit; note that where cryptography is used to protect CUI, the standard requires FIPS-validated cryptography.

System and Information Integrity

Not Applicable. This family mainly concerns identifying and correcting system flaws, such as a vulnerability in a company's ERP system, and running malicious-code protection such as anti-virus/anti-spam software.

We usually find at least 1 confirmed data leak per 100 users.

Discover how much of your data is at risk, for free, within just a couple of hours!