Protecting Controlled Unclassified Information

The federal government, much like many civilian sector businesses, relies heavily on digital record keeping and file storage. For this reason, cybersecurity and the protection of sensitive data stored on government servers and hardware is paramount. Because of the involvement of the federal government, the importance of cybersecurity is greatly amplified. In order to safeguard Controlled Unclassified Information (CUI), the National Institute of Standards and Technology (NIST) developed Special Publication 800-171. The goal of NIST is “creating a national culture of cybersecurity that protects the information of our businesses, citizens, and government.”

There are 14 categories and dozens of requirements that NIST SP 800-171 outlines, all of which fall into two broad categories: administrative and technical. On a high-level overview, administrative requirements instruct contractors and individuals that handle CUI must review/read reports and procedures, and report any and all vulnerabilities or incidents. In addition, audited events must be reviewed on an annual basis. Technical requirements include, but are not limited to monitoring data, preventing a breach of security, warning an organization of potential threats, reports being generated, limiting access, and implementing rigorous digital security.

The 14 categories of NIST SP 800-171:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Physical Protection
  10. Personnel Security
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

Since the original publication in 2015, the NIST SP 800-171 guidelines have been revised several times. In June 2019, NIST released draft updates to NIST SP 800-171 which include Revision 2 and a new draft NIST SP 800-171B which will “supplement NIST SP 800-171 to provide ‘Enhanced Security Requirements for Critical Programs and High Value Assets.’”

The draft of Revision 2 does not make any changes to the security requirements, but serves to increase usability as the Discussion section was moved from Appendix F to “Chapter Three to coincide with the basic and derived security requirements.” Draft NIST SP 800-171B is a supplemental document that provides additional guidelines for the protection of Controlled Unclassified Information (CUI) that is stored in a system that may have a “higher-than-usual risk of exposure.” An all too common occurrence in recent years has been an increase of the sophistication of cyber-attacks. High value assets (HVA) and critical programs that contain CUI have become a target for hackers, creating an advanced persistent threat (APT). The continued barrage of cyberattacks on HVAs and critical programs in recent years led to the Department of Defense requesting additional guidance from NIST. “The enhanced security requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is contained in a critical program or HVA.”

As adversaries and cyber-attacks continue to increase in sophistication, it is imperative that the federal government continue to increase cybersecurity and that regulations currently in place continue to evolve. It is essential that contractors maintain compliance with NIST SP 800-171 to ensure that all Controlled Unclassified Information remain secure.

Ebner, S.W. NIST Updates SP 800-171 To Enhance DoD Contractor Security Against Cyber Attack. [Online]. Available at: Accessed: (5 September 2019)
Brook, C. What is NIST SP 800-171? [Online]. Available at: Accessed: (5 September 2019)
Kozloski, M. Everything You Need to Know About NIST 800-171. [Online]. Available at: Accessed: (5 September 2019)
Protecting Controlled Unclassified Information: Comment on Draft SP 800-171 Rev. 2 and Draft NIST SP 800-171B. [Online]. Available at: Accessed: (5 September 2019)

Leave a comment




Copyright 2023 Anglicotech Pacific   |   All Rights Reserved