An Overview of NIST 800-171 Controls Implementation

NIST 800-171/CMMC


Installing the controls to get in compliance with NIST 800-171 is proving to the government that you can protect its controlled unclassified information (CUI).

» LEARN MORE: Here's All You Need To Know About NIST 800-171 Compliance Requirements (+ Next Steps)

That means your company qualifies for its share of the $445 billion that the government awards annually in contracts. Here are some pointers to guide you through NIST 800-171 controls implementation:

  • Do an assessment of your current environment and involve your employees
  • Identify where CUI is currently residing on your networks.
  • Break down your company’s data into two categories; 1) data that qualifies as CUI, and; 2) data that doesn’t fall under that category.
  • Implement the NIST 800-171 controls to secure and encrypt your company’s CUI
  • Train your employees on how to use and transfer CUI in a manner consistent with the NIST 800-171 controls.
  • Continue monitoring who is accessing your company’s CUI and for what purpose. You need to demonstrate your ability to track how your users access information.
  • Quarterly and annual security assessments need to be done for the purpose of fleshing out the potential for non-compliance risks.

The government is confronted with adversaries that bring their ‘A-game’ in cyberattacks 7 days a week. By properly implementing NIST 800-171 controls, you assure them of your ability to minimize the damage, proving not only that you can protect the government's CUI, but also elevating your company to a very competitive position.

Going Through Self-Assessment & Employee Awareness

First, you will prove NIST 800-171 compliance through a self-assessment.

The operational aspects of implementing these controls always begins with a thorough assessment of where your company currently stands in comparison to the requirements that organizations need to meet in order to achieve compliance.

You can go through these efforts with the NIST 800-171 self-assessment guide we recently created to help small companies navigate this complex landscape.

There are 14 control families, consisting of over 100 individual control measures that you will need to consider. Involve your employees and spread awareness of the project.

There is leverage to gain from an informed workforce that “buys in” and understands the company-wide benefits of establishing NIST 800-171 compliance, including how employees can gain personally if their employer is bringing in more revenue.

Locating Controlled Unclassified Information (CUI)

Find out where and what kind of data you store and transfer, with a focus on identifying what would be considered CUI.

This is achieved by assembling an assessment team that designs and implements an action plan, laying out the timeframes and objectives of the assessment.

The objectives of your assessment should be to identify where CUI exists on your network with a special emphasis on security at each data intersection point (transfer of CUI via email, etc.). Remember, CUI can exist anywhere.

The role of your assessment team is determining where potential vulnerabilities exist and what security gaps need to be closed. Consider your portable drives (USB), local storage solutions, and how your company uses cloud-based computing.

Categorizing & Protecting CUI

Once your team has finished listing networks & documented potential vulnerabilities, you want to determine what data constitutes Controlled Unclassified Information (CUI).

The most prudent companies apply measures to keep all their data secured, but you should consider streamlining the implementation of NIST 800-171 requirements by applying those controls to your most sensitive data first.

This is to determine what CUI strictly is so that you can focus your time, money, and efforts on protecting CUI data above other types of less sensitive data.

Controls Implementation & Documentation

Now that your team has a clear, documented understanding of your IT systems and has identified what data constitutes CUI, you can begin implementing the NIST controls.

“Access Controls” is the 1st of 14 control families and it deals with accessibility to networks, systems and the information that resides on it.

There are 22 different control requirements within this family, all in place to ensure only authorized users can access CUI at your company.

Personnel should be assigned control implementation tasks based on their professions such as system administrators and IT security professionals.

Perhaps the most significant part of your implementation strategy, you will first do an assessment of all individual NIST 800-171 controls and have a documented response to each control. If it hasn’t been done already, the application of certain data encryption measures will occur during this stage of the implementation.

Encrypting all company data should be a historical, routine practice for your company.

Achieving as much will more closely align your company to key NIST standards that mandate CUI is protected by such encryption.

Be especially prudent in the encryption of data (CUI or otherwise) that may be considered “loose,” meaning CUI stored on hard drives that can be easily transferred.

Certain applied control measures at this stage ensure the prevention of unauthorized users from accessing CUI data.

A major component of compliance is the concept of file sharing.

The IT professional(s) at your company should consider file sharing solutions that are closely aligned to the NIST 800-171 compliance controls that call for applying restrictions on file-sharing resources. This ensures that appropriate access is given only to those employees qualified to export, edit, and/or delete CUI data.

Lastly, a Plan of Actions and Milestones (POAM) should be authored and kept meticulously updated detailing how any unmet requirements will be achieved.

This is an important resource that should be updated as your company addresses areas of non-compliance and as your cybersecurity practices evolve.

All of your company’s efforts in implementing these controls can be documented in a System Security Plan (SSP).

Your company’s SSP is drafted so your company has documented proof of how security requirements and controls are implemented at your company.

Employee Training

To ensure an ROI on your investment, you need an engaged and educated workforce that’s properly trained on how to correctly handle and transfer CUI.

“Awareness and Training” is 2nd in the list of control families.

It mandates that employees must be familiar with your company’s security policies and basic cybersecurity practices so they’re able to recognize threats.

So why is this one of the more problematic controls to uphold?

NIST controls mandate the training of employees on how to properly handle CUI not just upon being hired; they also mandate periodic “refresher” training sessions for your employees so that they can remain knowledgeable when it comes to handling and sharing CUI in a manner that keeps your company in compliance.

You may find difficulty engaging your employees in such a “boring” topic, and there is always the obstacle of proving that it is in fact related to their jobs. You have the size of your workforce to consider as well as their level of technical proficiency when you set out to train them. Make sure to communicate the importance of training throughout.

Auditing & Reporting

Implementing controls and a properly trained workforce is only a foundation for compliance, albeit a very solid one. Once the pieces are in place and your employees know the best practices, implement the proper means of monitoring who is accessing the CUI at your company and what they are accessing it for.

The 3rd family of controls is “Audit and Accountability”: 9 requirements that focus on reliable auditing procedures for uncovering and mitigating cybersecurity breaches.

Take steps to ensure that each action your employees take when accessing or sharing data is recorded and immediately accessible. It is important to be able to track the actions back to the individual users. Assign responsibilities to your system administrators that verify the appropriate oversight of your employee activities.

Quarterly & Annual Assessments

As your company becomes more successful, it is likely that new employees will join, and new software solutions and other IT infrastructure will become integrated.

A component of your compliance strategy should be to administer annual and quarterly assessments of your systems to ensure your current controls continue to protect your CUI as they were intended. Before implementing a cloud-based software solution, evaluate the data and who will need access to this solution. Finally, determine how the new system will impact your current data security controls.


Implementing over 100+ controls from the 14 different control families can sound like a major undertaking, for any company. For a business looking to achieve compliance for the first time, even after considering the implementation strategy outlined above, compliance may still seem an insurmountable task.

Because of that, investing in the services of an experienced consultant that knows the ins-and-outs of these controls can be enormously resourceful.

A consultant can be particularly useful in the elimination of unnecessary, time-consuming steps trying to install controls that you may already have in place.

Having a partner like Encompass Consultants offers a way to simplify the compliance process and get access to the tools that rapidly identify vulnerabilities at your company.

See how we help companies comply with NIST 800-171 below.

Originally published Jun 25 2021

Frequently asked questions

Does NIST 800-171 require encryption at rest?

Data At Rest (DAR) encryption is required for all mobile devices that warehouse or hold CUI. NIST SP 800-171 compliance does not require DAR encryption for desktops or servers. Desktops and servers fall within the security of the physical boundary of your company, which will have other controls and protections in place.

How do you prove NIST compliance?

First, conduct a self-assessment against all the NIST 800-171 controls, and develop a system security plan (SSP) describing how those controls are being met. Second, write an action plan for implementing any non-implemented security controls.

Learn More From an  Expert

Get In Touch

Related Articles