January 16, 2019

    Protecting Controlled Unclassified Information: NIST 800-171

    The U.S. government is reliant on contractors and subcontractors for special projects. As such, unclassified defense information, or Controlled Unclassified Information (CUI), is often shared with these partners. Though this information is not classified, it will still be sensitive information that should only be accessed by approved parties.

    This is where NIST (National Institute of Standards and Technology) 800-171 comes in. These are a set of guidelines for secure handling of CUI, especially as it pertains to where this information is stored. Contractors may not use federal data storage systems, but it’s still essential that the solutions they do use align with NIST standards.

    By providing a set of guidelines, this ensures that all government agencies, their contractors, and their subcontractors are on the same pages as it relates to data protection. NIST 800-171 acts as a unifying standard for any organization that houses CUI.

    The Fundamentals of NIST 800-171

    NIST 800-171 was established to create guidelines that federal and non-federal organizations could follow to keep data protected. These requirements are not intended to impose a greater than necessary burden on non-federal organizations who use CUI. However, they are comprehensive guidelines for ensuring data is secure through a cybersecurity framework.

    As part of the NIST 800-171 security requirements, guidelines are broken down into 14 categories, or families, which will be explored below. Think of each of these families as an umbrella under which numerous security guidelines are covered.

    Under each of these families, you’ll find basic security requirements and derived security requirements. Basic requirements are the high-level, fundamental guidelines that help you build a foundation of security. The derived guidelines supplement the basic guidelines, filling gaps that may or may not exist in your security policies or efforts.

    NIST 800-171 Requirements

    Each family of guidelines holds recommendations for how organizations should process, store, and transmit CUI. Before we take a closer look at each family and the high-level guidelines that fall under them, it’s important to note that if you want additional security recommendations, you can find them in the publication NIST 800-53. This publication holds advice and supplemental steps you can take to protect CUI.

    Now, let’s look at the security requirements outlined by each NIST 800-171 family.

    Access Control

    How will you limit access to your CUI storage and sharing system? This family of security controls discusses how you should limit not only access to your solution, but also how users are permitted to use your solution.

    Of the 22 derived recommendations, there are a few specific ones you should pay attention to:

    • You should limit the number of unsuccessful login attempts someone can make.

    • CUI on mobile devices should be protected.

    • Remote access sessions should be monitored and controlled.

    • Wireless access should be protected and encrypted.

    • You should use approved cryptographic methods to protect remote access sessions.

    Awareness and Training

    Your entire team must be engaged in the CUI protection process to ensure it remains secure. This means all employees – both top-level users like managers and systems administrators, and general employees alike – should be aware of the security risks that could threaten your systems, and they should be trained in how to mitigate these risks.

    The derived recommendation under this family is that security training should also include information on how to detect and report a suspected threat from within your own organization. This is an essential measure, considering it’s estimated that nearly 75% of security breach incidents are the result of an insider threat.

    Audit and Accountability

    For audit purposes, it’s vital that you keep logs of user access and activity on your file-sharing solution. You should be able to trace the unique activities of each user. This can help you identify the source of a data breach, if needed.

    Configuration Management

    Only select users need the privileges to alter your system configuration. Establishing and maintaining system configurations – like hardware, software, firmware, and documentation – is essential for protecting your system. System configuration settings on your users’ devices should be established and enforced, too.

    Identification and Authentication

    Before any user is granted access to the solution you use to store CUI, you should verify their identity. At a minimum, this requires the user to enter their username and password.

    In the derived requirements, NIST 800-171 recommends using multi-factor authentication (MFA), which is the use of a one-time passcode (OTP) sent to the user’s phone or email address. This OTP code is input in conjunction with the user’s login credentials. Other derived requirements include enforcing password complexity requirements, banning the reuse of old passwords, and more.

    Incident Response

    You should establish and test your incident response processes. A data breach, despite your best efforts, can still occur. Thus, you need a way to prepare, detect, and contain a breach when it happens. You also need recovery methods to ensure no valuable data is lost.


    To ensure the ongoing protection of CUI, regular maintenance should be performed on your systems. The personnel or subcontractor performing the maintenance should have limited access to your information storage solution. One of the derived requirements points out that any equipment should be sanitized of all CUI before being transported off your organization’s premises.

    Media Protection

    Any media storing CUI should be properly protected when in use and sanitized when it is no longer in use.

    Personnel Security

    Employees should be thoroughly screened and vetted prior to being granted CUI access. CUI must also be protected in times of employee transfer or termination.

    Physical Protection

    Physical access to you CUI storage solution is just as important as the digital security measures you adopt. The facility where your data infrastructure is housed needs to be located in the United States and monitored and protected at all times. The protections outlined in this section also apply to a subcontractor if you’re using a secure hosted file-sharing solution. The secure file-sharing host you choose needs to align with these physical protection guidelines for their facility.

    Risk Assessment

    To maintain preparedness, you should periodically assess your systems for potential vulnerabilities, and take steps to address these risks.

    Security Assessment

    In addition to assessing risk, you must also assess whether or not your security controls are able to withstand sophisticated threats. While system-wide assessments should be made regularly, you should also take steps to assess your systems on an ongoing basis. In addition to assessing your security controls, you should update your security plans to reflect any changes that may arise.

    System and Communications Protection

    You need to protect all communications regarding CUI. Any information transmitted or received by your systems should be monitored, controlled, and protected. Use architectural designs, software development techniques, and systems engineering principles to protect communications within your systems.

    One key derived requirement is that you should prevent any unauthorized and unintended information transfers using your system. Cryptographic measures should be employed to protect your entire information system, including mobile device uses and VoIP (Voice over Internet Protocol) technologies.

    System and Information Integrity

    When a cybersecurity incident occurs, you must identify, report, and contain it as quickly as possible. As part of this, you should have security measures in place to protect against malicious code. This is a common way hackers attempt to infiltrate secure systems.

    Some derived measures suggested under this control family include regularly updating security software and perform periodic scans of your system for potential issues. You should make sure your cloud service providers (CSP) do the same.

    It’s important that your organization take each of these high-level security themes into account. You should also create a system security plan and describe how your organization intends to meet each of these guidelines. This plan should describe:

    • Your system boundaries

    • Your operational environment

    • How you are implementing security requirements

    • The relationships with or connections to your other systems

    If following all of these security guidelines seems like a lot of work, you’re correct. That’s why many companies turn to secure file sharing solutions to help them get the job done. These solutions have many of these security measures already built into their system. So, the minute you start using the solution, you’re already in alignment with NIST 800-171 standards. When you adopt a secure file sharing solution, you’re able to meet these standards with minimal effort from your team.

    Find out more about Sharetru’s file sharing solutions, designed to meet government compliance standards.

    Tag(s): Government

    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.

    Other posts you might be interested in

    View All Posts