What’s required to comply with NIST 800-171?

NIST 800-171 has 109 controls (14 control families) that impose requirements at the environmental, system, access, user, and logging/auditing levels. Some of these are summarized below.

See the NIST publication for complete information

This is an accordion element with a series of buttons that open and close related content panels.

Hosting Requirements

The hosting environment (physical space) in which the system is housed must:

  • Be secured (locks, cameras, card readers, guards) to ensure access only by authorized personnel.
  • House project components (hardware, software) in separate racks from other systems. Racks must be secured with locking mechanisms.

System Requirements

The system (hardware, software, data) must be logically or physically separated from other information systems and:

  • Be built from components with necessary security settings/configurations baselines to meet NIST 800-171 controls.
  • Include only required applications and keep unnecessary processes and ports disabled.
  • Be isolated from other campus information flows by firewalls and network segmentation.
  • Encrypt all data in transit and at rest using FIPS 140-1 and FIPS 140-2 encryption standards.
  • Include a test environment for analyzing impacts of changes; maintain regular patching timeframes.
  • Incorporate processes for documentation, inventory, change management, personnel authorization.
  • Collect log information documenting all user actions and user installed applications.
  • Integrate with log analysis and security information and event management tools to provide alerts and reports, report security incidents. It must store log data outside of the specific CUI system.  A designated individual must review and audit logs.
  • Include processes for incident reporting and remediation of vulnerabilities
  • Provide processes for maintenance, including authorization, escort and tool validation of third party personnel, and prioritize local maintenance processes over remote.

Access Requirements

User Requirements

Users of the system:

  • Must include only those individuals authorized by the Principal Investigator (PI) and currently working on the project.
  • Account for users no longer working on the project and must be removed within 48 hours of a user’s transfer or termination.
  • Must be provided accounts with the least privileges necessary to conduct their work or Research.
  • Must use university-managed computers/devices to access the system.
  • Should avoid using portable storage devices or third party services for project data.
  • Must complete annual university-sponsored security training.
  • Only a single individual (such as the PI) can post public information about the project if authorized by the contract.

Logging/Auditing & Documentation Requirements

Logging/auditing and documentation of the system and users/personnel must be carried out. This includes maintaining:

  • Records of authorized users/privileges maintained by the Office of Cybersecurity and reviewed with the project PI annually.
  • Records of applications installed on the system and user workstations and devices, and authorized users of portable media.
  • Records of access to system components and environment by authorized personnel and devices (keys, keycards, etc.) issued to personnel for access to the system/environment.
  • Regular security and risk management assessments, vulnerability scanning, and risk remediation planning in concert with the Office of Cybersecurity.
  • Complete and up-to-date description of system assets, network connections, and controls
    Records of cryptographic key creation, distribution, and management.