NIST Special Publication 800-171 (NIST SP 800-171) provides federal agencies with recommended security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. It outlines specific security controls and objectives that organizations must implement when handling CUI, which is sensitive but not classified information. The requirements are designed to ensure the confidentiality, integrity, and availability of CUI in these systems.
Examples of CUI
Health information, critical energy infrastructure information, intellectual property, and defense-related information.
Key aspects of NIST SP 800-171
Scope
Protecting CUI in non-federal systems and organizations. It consists of 110 security controls with 320 assessment objectives.
Compliance
Organizations handling CUI must implement the security controls and objectives outlined in the publication.
Purpose
To ensure that CUI is handled securely, preventing unauthorized access, disclosure, or modification. It applies to any component of a non-federal system that processes, stores, or transmits CUI.
Assessment
​The security requirements are assessed through a process outlined in NIST SP 800-171A.
Who needs to comply?
-
Federal agencies
-
Non-federal organizations and systems that process, store, or transmit CUI
-
Organizations within the supply chain for DoD, GSA, NASA, and other federal agencies
-
Defense contractors
Why is compliance important?
-
Ensuring data security
Protecting CUI from unauthorized access, disclosure, or modification. -
Meeting contractual requirements
Many federal contracts require compliance with NIST SP 800-171. -
Maintaining credibility
Demonstrates a commitment to cybersecurity and data protection. -
Reducing risk
Minimizing the risk of data breaches and cyberattacks.
myLaminin’s compliance with NIST 800-171
myLaminin has undergone a thorough self-assessment against the 110 security requirements of the NIST SP 800-171 standard and addressed all requirements relevant to our role as a secure Research Data Management platform.
Some security requirements are tagged as Not Applicable (NA) or ‘Can’t Support’ as they do not apply in our environment. For example, myLaminin is a SaaS service that does not maintain or operate any on-premise data center facilities and does not operate any mobile computing platforms or use portable storage devices for data transfer. myLaminin also does not rely on any external third parties for system maintenance activities.