Protecting Federal “Controlled Unclassified Information” (CUI)

Upfront: NIST is an organization that establishes documented standards.  The standard numbered 800-171 is titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

NIST 800-171 contains lots of Information Technology guidance that are the minimum acceptable methods of securing your computer networks IF you are going to be “processing” federal CUI as part of your contract.

There are 114 “controls” expected from your IT department.  A control is something like “Account Management” which includes “User registration and de-registration” procedures.  In essence, this NIST 800-171 could be thought of as “IT 101” for any modern environment.

There are lots of consultancies and professional organizations that are quite happy to offer their services to make you feel better about this.  If you have an actual functioning IT department, you should already be ahead of this.  If you don’t, then it likely doesn’t apply.

Bottom Line: NIST 800-171 is nothing to fear.  It is basic IT security spelled out in a guide.