NIST SP 800-171 Services

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations


Executive Order 13556 -- Controlled Unclassified Information (CUI), Nov 4th, 2010:

Previously, different Government agencies had their own policies and procedures for how they would handle unclassified information that is to be withheld from public disclosure. Because of this, there were more than 100 different classifications to include For Official Use Only (FOUO), Sensitive but Unclassified (SBU), and many others.  Not only did this created inefficiency and confusion, it also led to a patchwork of system that failed to adequately safeguard information requiring protection, and unnecessarily restricted information sharing.  Executive Order 13556 addresses these problems by establishing a program for managing this information as well as emphasizing the openness and uniformity of Government-wide practice.

Executive Order 13556 further designated the National Archives and Records Administration (NARA) as the Executive Agent to implement the CUI program. NIST Special Publication 800-171 defines the security requirements for protecting CUI in non-federal information systems and organizations. The final document was published June 2015 and updated January 2016.

DFARS 252.204-7012 states that:

Contractors are directed to implement 800-171 standards “as soon as practical, but not later than December 31, 2017.” Also, the interim rule has revised DFARS 252.204-7008(c)(1) to include a statement that an offeror “represents that it will implement” the 800-171 security requirements not later than December 31, 2017.

There are 14 families of security requirements associated with the standard and they are derived from various NIST Publications to include:

  • FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
  • FIPS Publication 200 Minimum Security Requirements for Federal Information and Information Systems
  • NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
  • NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories


Understanding the process from determining what is CUI and where your systems store, display, process, or transmits this data to the final step of assessing your compliance requires an in-depth understanding of the NIST publications as well as the Assessment an Authorization (A&A) process.  For example, properly scoping your CUI requirements is critical to a successful and cost-effective NIST 800-171 assessment.  Navigating through these requirements and designing and implementing a system capable of being authorized under NIST 800-171 requires a company with years of experience in the A&A process as well as an in-depth understanding of NIST 800-171.

RPI Group works with our customers to provides technical assessment services to help them meet their NIST SP 800-171 requirements. From determining the extent of CUI on your systems, scoping requirements, controls mapping of various environments, documenting and developing a system security plan (SSP), to the assessment through security testing and POA&M management, RPI Group can do it all.  We will follow the same Risk Management Framework (RMF) approach that we have used for multiple DOD and civilian clients in the past.