top of page

An Overview of NIST 800-171 Controls Implementation



Installing the controls to get in compliance with NIST 800-171 is proving to the government that you can protect its controlled unclassified information (CUI).


» LEARN MORE: Here's All You Need To Know About NIST 800-171 Compliance Requirements (+ Next Steps)


That means your company qualifies for its share of the $445 billion that the government awards annually in contracts. Here are some pointers to guide you through NIST 800-171 controls implementation:

  • Do an assessment of your current environment and involve your employees

  • Identify where CUI is currently residing on your networks.

  • Break down your company’s data into two categories; 1) data that qualifies as CUI, and; 2) data that doesn’t fall under that category.

  • Implement the NIST 800-171 controls to secure and encrypt your company’s CUI

  • Train your employees on how to use and transfer CUI in a manner consistent with the NIST 800-171 controls.

  • Continue monitoring who is accessing your company’s CUI and for what purpose. You need to demonstrate your ability to track how your users access information.

  • Quarterly and annual security assessments need to be done for the purpose of fleshing out the potential for non-compliance risks.

The government is confronted with adversaries that bring their ‘A-game’ in cyberattacks 7 days a week. By properly implementing NIST 800-171 controls, you assure them of your ability to minimize the damage, proving not only that you can protect the government's CUI, but also elevating your company to a very competitive position.


Going Through Self-Assessment & Employee Awareness

First, you will prove NIST 800-171 compliance through a self-assessment.


The operational aspects of implementing these controls always begins with a thorough assessment of where your company currently stands in comparison to the requirements that organizations need to meet in order to achieve compliance.


You can go through these efforts with the NIST 800-171 self-assessment guide we recently created to help small companies navigate this complex landscape.


There are 14 control families, consisting of over 100 individual control measures that you will need to consider. Involve your employees and spread awareness of the project.


There is leverage to gain from an informed workforce that “buys in” and understands the company-wide benefits of establishing NIST 800-171 compliance, including how employees can gain personally if their employer is bringing in more revenue.


Locating Controlled Unclassified Information (CUI)

Find out where and what kind of data you store and transfer, with a focus on identifying what would be considered CUI.


This is achieved by assembling an assessment team that designs and implements an action plan, laying out the timeframes and objectives of the assessment.


The objectives of your assessment should be to identify where CUI exists on your network with a special emphasis on security at each data intersection point (transfer of CUI via email, etc.). Remember, CUI can exist anywhere.


The role of your assessment team is determining where potential vulnerabilities exist and what security gaps need to be closed. Consider your portable drives (USB), local storage solutions, and how your company uses cloud-based computing.


Categorizing & Protecting CUI

Once your team has finished listing networks & documented potential vulnerabilities, you want to determine what data constitutes Controlled Unclassified Information (CUI).


The most prudent companies apply measures to keep all their data secured, but you should consider streamlining the implementation of NIST 800-171 requirements by applying those controls to your most sensitive data first.


This is to determine what CUI strictly is so that you can focus your time, money, and efforts on protecting CUI data above other types of less sensitive data.


Controls Implementation & Documentation

Now that your team has a clear, documented understanding of your IT systems and has identified what data constitutes CUI, you can begin implementing the NIST controls.


“Access Controls” is the 1st of 14 control families and it deals with accessibility to networks, systems and the information that resides on it.


There are 22 different control requirements within this family, all in place to ensure only authorized users can access CUI at your company.


Personnel should be assigned control implementation tasks based on their professions such as system administrators and IT security professionals.


Perhaps the most significant part of your implementation strategy, you will first do an assessment of all individual NIST 800-171 controls and have a documented response to each control. If it hasn’t been done already, the application of certain data encryption measures will occur during this stage of the implementation.


Encrypting all company data should be a historical, routine practice for your company.

Achieving as much will more closely align your company to key NIST standards that mandate CUI is protected by such encryption.


Be especially prudent in the encryption of data (CUI or otherwise) that may be considered “loose,” meaning CUI stored on hard drives that can be easily transferred.


Certain applied control measures at this stage ensure the prevention of unauthorized users from accessing CUI data.


A major component of compliance is the concept of file sharing.


The IT professional(s) at your company should consider file sharing solutions that are closely aligned to the NIST 800-171 compliance controls that call for applying restrictions on file-sharing resources. This ensures that appropriate access is given only to those employees qualified to export, edit, and/or delete CUI data.


Lastly, a Plan of Actions and Milestones (POAM) should be authored and kept meticulously updated detailing how any unmet requirements will be achieved.


This is an important resource that should be updated as your company addresses areas of non-compliance and as your cybersecurity practices evolve.


All of your company’s efforts in implementing these controls can be documented in a System Security Plan (SSP).


Your company’s SSP is drafted so your company has documented proof of how security requirements and controls are implemented at your company.


Employee Training

To ensure an ROI on your investment, you need an engaged and educated workforce that’s properly trained on how to correctly handle and transfer CUI.


“Awareness and Training” is 2nd in the list of control families.


It mandates that employees must be familiar with your company’s security policies and basic cybersecurity practices so they’re able to recognize threats.


So why is this one of the more problematic controls to uphold?


NIST controls mandate the training of employees on how to properly handle CUI not just upon being hired; they also mandate periodic “refresher” training sessions for your employees so that they can remain knowledgeable when it comes to handling and sharing CUI in a manner that keeps your company in compliance.


You may find difficulty engaging your employees in such a “boring” topic, and there is always the obstacle of proving that it is in fact related to their jobs. You have the size of your workforce to consider as well as their level of technical proficiency when you set out to train them. Make sure to communicate the importance of training throughout.