What are NIST 800 171 controls?
NIST SP800-171 or just 800-171 is a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI) or provide security protection for such systems. This document is based on the Federal Information Security Management Act of 2002 (FISMA) Moderate level requirements. The exact requirements for NIST SP 800-171 revision 2 can be found at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf Show
NIST SP 800-171 compliance is currently required by some Department of Defense contracts via DFARS clause 252.204-7012. The Office of Sponsored Programs is responsible for research contracts and will work with contracting officers to ensure that NIST 800-171 requirements are applicable. When NIST 800-171 requirements are applicable, it is advisable to consult NREC and/or PSC, both of which are capable of supporting this type of research. The DoD has announced the Cybersecurity Maturity Model Certification (CMMC) program, which is related to NIST SP800-171, but contains 3 different levels, has additional controls, and requires showing a maturity level. The Information Security Office is available to assist if you have questions about NIST 800-171, CMMC, CUI, or general data protection requirements. Our System Security Plan Templates can be used/modified without any warranties or guarantees. Revision History
Skip to main content This browser is no longer supported. Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. NIST SP 800-171
In this articleAbout NIST SP 800-171The US National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect the information and information systems of federal agencies. In response to Executive Order 13556 on managing controlled unclassified information (CUI), it published NIST SP 800-171, Protecting Controlled Unclassified Information In Nonfederal Information Systems and Organizations. CUI is defined as information, both digital and physical, created by a government (or an entity on its behalf) that, while not classified, is still sensitive and requires protection. NIST SP 800-171 was originally published in June 2015 and has been updated several times since then in response to evolving cyberthreats. It provides guidelines on how CUI should be securely accessed, transmitted, and stored in nonfederal information systems and organizations; its requirements fall into four main categories:
Microsoft and NIST SP 800-171Accredited third-party assessment organizations, Kratos Secureinfo and Coalfire, partnered with Microsoft to attest that its in-scope cloud services meet the criteria in NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations, when they process CUI. The Microsoft implementation of FedRAMP requirements help ensure Microsoft in-scope cloud services meet or exceed the requirements of NIST SP 800-171 using the systems and practices already in place. NIST SP 800-171 requirements are a subset of NIST SP 800-53, the standard that FedRAMP uses. Appendix D of NIST SP 800-171 provides a direct mapping of its CUI security requirements to the relevant security controls in NIST SP 800-53, for which the in-scope cloud services have already been assessed and authorized under the FedRAMP program. Any entity that processes or stores US government CUI — research institutions, consulting companies, manufacturing contractors, must comply with the stringent requirements of NIST SP 800-171. This attestation means Microsoft in-scope cloud services can accommodate customers looking to deploy CUI workloads with the assurance that Microsoft is in full compliance. For example, all DoD contractors who process, store, or transmit 'covered defense information' using in-scope Microsoft cloud services in their information systems meet the US Department of Defense DFARS clauses that require compliance with the security requirements of NIST SP 800-171. Microsoft in-scope cloud platforms & services
Azure, Dynamics 365, and NIST SP 800-171For more information about Azure, Dynamics 365, and other online services compliance, see the Azure NIST SP 800-171 offering. Office 365 and NIST SP 800-171Office 365 environmentsMicrosoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area. This section covers the following Office 365 environments:
Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article. Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization. Office 365 applicability and in-scope servicesUse the following table to determine applicability for your Office 365 services and subscription:
Frequently asked questionsCan I use Microsoft compliance with NIST SP 800-171 for my organization? Yes. Microsoft customers may use the audited controls described in the reports from independent third-party assessment organizations (3PAO) on FedRAMP standards as part of their own FedRAMP and NIST risk analysis and qualification efforts. These reports attest to the effectiveness of the controls Microsoft has implemented in its in-scope cloud services. Customers are responsible for ensuring that their CUI workloads comply with NIST SP 800-171 guidelines. Use Microsoft Purview Compliance Manager to assess your riskMicrosoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager. Resources
FeedbackSubmit and view feedback for How many controls are there in NIST 171?The 110 NIST 800-171 security controls are divided into 14 control families. Controls are mapped to appropriate university policies, standards or other documents where possible.
What is NIST SP 800NIST SP 800-171 is a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI).
What are the NIST security controls?NIST controls are generally used to enhance the cybersecurity framework, risk posture, information protection, and security standards of organizations. While NIST 800-53 is mandatory for federal agencies, commercial entities have a choice in leveraging the risk management framework in their security program.
How many controls are there in NIST 800?NIST 800-53 has 20 families of controls comprised of over 1,000 separate controls. Each family is related to a specific topic, such as access control.
|