NIST SP 800-171 Deadline at End of 2017 – Is Your Organization Ready?

The National Institute of Standards and Technology (NIST) has released Special Publication 800-171. The document covers the protection of Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations.

The document was designed to provide guidance on ensuring that all systems that process, store, or transmit CUI information are secured and hardened. Compliance to the 800-171 standard is enforced by a set of technical policies. NIST SP800-171 outlines those policies. A deadline to comply or to report delays in compliance has been set for December 31, 2017.


Executive Order 13556 (11/10/2010) designated the National Archives and Records Administration (NARA) as the Executive Agent to implement the CUI program, for which the Information Security Oversight Office (ISOO) of the National Archives and Records Administration is responsible. In April of 2013, ISSO issued a memorandum to government agency leads on the management of the CUI program.

In September 2016, ISOO released notice 2016-01 outlining the implementation guidance for CUI, and a later notice 2017-01 was issued in June of 2017 with recommendations for implementation of the CUI program. Below are excerpts of that notice (2017-01).

A bit of background

“The Information Security Oversight Office (ISOO) exercises Executive Agent responsibilities for the CUI Program. In consultation with the Office of Management and Budget and affected agencies, on September 14, 2016, ISOO issued CUI Notice 2016-01, ‘Implementation Guidance for the Controlled Unclassified Information Program.’ CUI Notice 2016-01 outlines the phased implementation deadlines for agencies and describes the significant elements of a CUI Program.”

Program management

“ISOO’s memorandum to the heads of executive departments and agencies, “Appointments of Senior Agency Official and Program Manager for the Controlled Unclassified Information (CUI) Program Implementation,” dated April 11, 2013, requested that agencies affirm or update their initial designations of their CUI Senior Agency Official (SAO) and also requested that they assign a CUI Program Manager (PM).”


Anyone (individual or business/contractor) who processes, stores, or transmits information (that falls into one of many CUI categories) for or with federal or state agencies is impacted. This includes all governmental contractual relationships.

A list of categories of CUI information has been made available by NARA here.


There are 14 categories of security requirements that must be met. Each category has a unique set of policy tests in which affected programs must meet.

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Physical Protection
  10. Personnel Security
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

For a complete list of policy tests included under each of the 14 categories, please refer to the NIST SP800-171 web page:

To find out more about NIST SP 800-171, join me, David Henderson, and federal security and compliance expert Sean Sherman for a webinar on July 27th to learn:

  • What the regulation means for you
  • How this standard is enforced though FAR and DFAR
  • How Tripwire’s security solutions map to the new 800-171 control families
  • How to use Tripwire to prove and maintain compliance with this new standard

You can register for the webcast here.

Whilst you wait, you can learn more about how Tripwire solutions can help you meet the requirements NIST 800-171 here.

Or you can view the current list of 800 policy/platform combinations that are available to help you continuously monitor, assess and harden your systems here.


via:  tripwire

Save pagePDF pageEmail pagePrint page

Leave a Reply

Your email address will not be published. Required fields are marked *