Tuesday, March 28, 2023

NIST 800-171 R2


NIST SP 800-171 Revision 2 is a publication by the National Institute of Standards and Technology (NIST) that specifies the security requirements for protecting Controlled Unclassified Information (CUI) when it is processed, stored, or transmitted by nonfederal systems and organizations such as contractors, universities, and research institutions. CUI is sensitive but unclassified federal information that a law, regulation, or government-wide policy requires to be safeguarded; the CUI program itself is established by Executive Order 13556 and 32 CFR Part 2002, and NIST SP 800-171 describes how to protect that information once it leaves federal systems.

NIST SP 800-171 R2 defines 110 security requirements that nonfederal organizations must implement when a contract or agreement obliges them to protect CUI. The requirements are derived from the security requirements in FIPS 200 and the moderate-impact baseline of NIST SP 800-53, tailored for nonfederal use: controls that are uniquely federal, not directly related to protecting the confidentiality of CUI, or routinely satisfied by nonfederal organizations without being specified were removed. The remaining requirements are organized into 14 families (for example access control, configuration management, and incident response). Each family contains basic requirements, which are the high-level statements taken from FIPS 200, and derived requirements, which are more specific statements drawn from SP 800-53.

NIST SP 800-171 is not itself a regulation; it is invoked by contract clauses. For Department of Defense contractors, DFARS clause 252.204-7012 requires implementation of all 110 requirements on covered contractor information systems that process, store, or transmit covered defense information, and DFARS clauses 252.204-7019 and 252.204-7020 require a current NIST SP 800-171 assessment score to be recorded in the Supplier Performance Risk System (SPRS). The FAR clause 52.204-21 is narrower than the original text of this post suggested: it applies to Federal Contract Information (FCI) rather than CUI, and it specifies 15 basic safeguarding requirements that correspond to a subset of the 800-171 requirements. In either case, the purpose of the requirements is to protect CUI from unauthorized access and disclosure; confidentiality is the publication's stated focus, although many requirements also contribute to integrity and availability.

Revision 2 groups its 110 security requirements into 14 families. The families, with the focus of each, are:

  1. Access Control: Limiting system access to authorized users, processes, and devices, and limiting those users to the transactions and functions they are permitted to perform (including least privilege, separation of duties, session controls, and control of remote and wireless access).
  2. Awareness and Training: Ensuring that managers, system administrators, and users are aware of the security risks of their activities and are trained to carry out their security responsibilities, including recognizing insider threats.
  3. Audit and Accountability: Creating, protecting, and retaining system audit records so that unlawful or unauthorized activity can be detected and traced to individual users.
  4. Configuration Management: Establishing and maintaining baseline configurations and inventories of systems, controlling and tracking changes, restricting nonessential functions and software, and applying least functionality.
  5. Identification and Authentication: Identifying users, processes, and devices and authenticating them before granting access, including multifactor authentication for privileged and network access and protection of stored and transmitted authenticators.
  6. Incident Response: Establishing an operational incident-handling capability that covers preparation, detection, analysis, containment, recovery, and user response, and tracking, documenting, and reporting incidents to designated officials and authorities.
  7. Maintenance: Performing maintenance on organizational systems and controlling the tools, techniques, mechanisms, and personnel used to conduct it, including sanitizing equipment removed for off-site maintenance and supervising maintenance personnel who lack required access authorization.
  8. Media Protection: Protecting system media containing CUI, both paper and digital, limiting access to authorized users, and sanitizing or destroying media before disposal or reuse.
  9. Personnel Security: Screening individuals before authorizing access to systems containing CUI and ensuring that CUI and systems remain protected during and after personnel actions such as terminations and transfers.
  10. Physical Protection: Limiting physical access to systems, equipment, and operating environments containing CUI to authorized individuals, and escorting and monitoring visitors.
  11. Risk Assessment: Periodically assessing the risk to organizational operations, assets, and individuals resulting from the operation of systems that handle CUI, scanning for vulnerabilities, and remediating them.
  12. Security Assessment: Periodically assessing whether the security requirements are implemented and effective, developing and updating plans of action to correct deficiencies, monitoring controls on an ongoing basis, and maintaining system security plans that describe system boundaries, environments of operation, and how the requirements are implemented.
  13. System and Communications Protection: Monitoring, controlling, and protecting communications at the external and key internal boundaries of systems, including cryptographic protection of CUI in transit and at rest, network segmentation, and denial of network traffic by default.
  14. System and Information Integrity: Identifying, reporting, and correcting system flaws in a timely manner, protecting against malicious code, and monitoring systems, security alerts, and advisories for attacks and indicators of potential attacks.

Taken together, these 14 families are the baseline a nonfederal organization is expected to meet before it handles CUI. Their primary aim is to protect the confidentiality of CUI, and the requirements on integrity and availability exist mainly in support of that goal.
