Breaking Down NIST 800-171 Controls: The Full List of Security Requirements

Payal Wadhwa

Mar 26, 2025

As long as small and mid-sized businesses can demonstrate robust security measures, the U.S. Department of Defense is more than willing to outsource innovation, ideas, and services to them. You don’t need to be a large enterprise to win federal contracts—what matters is proving that you can effectively safeguard sensitive government information from potential threats. This is precisely where NIST 800-171 controls come into play, providing the necessary safeguards to establish a strong cybersecurity posture.

If you’re looking for guidance, we’ve got you covered. This blog breaks down the key NIST 800-171 control families and what they mean for your organization.

TL;DR
  • NIST 800-171 controls are designed to protect Controlled Unclassified Information (CUI) in non-federal systems, particularly for contractors working with the U.S. Department of Defense
  • A set of 110 security controls across 14 families cover essential cybersecurity aspects such as access control, audit logging, identification and authentication, incident response, and physical protection to prevent unauthorized access, data breaches, and cyber threats
  • Compliance with NIST 800-171 is crucial for winning DoD contracts, as it demonstrates an organization’s ability to secure sensitive government data and mitigate security risks effectively

What are NIST 800 171 controls?

NIST 800 171 controls are security requirements for contractors and subcontractors working with the U.S. Department of Defense (DoD) to protect Controlled Unclassified Information (CUI). Established by the National Institute of Standards and Technology (NIST), these controls aim to protect sensitive government information in non-federal systems and organizations against cyber threats.

List of NIST 800 171 controls

NIST 800 171 has 14 control families with a total of 110 controls. Each control family focuses on a set of standard security requirements that help you protect sensitive information.

Let’s have a look at the list of NIST 800 171 controls:

1. Access Control (AC)

Access control is foundational to cybersecurity, so this control family ensures that only authorized users and devices can access Controlled Unclassified Information (CUI). It emphasizes least privilege, granting each user only the minimum permissions their job function requires, and it governs session controls, remote access, and the sharing of CUI.
The goal is to minimize the risk of unauthorized access, insider threats, and data breaches.

Control family: Access control, Number of controls: 22

3.1.1 Limit system access to authorized users
3.1.2 Limit system access to authorized transactions and functions
3.1.3 Control the flow of CUI as per authorizations
3.1.4 Practice segregation of duties to minimize conflict of interest
3.1.5 Enforce the principle of least privilege
3.1.6 Use non-privileged accounts to access non-security functions
3.1.7 Prevent non-privileged accounts from executing privileged functions and capture such attempts in audit logs
3.1.8 Limit unsuccessful login attempts
3.1.9 Provide privacy and security notices as per CUI rules
3.1.10 Use session lock with hidden display to protect data after inactivity
3.1.11 Automatically terminate user sessions after defined conditions
3.1.12 Monitor and control remote access sessions
3.1.13 Use cryptography to protect the confidentiality of remote access sessions
3.1.14 Direct remote access through controlled access points
3.1.15 Authorize remote execution of privileged commands and remote access to security-related data
3.1.16 Authorize wireless access before allowing such connections
3.1.17 Protect wireless access with authentication and encryption
3.1.18 Control connection of mobile devices
3.1.19 Encrypt CUI on mobile devices
3.1.20 Restrict and monitor connections to external systems
3.1.21 Limit the use of portable storage devices on external systems
3.1.22 Control CUI stored or processed on publicly accessible systems

2. Awareness and Training (AT)

Human error is a key contributor to security breaches, and training and awareness are critical to making employees aware of the key threats and risks. This control family requires organizations to train employees and contractors regarding their roles and responsibilities in protecting CUI and ways to identify and respond to threats. The personnel must know the risks of phishing, social engineering, and improper data handling.

Control family: Awareness and training, Number of controls: 3

3.2.1 Ensure stakeholders are aware of security risks, policies, and procedures
3.2.2 Ensure that personnel are trained in their information security duties and responsibilities
3.2.3 Arrange security awareness and training for identifying and reporting threats

3. Audit and Accountability (AA)

Audit logs are critical for forensic analysis and investigation. This NIST 800 171 control requires you to log and review system activities for unauthorized and malicious attempts to create accountability and trace events back to individuals.

Control family: Audit and accountability, Number of controls: 9

3.3.1 Maintain audit logs to monitor, analyze, and report unauthorized activity
3.3.2 Ensure that user actions are traceable for accountability
3.3.3 Review and update logged events
3.3.4 Set up alerts for audit logging failure
3.3.5 Align audit reviews and analysis to investigate suspicious activity
3.3.6 Enable audit log filtering and report generation for on-demand analysis
3.3.7 Ensure system clocks sync with an authoritative source for accurate audit timestamps
3.3.8 Protect audit logs from unauthorized access, modification, and deletion
3.3.9 Restrict audit log management to authorized users
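Controls 3.3.8 and 3.3.9 are easiest to reason about with a concrete mechanism in hand. The following is an added example, not code from the original post or from NIST: a small append-only audit log in which every record carries an HMAC over its own fields plus the previous record's MAC, so that editing, reordering, or deleting a record breaks the chain at a detectable position. The key, the record fields, and the timestamps are constructed for the demo; a real deployment would hold the key in a KMS/HSM that only the log-integrity service can use, which is what keeps log management restricted to authorized users.

```python
import hashlib
import hmac
import json
from typing import List, Tuple

# Constructed demo key. In production this lives in a KMS/HSM and is usable
# only by the logging service, so ordinary admins cannot re-sign records (3.3.9).
DEMO_KEY = b"demo-only-key-not-for-production"
GENESIS = "0" * 64  # "previous MAC" for the very first record


def _canonical(fields: dict) -> bytes:
    """Deterministic encoding so the MAC does not depend on dict ordering."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_entry(prev_mac: str, ts: str, user: str, action: str, outcome: str) -> dict:
    """Build one audit record whose MAC covers its fields and the previous MAC."""
    record = {"ts": ts, "user": user, "action": action, "outcome": outcome, "prev": prev_mac}
    record["mac"] = hmac.new(DEMO_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return record


def append(log: List[dict], ts: str, user: str, action: str, outcome: str) -> dict:
    """Append a record, chaining it to the MAC of the last record (3.3.8)."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = make_entry(prev, ts, user, action, outcome)
    log.append(entry)
    return entry


def verify(log: List[dict]) -> Tuple[bool, int]:
    """Walk the chain. Returns (True, -1) if intact, else (False, index_of_first_bad_record)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("prev") != prev:
            return False, i  # a record was removed, inserted, or reordered
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(DEMO_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, i  # the record's own fields were altered
        prev = entry["mac"]
    return True, -1


def demo_log() -> List[dict]:
    """Constructed sample: three records with timestamps from a synced clock (3.3.7)."""
    log: List[dict] = []
    append(log, "2025-03-26T09:00:00Z", "alice", "login", "success")
    append(log, "2025-03-26T09:05:12Z", "alice", "read CUI/contract-42.pdf", "success")
    append(log, "2025-03-26T09:07:40Z", "bob", "sudo", "denied")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("intact:", verify(log))
    log[2]["outcome"] = "success"  # an attacker rewriting a denial
    print("after tamper:", verify(log))
```

The position returned by `verify` is what an alerting rule (3.3.4) would carry into a ticket: it tells the reviewer which record to compare against the copy shipped to a separate log collector.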

4. Configuration Management (CM)

Poor configurations can lead to security gaps and increase the attack surface area. Configuration management is essential to ensure that all system configurations are secure and up to date and that no unauthorized changes are made.

Control family: Configuration Management, Number of controls: 9

3.4.1 Maintain baseline configurations and system inventories across the lifecycle
3.4.2 Enforce security configurations for IT systems
3.4.3 Track, review, and log changes to systems
3.4.4 Analyze the security impact of changes before implementation
3.4.5 Define and enforce access restrictions for system changes
3.4.6 Configure systems for minimal functionality to provide only essential capabilities
3.4.7 Restrict or disable non-essential services, programs, functions, and ports
3.4.8 Enforce whitelisting and blacklisting to control software usage
3.4.9 Control and monitor user-installed software


5. Identification and Authentication (IA)

Users and devices must be authenticated before they access CUI to minimize credential theft or unauthorized access. Identification and authentication mechanisms such as multi-factor authentication and strong and unique passwords must be a key requirement when dealing with sensitive information.

Control family: Identification and Authentication, Number of controls: 11

3.5.1 Identify users, processes, and devices accessing the system
3.5.2 Verify identities of users, processes, and devices before granting access
3.5.3 Mandate multi-factor authentication for privileged and remote access
3.5.4 Use replay-resistant authentication for network access to all accounts
3.5.5 Prevent reuse of identifiers for a defined period
3.5.6 Disable identifiers after a defined period of inactivity
3.5.7 Require complex passwords with character changes for new passwords
3.5.8 Prevent password reuse for a specified number of generations
3.5.9 Allow temporary passwords for login, requiring an immediate change
3.5.10 Store and transmit passwords with cryptographic protection
3.5.11 Conceal authentication feedback to prevent exposure
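Several of the Access Control and Identification and Authentication requirements above describe behaviour of a single component, the login service. The following is an added example, not code from the original post or from NIST, showing one minimal authentication service that satisfies 3.1.8 (lockout after repeated failures), 3.5.8 (rejecting recently used passwords), 3.5.10 (storing only salted PBKDF2 digests) and 3.5.11 (returning the same failure message whether the username is unknown, the password is wrong, or the account is locked). The threshold values, the usernames and the passwords are constructed for the demo; the iteration count is kept low so the example runs quickly and should be raised in real use.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 5        # 3.1.8: assumed policy value for the lockout threshold
PASSWORD_HISTORY = 5    # 3.5.8: assumed policy value, generations remembered
PBKDF2_ITERATIONS = 100_000  # low for demo speed; use a much higher value in production
GENERIC_ERROR = "Authentication failed"  # 3.5.11: one message for every failure cause


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """3.5.10: derive a salted digest; the cleartext password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # older (salt, digest)
    failures: int = 0
    locked: bool = False


class AuthService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    @staticmethod
    def _matches(salt: bytes, digest: bytes, password: str) -> bool:
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)  # constant-time comparison

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        acct = self.accounts.get(username)
        if acct is None:
            # Do the same amount of work as a real lookup so response time
            # does not reveal which usernames exist (3.5.11).
            hash_password(password, b"\x00" * 16)
            return False, GENERIC_ERROR
        if acct.locked:
            return False, GENERIC_ERROR
        if self._matches(acct.salt, acct.digest, password):
            acct.failures = 0
            return True, "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True  # 3.1.8: locked until an administrator resets it
        return False, GENERIC_ERROR

    def change_password(self, username: str, new_password: str) -> Tuple[bool, str]:
        acct = self.accounts[username]
        # 3.5.8: compare against the current digest and the remembered generations.
        for salt, digest in [(acct.salt, acct.digest)] + acct.history:
            if self._matches(salt, digest, new_password):
                return False, "Password was used recently"
        acct.history = ([(acct.salt, acct.digest)] + acct.history)[: PASSWORD_HISTORY - 1]
        acct.salt, acct.digest = hash_password(new_password)
        return True, "changed"


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")  # constructed credentials
    print(svc.login("alice", "wrong"))        # (False, 'Authentication failed')
    print(svc.login("nobody", "anything"))    # same message: username existence is not leaked
    print(svc.login("alice", "correct horse battery staple"))
```

Note that the lockout state is deliberately not reported to the caller either; an administrator learns it from the audit trail (3.1.7, 3.3.1), not from the login response.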

6. Incident Response (IR)

A well-defined incident response plan is necessary to identify incidents proactively and contain the damage as quickly as possible. Organizations must establish incident detection, reporting, response, and recovery procedures to minimize operational disruptions. The lessons learned from the incidents should also be used as a resource to improve resilience.

Control family: Incident Response, Number of controls: 3

3.6.1 Establish an incident-handling process covering preparation, detection, analysis, containment, recovery, and response
3.6.2 Track, document, and report incidents to internal and external stakeholders
3.6.3 Test the organization’s incident response capabilities

7. Maintenance (MA)

Systems require regular maintenance and updates, but ensuring that these activities are carried out securely without introducing any vulnerabilities or disruptions is equally important. So, this control family governs how maintenance and updates are carried out, who conducts them, and how remote maintenance is controlled.

Control family: Maintenance, Number of controls: 6

3.7.1 Perform maintenance on organizational systems
3.7.2 Control tools, methods, and personnel involved in system maintenance
3.7.3 Sanitize equipment of CUI before off-site maintenance
3.7.4 Scan diagnostic and test media for malware before use
3.7.5 Enforce multifactor authentication for remote maintenance and terminate sessions after completion
3.7.6 Monitor maintenance personnel without access authorization

8. Media protection (MP)

This control family governs how CUI stored on physical and digital media is protected, as improper handling can lead to breaches. Storage devices and media—such as USB drives, hard drives, and printed documents—must have access restrictions, employ data encryption, and be appropriately disposed of to minimize the risk of data theft.

Control family: Media Protection, Number of controls: 9

3.8.1 Securely store and control system media containing CUI
3.8.2 Limit access to CUI on system media to authorized users
3.8.3 Sanitize or destroy CUI media before disposal or reuse
3.8.4 Mark media with necessary CUI markings and distribution limitations
3.8.5 Restrict access to CUI media and track it during transport
3.8.6 Use encryption to protect CUI on digital media during transport unless physically secured
3.8.7 Control the use of removable media on system components
3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner
3.8.9 Protect the confidentiality of backup CUI at storage locations

9. Personnel Security (PS)

Personnel security helps ensure that employees don’t become a security risk—intentionally or simply due to lack of awareness. Organizations must run background checks on new hires and carefully manage access when employees leave so only trusted individuals can handle CUI.

Control family: Personnel Security, Number of controls: 2

3.9.1 Conduct background screening before granting access to CUI systems
3.9.2 Secure CUI systems during and after employee terminations or transfers

10. Physical Protection (PE)

Physical protection is equally crucial to ensure that only authorized users gain direct access to systems and that there is no physical theft of, or tampering with, data. It includes surveillance management and locked storage to control physical access to systems and sensitive data.

Control family: Physical Protection, Number of controls: 6

3.10.1 Restrict physical access to systems and equipment to authorized personnel
3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems
3.10.3 Escort visitors and monitor visitor activity
3.10.4 Maintain audit logs of physical access
3.10.5 Control and manage physical access devices
3.10.6 Enforce safeguarding measures for CUI at alternate work sites

11. Risk Assessment (RA)

Forward-looking risk assessments are key to a proactive security strategy as they help prioritize risks based on threat severity. This control family ensures that organizations regularly evaluate the vulnerabilities and attack vectors to understand their risk environment and plan mitigation strategies.

Control family: Risk Assessment, Number of controls: 3

3.11.1 Regularly evaluate risks to operations, assets, and individuals from CUI handling
3.11.2 Conduct regular vulnerability scans and update for new threats
3.11.3 Remediate vulnerabilities in accordance with risk assessments

12. Security Assessment (CA)

It is crucial to ensure that security controls function as intended. Security assessments help identify weaknesses or validate their effectiveness, strengthening security practices and keeping up with evolving threats.

Control family: Security Assessment, Number of controls: 4

3.12.1 Regularly evaluate security controls to ensure their effectiveness
3.12.2 Create and execute action plans to address security gaps and vulnerabilities
3.12.3 Continuously monitor security controls to maintain their effectiveness
3.12.4 Create, maintain, and update system security plans outlining boundaries, operations, security measures, and system connections

13. System and Communications Protection (SC)

This control family ensures that network boundaries are protected so there is no unauthorized exfiltration or modification of sensitive data. It aims to protect data in transit and at rest through firewalls, encryption, and other secure communication protocols.

Control family: System and Communications Protection, Number of controls: 16

3.13.1 Secure and monitor communications at system boundaries
3.13.2 Use secure architecture, development techniques, and engineering principles to enhance system security
3.13.3 Separate user functionality from system management functionality
3.13.4 Prevent unauthorized and unintended information transfer via shared system resources
3.13.5 Create isolated subnetworks for publicly accessible systems to separate them from internal networks
3.13.6 Block all network traffic by default and allow only approved exceptions
3.13.7 Prevent remote devices from using split tunneling to connect to both organizational systems and external networks simultaneously
3.13.8 Use encryption to protect CUI during transmission unless secured by other physical safeguards
3.13.9 End network connections after a session or a set period of inactivity
3.13.10 Manage cryptographic keys used in organizational systems
3.13.11 Use FIPS-validated cryptography to protect CUI confidentiality
3.13.12 Disable remote activation of collaborative computing devices and notify users when devices are in use
3.13.13 Control and monitor the use of mobile code
3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies
3.13.15 Protect the authenticity of communication sessions
3.13.16 Protect the confidentiality of CUI at rest

14. System and Information Integrity (SI)

This control family aims to maintain system and information integrity to protect against and respond to cyber threats. It focuses on monitoring systems for health, vulnerabilities, malware, and anomalies so that the organization can respond proactively and maintain overall security.

Control family: System and Information Integrity, Number of controls: 7

3.14.1 Identify, report, and correct system flaws on time
3.14.2 Implement malware protection at key points within organizational systems
3.14.3 Track security alerts and advisories and respond accordingly
3.14.4 Update malicious code protection mechanisms when new releases are available
3.14.5 Conduct regular system scans and real-time scans of external files upon download, opening, or execution
3.14.6 Monitor systems and network traffic to detect attacks and potential threats
3.14.7 Identify unauthorized use of organizational systems

Importance of NIST 800 171 controls

While NIST 800 171 is a requirement for non-federal organizations working with the Department of Defense (DoD), any organization that aims to enhance its cybersecurity posture can implement these controls.

Look at these benefits of implementing NIST 800 171 controls:

Enhanced data protection

When compromised, CUI can lead to national security and privacy issues and harm economic interests. NIST 800 171 controls have been designed to protect sensitive information such as PII, financial, or government data against breaches, threats, and unauthorized access. Access controls, encryption, media protection, etc. protect defense contractors against cyberattacks resulting from control weaknesses and security gaps.

Compliance with federal regulations

NIST 800-171 helps organizations strengthen cybersecurity practices and comply with regulations governing CUI. It aligns with requirements such as the Defense Federal Acquisition Regulation Supplement (DFARS) and supports frameworks like the Cybersecurity Maturity Model Certification (CMMC). Federal contractors implementing NIST 800-171 controls can reduce the risk of data breaches, contract loss, and potential legal consequences of non-compliance.


Global competitiveness

NIST 800-171 controls demonstrate an organization’s commitment to security and a culture of strong cybersecurity practices. Any organization seeking to work with the U.S. government or handle sensitive information for regulated industries must implement these controls to establish compliance and safeguard data. Beyond compliance, following NIST 800-171 can also boost your credibility, opening doors to international partnerships and new business opportunities.

Strengthened supply chain security

The controls also ensure that contractors and subcontractors enforce standardized security practices to minimize supply chain risks. Strict access controls, regular risk assessments, encryption, and other controls minimize weak links and protect the supply chain ecosystem from threats and attacks.

Incident response support

The framework also requires organizations to establish, test, and implement an incident response plan to minimize the risk of breaches and prolonged business disruptions. Requirements such as continuous monitoring, logging, proactive threat detection, and recovery efforts help strengthen the organization’s overall resilience.

Take control of security and compliance with Sprinto

While NIST allows some flexibility in implementation and evaluation, it is important to get things right so you don’t lose the contract. Things get tricky when you have limited resources and are managing everything manually. Enter Sprinto.

The next-gen compliance automation tool helps assess your compliance posture and identify gaps that need work. It embeds seamlessly with your tech stack and helps build a single view of risks and controls.

The central health dashboard reports compliance status in real-time, and API-based evidence capture from systems helps you get audit-ready at an accelerated speed. The platform is agile, responsive, and scalable, enabling you to achieve continuous compliance without cutting corners. The built-in policy templates, training modules, role-based access controls, and constant control monitoring help expand the scope of your compliance program and streamline your efforts.

Interested? Get in touch to watch the platform in action.

FAQs

Who requires NIST 800 171?

Any non-federal organization that stores, processes, or transmits CUI on behalf of US government agencies requires NIST 800 171. This includes contractors, subcontractors, research institutions, IT service providers, and other businesses in the supply chain.

What’s the difference between NIST 800 171 and NIST 800 172?

The key difference between NIST 800 171 and NIST 800 172 is that while the former sets baseline requirements to protect CUI, the latter focuses on enhanced protection for high-value assets to protect against advanced threats.

How to comply with NIST 800 171?

To comply with NIST 800 171:

  • Conduct a gap analysis
  • Create a tactical mitigation plan
  • Implement the required controls
  • Train your employees
  • Document everything
  • Conduct an internal audit
  • Get a third-party assessment (optional)
Payal Wadhwa
Payal is your friendly neighborhood compliance whiz who is also ISC2 certified! She turns perplexing compliance lingo into actionable advice about keeping your digital business safe and savvy. When she isn’t saving virtual worlds, she’s penning down poetic musings or lighting up local open mics. Cyber savvy by day, poet by night!
