by SigmaSRC Team

NIST 800-171 Compliance Checklist: A Complete Guide for Contractors

NIST Special Publication 800-171 establishes requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. This comprehensive checklist helps you achieve and maintain compliance.


What is NIST 800-171?

NIST SP 800-171 is a set of security requirements, published by the National Institute of Standards and Technology, for protecting CUI that is stored, processed, or transmitted in non-federal systems. Revision 2, which this checklist and the DoD assessment methodology behind the SPRS score follow, defines 110 requirements across 14 families. Revision 3 (2024) reorganized the requirements into 97 across 17 families, so confirm which revision your contract clause invokes before assessing against it.

Who Must Comply?

  • Defense Industrial Base (DIB) contractors subject to DFARS 252.204-7012
  • Organizations that receive, store, process, or transmit CUI on behalf of a federal agency
  • Subcontractors at any tier with CUI access (the clause flows down)
  • Research institutions with federal grants or contracts involving CUI
  • Any other organization in the federal supply chain whose systems handle CUI; if no CUI touches your systems, the requirements do not apply, which is why scoping comes first

The 14 Control Families

NIST 800-171 organizes requirements into 14 families. Here's what each covers:

1. Access Control (AC) - 22 Requirements

Key Controls:

  • [ ] Limit system access to authorized users, processes acting on behalf of users, and devices
  • [ ] Limit system access to the types of transactions and functions authorized users are permitted to execute
  • [ ] Control the flow of CUI in accordance with approved authorizations
  • [ ] Separate the duties of individuals to reduce the risk of malevolent activity without collusion
  • [ ] Employ the principle of least privilege, including for specific security functions and privileged accounts
  • [ ] Use non-privileged accounts or roles when accessing non-security functions
  • [ ] Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs
  • [ ] Limit unsuccessful logon attempts
  • [ ] Provide privacy and security notices consistent with applicable CUI rules
  • [ ] Use session lock with pattern-hiding displays after a period of inactivity
  • [ ] Automatically terminate user sessions after a defined condition
  • [ ] Monitor and control remote access sessions
  • [ ] Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
  • [ ] Route remote access via managed access control points
  • [ ] Authorize remote execution of privileged commands and remote access to security-relevant information
  • [ ] Authorize wireless access prior to allowing such connections
  • [ ] Protect wireless access using authentication and encryption
  • [ ] Control connection of mobile devices
  • [ ] Encrypt CUI on mobile devices and mobile computing platforms
  • [ ] Verify and control/limit connections to and use of external systems
  • [ ] Limit use of portable storage devices on external systems
  • [ ] Control CUI posted or processed on publicly accessible systems

2. Awareness and Training (AT) - 3 Requirements

Key Controls:

  • [ ] Ensure managers and users are aware of security risks
  • [ ] Ensure personnel are trained on security policies
  • [ ] Provide security awareness training on insider threats

3. Audit and Accountability (AU) - 9 Requirements

Key Controls:

  • [ ] Create and retain system audit logs and records to the extent needed to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity
  • [ ] Ensure that the actions of individual users can be uniquely traced to those users
  • [ ] Review and update the events that are logged
  • [ ] Alert in the event of an audit logging process failure
  • [ ] Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity
  • [ ] Provide audit record reduction and report generation to support on-demand analysis and reporting
  • [ ] Compare and synchronize internal system clocks with an authoritative time source
  • [ ] Protect audit information and audit logging tools from unauthorized access, modification, and deletion
  • [ ] Limit management of audit logging functionality to a subset of privileged users

4. Configuration Management (CM) - 9 Requirements

Key Controls:

  • [ ] Establish and maintain baseline configurations
  • [ ] Establish and enforce security configuration settings
  • [ ] Track, review, and approve configuration changes
  • [ ] Analyze security impact of changes
  • [ ] Define and enforce physical and logical access restrictions
  • [ ] Employ least functionality principle
  • [ ] Restrict, disable, or prevent nonessential programs
  • [ ] Apply a deny-by-exception (blocklisting) policy to prevent use of unauthorized software, or a deny-all, permit-by-exception (allowlisting) policy to allow execution of only authorized software; allowlisting is the stronger of the two and what assessors expect on CUI endpoints
  • [ ] Control and monitor user-installed software

5. Identification and Authentication (IA) - 11 Requirements

Key Controls:

  • [ ] Identify system users, processes acting on behalf of users, and devices
  • [ ] Authenticate (or verify) the identities of users, processes, or devices as a prerequisite to allowing access
  • [ ] Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts
  • [ ] Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts
  • [ ] Prevent reuse of identifiers for a defined period
  • [ ] Disable identifiers after a defined period of inactivity
  • [ ] Enforce a minimum password complexity and change of characters when new passwords are created
  • [ ] Prohibit password reuse for a specified number of generations
  • [ ] Allow temporary password use for system logons only with an immediate change to a permanent password
  • [ ] Store and transmit only cryptographically protected passwords
  • [ ] Obscure feedback of authentication information

6. Incident Response (IR) - 3 Requirements

Key Controls:

  • [ ] Establish incident handling capability
  • [ ] Track, document, and report incidents
  • [ ] Test incident response capability

7. Maintenance (MA) - 6 Requirements

Key Controls:

  • [ ] Perform maintenance on organizational systems
  • [ ] Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance
  • [ ] Ensure equipment removed for off-site maintenance is sanitized of any CUI
  • [ ] Check media containing diagnostic and test programs for malicious code before the media are used
  • [ ] Require multifactor authentication to establish nonlocal maintenance sessions via external network connections, and terminate such connections when the maintenance is complete
  • [ ] Supervise the maintenance activities of maintenance personnel who lack the required access authorization

8. Media Protection (MP) - 9 Requirements

Key Controls:

  • [ ] Protect system media containing CUI
  • [ ] Limit access to CUI on media to authorized users
  • [ ] Sanitize or destroy media before disposal or reuse
  • [ ] Mark media with necessary CUI markings
  • [ ] Control access to media containing CUI and maintain accountability for media during transport outside controlled areas
  • [ ] Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport, unless otherwise protected by alternative physical safeguards
  • [ ] Control the use of removable media on system components
  • [ ] Prohibit the use of portable storage devices that have no identifiable owner
  • [ ] Protect the confidentiality of backup CUI at storage locations

9. Personnel Security (PS) - 2 Requirements

Key Controls:

  • [ ] Screen individuals prior to authorizing access
  • [ ] Ensure CUI is protected during personnel actions (termination, transfer)

10. Physical Protection (PE) - 6 Requirements

Key Controls:

  • [ ] Limit physical access to authorized individuals
  • [ ] Protect and monitor physical facility
  • [ ] Escort visitors and monitor visitor activity
  • [ ] Maintain physical access audit logs
  • [ ] Control and manage physical access devices
  • [ ] Enforce safeguarding measures at alternate work sites

11. Risk Assessment (RA) - 3 Requirements

Key Controls:

  • [ ] Periodically assess risk to operations, assets, and individuals
  • [ ] Scan for vulnerabilities in systems and applications
  • [ ] Remediate vulnerabilities per risk assessments

12. Security Assessment (CA) - 4 Requirements

Key Controls:

  • [ ] Periodically assess security controls
  • [ ] Develop and implement plans to correct deficiencies
  • [ ] Monitor controls on an ongoing basis
  • [ ] Develop, document, and update system security plans

13. System and Communications Protection (SC) - 16 Requirements

Key Controls:

  • [ ] Monitor, control, and protect communications at the external boundaries and key internal boundaries of systems
  • [ ] Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security
  • [ ] Separate user functionality from system management functionality
  • [ ] Prevent unauthorized and unintended information transfer via shared system resources
  • [ ] Implement subnetworks for publicly accessible components that are physically or logically separated from internal networks
  • [ ] Deny network communications traffic by default and allow it by exception
  • [ ] Prevent remote devices from simultaneously establishing non-remote connections and communicating via another connection (no split tunneling)
  • [ ] Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission, unless otherwise protected by alternative physical safeguards
  • [ ] Terminate network connections at the end of sessions or after a defined period of inactivity
  • [ ] Establish and manage cryptographic keys for cryptography employed in systems
  • [ ] Employ FIPS-validated cryptography wherever cryptography is used to protect the confidentiality of CUI
  • [ ] Prohibit remote activation of collaborative computing devices and indicate to users present when a device is in use
  • [ ] Control and monitor the use of mobile code
  • [ ] Control and monitor the use of Voice over IP technologies
  • [ ] Protect the authenticity of communications sessions
  • [ ] Protect the confidentiality of CUI at rest

14. System and Information Integrity (SI) - 7 Requirements

Key Controls:

  • [ ] Identify, report, and correct system flaws in a timely manner
  • [ ] Provide protection from malicious code at designated locations within systems
  • [ ] Monitor system security alerts and advisories and take action in response
  • [ ] Update malicious code protection mechanisms when new releases are available
  • [ ] Perform periodic scans of systems and real-time scans of files from external sources as they are downloaded, opened, or executed
  • [ ] Monitor systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
  • [ ] Identify unauthorized use of systems

Implementation Steps

Step 1: Scope Your Environment

  • Identify all systems that process, store, or transmit CUI
  • Document CUI data flows
  • Define your system boundary

Step 2: Perform Gap Assessment

  • Compare current controls to 800-171 requirements
  • Document gaps and deficiencies
  • Prioritize based on risk

Step 3: Develop System Security Plan (SSP)

  • Document how each requirement is implemented
  • Describe the environment and boundary
  • List all controls and their implementation status

Step 4: Create Plan of Action & Milestones (POA&M)

  • Document all gaps requiring remediation
  • Set target completion dates
  • Assign responsibilities

Step 5: Implement Controls

  • Address gaps systematically
  • Deploy technical controls
  • Implement administrative controls
  • Train personnel

Step 6: Calculate SPRS Score

  • Confirm the SSP exists first; the DoD Assessment Methodology treats a missing SSP (3.12.4) as a bar to conducting the assessment at all
  • Score each of the 110 requirements as implemented or not, counting every open POA&M item as not implemented
  • Start from 110 and subtract the methodology's weight (1, 3, or 5 points) for each unimplemented requirement; only 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography) receive partial credit, and scores run from 110 down to -203
  • Submit the score, assessment date, and POA&M completion date to the Supplier Performance Risk System (SPRS)

Step 7: Maintain Compliance

  • Continuously monitor controls
  • Update documentation
  • Prepare for a CMMC Level 2 assessment, which covers the same 110 requirements
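Step 6 is the one step above with a fixed arithmetic behind it, so here is an added example, written for this page and not part of the original checklist or of SigmaSRC's tooling, that implements the DoD Assessment Methodology scoring rules in Python. The partial-credit rules for 3.5.3 and 3.13.11 and the "no SSP, no assessment" rule are the methodology's; the sample weight table and the sample status record are constructed placeholders covering only a handful of requirements, so a real score needs the full 110-entry weight table from the methodology in place of SAMPLE_WEIGHTS.

```python
from typing import Dict, List, Mapping, Tuple

MAX_SCORE = 110  # every one of the 110 requirements implemented

# Per-requirement status as recorded in the SSP. Anything still open on the
# POA&M stays NOT_IMPLEMENTED until it is closed out; NOT_APPLICABLE counts as
# met only when the SSP documents why the requirement does not apply.
IMPLEMENTED = "implemented"
NOT_APPLICABLE = "not_applicable"
PARTIAL = "partial"          # only defined for the two items in PARTIAL_CREDIT
NOT_IMPLEMENTED = "not_implemented"

# Partial-credit rules from the DoD Assessment Methodology: 3.5.3 (MFA in place
# for remote and privileged users but not general users) and 3.13.11
# (encryption in place but not FIPS-validated) lose 3 points instead of 5.
PARTIAL_CREDIT: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

# CONSTRUCTED sample weight table covering a handful of requirements. The
# methodology assigns each of the 110 requirements 1, 3 or 5 points (3.5.3 and
# 3.13.11 are genuinely 5-point items); the other weights here are illustrative
# placeholders and must be replaced with the official table for a real score.
SAMPLE_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users, processes, devices
    "3.1.8": 1,    # limit unsuccessful logon attempts
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.1": 5,   # identify, report and correct system flaws
}

# CONSTRUCTED status record for the same subset, as an SSP might summarize it.
SAMPLE_STATUS: Dict[str, str] = {
    "3.1.1": IMPLEMENTED,
    "3.1.8": NOT_IMPLEMENTED,   # open POA&M item
    "3.3.1": IMPLEMENTED,
    "3.5.3": PARTIAL,           # MFA on VPN and admin accounts, not yet on every user logon
    "3.12.4": IMPLEMENTED,      # SSP exists, so the assessment can be performed
    "3.13.11": PARTIAL,         # CUI is encrypted, but with a non-validated library
    "3.14.1": NOT_IMPLEMENTED,  # patching SLA not yet enforced
}


class MissingSSPError(ValueError):
    """3.12.4 (system security plan) absent: the methodology says no assessment can be conducted."""


def sprs_score(status: Mapping[str, str],
               weights: Mapping[str, int]) -> Tuple[int, List[Tuple[str, int]]]:
    """Return (score, deductions) for the requirements listed in `weights`.

    `deductions` is a list of (requirement, points lost) sorted by points lost,
    so it doubles as a remediation priority list for the POA&M. A requirement
    missing from `status` is treated as not implemented: undocumented means
    unproven. With the full 110-entry table the result ranges from 110 to -203.
    """
    if status.get("3.12.4") != IMPLEMENTED:
        raise MissingSSPError("3.12.4 not implemented: no SSP, so no assessment")
    deductions: List[Tuple[str, int]] = []
    for req, weight in weights.items():
        state = status.get(req, NOT_IMPLEMENTED)
        if state in (IMPLEMENTED, NOT_APPLICABLE):
            continue
        if state == PARTIAL:
            if req not in PARTIAL_CREDIT:
                raise ValueError(f"{req}: partial credit exists only for {sorted(PARTIAL_CREDIT)}")
            lost = PARTIAL_CREDIT[req]
        elif state == NOT_IMPLEMENTED:
            lost = weight
        else:
            raise ValueError(f"{req}: unknown status {state!r}")
        deductions.append((req, lost))
    # Biggest deductions first; ties broken by requirement id for a stable report.
    deductions.sort(key=lambda d: (-d[1], d[0]))
    return MAX_SCORE - sum(lost for _, lost in deductions), deductions


if __name__ == "__main__":
    score, todo = sprs_score(SAMPLE_STATUS, SAMPLE_WEIGHTS)
    print(f"SPRS score over the sample subset: {score}")
    for req, lost in todo:
        print(f"  fixing {req:<8} recovers {lost} point(s)")
```

Two design choices worth keeping when you adapt this: an unknown requirement defaults to not implemented rather than implemented, because the assessor will treat anything the SSP cannot evidence the same way, and a "partial" status on any requirement other than 3.5.3 or 3.13.11 is rejected outright, since the methodology has no partial credit anywhere else and a spreadsheet that silently allows it will overstate the score.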

Common Compliance Challenges

Challenge 1: Scoping CUI

Many organizations struggle to identify all locations where CUI is processed or stored.

Solution: Conduct thorough data flow mapping and involve all departments.

Challenge 2: Multi-Factor Authentication

The MFA requirement (3.5.3) covers local and network access to privileged accounts and network access to all other accounts, so it reaches the VPN, the cloud identity provider, remote desktop, and administrator logons at the console, not just a web portal.

Solution: Deploy an enterprise MFA solution that covers every access path (identity provider, VPN, remote desktop, and local OS logon via smart card or FIDO2 authenticators), and phase it in with privileged and remote users first: the DoD assessment methodology deducts 3 points instead of 5 when MFA protects remote and privileged users but not yet general users.

Challenge 3: Encryption Requirements

Requirement 3.13.11 calls for FIPS-validated cryptography wherever cryptography is used to protect the confidentiality of CUI. Many products ship with non-validated libraries or with FIPS mode switched off by default, and using FIPS-approved algorithms (AES, SHA-2) in a non-validated module does not satisfy the requirement.

Solution: Look up each module's certificate on the NIST CMVP validated modules list (FIPS 140-3 is the current standard; FIPS 140-2 certificates remain acceptable until CMVP moves them to the historical list), enable the platform's FIPS mode (Linux exposes the state in /proc/sys/crypto/fips_enabled; Windows uses the "System cryptography: Use FIPS compliant algorithms" security policy), and confirm each application actually calls the validated module rather than a bundled library of its own. Encryption that is in place but not validated earns only partial credit in the assessment methodology (3 points deducted instead of 5).

Challenge 4: Documentation

SSP and POA&M documentation is time-consuming but critical: without an SSP (3.12.4) the assessment cannot be conducted at all, and every item still open on the POA&M counts as not implemented in the score.

Solution: Use compliance automation platforms like SigmaSRC.


How SigmaSRC Helps

SigmaSRC streamlines NIST 800-171 compliance with:

  • Pre-Mapped Controls - All 110 requirements mapped and tracked
  • Gap Assessment - Automated gap identification
  • Continuous Monitoring - Real-time compliance status
  • SPRS Score Tracking - Monitor your score improvement
  • Evidence Collection - Automated audit evidence gathering
  • SSP Templates - Documentation support
