Welcome back! We hope our Basic Guide to NIST 800-171 helped you understand what NIST 800-171 is, how it came about and why it is required.

In a bid to safeguard your organization from unwarranted cyberattacks and security breaches, it is important for you to be NIST SP 800-171 compliant. All organizations that store and process unclassified and sensitive US government information need to be compliant with this set of security guidelines. When the cybersecurity requirements for contractors who manage and deal with sensitive government details are specified, it establishes the security of the entire federal supply chain. Implementing this set of guidelines, however, often leaves organizations with many questions. Here are a few questions surrounding NIST SP 800-171 that we’ve addressed.


This framework right now is directed at those in the DIB who are servicing the DOD.  They can be providers of all types including healthcare providers but its intent was to limit cyber attacks of companies who are servicing the defense department. In order to function smoothly, US government departments depend on various service providers and external organizations. One of the most important functions of these service providers involves storing and processing sensitive information on the IT networks of various contractors. These external organizations that manage and send Controlled Unclassified Information (CUI) on behalf of the US government have to follow NIST 800-171 in order to ensure sensitive information does not get leaked or fall prey to cybercriminals. Healthcare data processors, defence contractors and organizations that offer financial services make up a part of the organizations that deal with sensitive data.

System integrators, web and communication service providers, laboratories as well as research institutes that obtain federal grants and information also need to comply with NIST 800-171. Universities and colleges that make use of federal data are institutions that also need to adhere to these guidelines. Providers of all types including healthcare providers are also required to comply, but its intent was to limit cyber attacks of companies who are servicing the defense department.


Your organization has to follow a self-assessment process to be NIST 800-171 compliant. To obtain compliance, there are 110 controls and requirements. This can seem like a tedious task to complete but when you know what is required for the NIST 800-171 self-assessment, proceedings become easy.

First, you need to obtain insight from senior information security stakeholders and put together an assessment team. The team needs to structure an assessment plan specifying aims and a timeframe. You then have to focus on starting an internal communication campaign to create awareness about the project. Once awareness is created, make a contact list of personnel and the responsibilities they successfully accomplish. This includes information security specialists and system administrators.

Once you make a contact list, gather the required documents needed. This encompasses system records and manuals, admin guidance documents, the security policies that currently exist, previous audit logs and results as well as system architecture documents. Examine individual controls and requirements in the NIST 800-171 document. After completing the assessment, record a statement for each of the requirements. Put together a plan of action showcasing the manner in which the pending requirements are going to be achieved. Lastly, put all of the evidence for compliance into a System Security Plan (SSP) document.


The first step involves finding and recognizing the systems that collect or transfer CUI. You can find CUI stored in cloud storage solutions, local storage solutions, portable hard drives or devices and Endpoints. The next step involves sorting CUI into categories. It is wise to divide your CUI into two categories. This involves data that falls under controlled unclassified information and data that does not. Categorizing makes protecting your most sensitive data a priority so, in case of an audit, you can show that you have safeguarded CUI.

The next step involves implementing the required controls to encrypt files that are in transit as well as not in transit. This makes it easier to line up with NIST 800-171 requirements which in turn, safeguards CUI and ensures attackers and unauthorized users are kept away. Following this, training your employees to utilize, store and share CUI in a manner that aligns with the required standards is essential. Make sure you are also keeping a watch on who is accessing your data and systems and what is their aim for doing so. Once implementation is complete, carry out an assessment that helps you understand the effectiveness of your security. When you complete this assessment, you obtain a better understanding of your existing procedures and whether you are safeguarding your files in a desirable manner or not. You can explore SureShield’s ComplyShield for a more comprehensive solution to minimize financial risk and address compliance issues. For more information and the latest updates on cybersecurity, follow us on Twitter and Linkedin.


While setting up and running a successful business involves paying attention to the needs of your customer and offering them quality service, there is another element that you need to pay attention to – compliance! This involves meeting current data security regulations. In a healthcare setup, for instance, the hospital needs to be compliant with Health Insurance Portability and Accountability Act (HIPAA) software. Since healthcare is a highly regulated industry, it needs protection from powerful cyber attacks that are taking place more frequently. If you take a look at healthcare data breach statistics, around 2,550 healthcare data breaches have put over 189 million healthcare records in danger in the last decade.

While security regulations continue to work towards addressing data security threats, one thing is certain. All businesses need to fulfil at least basic security standards. With this view in mind, the National Institute of Standards and Technology (NIST) enforced the NIST 800-171. It is also referred to as NIST SP 800-171.

Here is a basic guide to better understand NIST 800-171.

WHAT IS NIST 800-171?

NIST 800-171 is a set of government regulations that work to make certain the confidentiality and safety of controlled unclassified information (CUI) is protected. CUI refers to any controlled unclassified US government data that is sensitive. In other words, it is a set of data security guidelines letting organizations know how they can safely access, transmit and store CUI in nonfederal information systems and organizations. This information usually consists of product patents and financial details and is shared with government contractors, subcontractors and government agencies.


The baseline version of NIST SP 800-171 was initially published in June 2015. The set of guidelines was written by NIST, the National Archives and Records Administration (NARA), Department of Defense (DoD) and other federal agencies after careful deliberation and years of effort. It has been updated over the years and revised a few times as per the growing cyber threats and risks that came into existence. The deadline for companies to be NIST 800-171 compliant was December 31, 2017. Even so, a majority of companies missed the deadline while some matched up to only a few of the compliance requirements.


The security controls over CUI are fewer especially when it is compared to classified information. As a result of this, carrying out data breaches by taking the route of Controlled Unclassified Information (CUI) becomes easier. This is why companies and organizations that are compliant with NIST 800-171 are a frequent target for cyberattacks. Since the loss of aggregated CUI is one of the most vital risks to national security, the healthcare and finance sector needs to be NIST 800-171 compliant.

Besides this, if your organization is noncompliant with NIST 800-171 and a data breach does take place, you are liable for serious non-compliance fines. These fines can cost you millions of dollars. You can also face undesirable consequences if you work with a subcontractor who does not comply with NIST regulations. So taking the required measures to be compliant ensures you are not subjected to extravagant fines and also do not fall victim to attacks.


If you or a company that you are a part of has a contract with a federal agency, you need to comply with NIST 800-171. This allows your organization to take advantage of some of the most secure methods for storing as well as sharing information (CUI). The process to become compliant with the standards of NIST 800-171 can usually take around 6-8 months to implement so it is essential to get started today to safeguard your business from data breaches and cyberattacks of any kind.

While being NIST 800-171 compliant gives you the satisfaction that the infrastructure of your organization is secure, it does not completely guarantee that your data is safe. NIST guidelines start by informing companies to inventory their cyber assets with the help of a value-based approach. With this approach, they can pay attention to data that is most sensitive to you and program protection efforts by emphasizing this data.

We hope this guide to NIST 800-171 helped you understand the basics of what it entails. We have also answered some  frequently asked questions about NIST 800-171 in our next blog post. If you have any questions, we’d be happy to help. Tweet to us or send us a message on Linkedin, or email us at