NIST 800-171
NIST 800-171 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
Improving record keeping and data handling is critical to keeping the trust of partners, vendors, contractors, and customers. The importance is magnified when the federal government is involved, with the goal of creating a national culture of cybersecurity that protects the information of our businesses, citizens, and government.
What is NIST 800-171?
NIST 800-171 refers to National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. It is essentially a set of standards that define how to safeguard and distribute material deemed sensitive but not classified.
NIST 800-171 was developed after FISMA (Federal Information Security Management Act) was passed in 2003, resulting in several security standards and guidelines. It was created in part to improve cybersecurity, especially after numerous well-documented breaches in the last few years, including those at USPS (U.S. Postal Service) and NOAA (National Oceanic and Atmospheric Administration). The primary reason, according to the National Institute of Standards and Technology, is “a national imperative” to make sure unclassified information that isn’t part of federal information systems and organizations is properly and consistently protected. Doing so helps the federal government “successfully carry out its designated missions and business operations.”
For certain government agencies, most notably the DoD (Department of Defense), GSA (General Services Administration) and NASA (National Aeronautics and Space Administration), a revised set of rules for NIST compliance took effect on December 31, 2017, requiring anyone who works with CUI from those agencies to implement specific security measures for how they handle data and to report non-compliance to the agency's CIO. Under federal regulations, such as DFARS clause 252.204-7012, every affected company and agency is now required to assess and document their compliance in handling this information in more than a dozen areas, from the way their networks are configured, to the way any and all media is protected, to the way employees receive access to the NIST 800-171 standard.
Prior to these requirements, every agency had a unique set of rules for data handling, safeguarding and disposing of this material. These inconsistent standards posed a challenge – and a potential security concern – when information needed to be shared, especially when multiple contractors became part of the process.