
Introducing NIST 800-171

Cutting-edge technology and highly trained team members protect the US government’s classified data. But what about unclassified data? A distinction that seems clear at first glance becomes blurry when you start to consider information that isn’t technically classified but shouldn’t be shared publicly either.

Take, for example, the travel schedules of government officials, or military health records. While not technically classified, we don’t want this information to fall into the wrong hands. So in 2016, the US Federal Government categorized this sensitive and proprietary information as Controlled Unclassified Information (CUI).

CUI is defined as “government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies.” And along with this classification, the National Institute of Standards and Technology (NIST) published Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Or NIST 800-171 for short.

Government agencies have teams dedicated to keeping their systems and CUI secure. But there are approximately 3.7 million contract workers who may be using different technology or have varying levels of training, and contractors often have minimal security budgets and focus. NIST 800-171 applies to all of these contractors. This helps the US Federal Government ensure that the level of security it requires within its own organizations extends to contractors.

Announced in 2017, NIST 800-171 was a self-assessment that the government expected its contractors (such as those working with the Department of Defense, General Services Administration or NASA) to comply with willingly. However, in 2019 it announced mass audits coming in 18 months, citing a lack of compliance. Today, NIST 800-171 does not require an audit or assessment, but the Defense Contract Management Agency can audit companies at any time. Failure to demonstrate compliance can result in the loss of existing contracts, the withholding of future contracts and removal from the Approved Vendors list.

Many of our customers already use Tugboat Logic to comply with NIST CSF and CMMC. And now we can support them in their NIST 800-171 compliance. Like our other Tugboat Logic frameworks, all of our policies suit the needs of NIST 800-171 and come with an entire library of editable controls for your framework. Those controls correspond with your evidence tasks, and any relevant evidence already included in your InfoSec program will automatically apply to your NIST 800-171 framework. There’s no need to duplicate any work. And, to save you even more time, we integrate with your entire tech stack to automatically pull the evidence you need to get and stay compliant.

Our frameworks are all built by Tugboat Labs, our in-house team of experts. Made up of former Big Four auditors, the Labs team has over 100 years of combined experience conducting audits. Rest assured, our frameworks are built by industry experts and fine-tuned based on feedback from customers and our network of trusted audit partners. If you run into any questions along the way, our customer success team is also packed with experts who are here to help!

NIST 800-171 is available to Enterprise customers. To learn more, request a demo or reach out to your account manager.