Skip to main content

NIST 800-171 Requirements

The National Institute of Standards and Technology (NIST) published the 800-171 security requirements, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, in June 2015.  The purpose of the NIST 800-171 publication is to provide guidance for federal agencies and government contractors to ensure that certain types of federal information is protected, processed, stored, and used in non-federal information systems.  

NIST 800-171 is a subset of requirements taken directly from the NIST 800-53 publication that specifically apply to Controlled Unclassified Information (CUI) shared by the federal government with a nonfederal entity. The controls protect CUI in nonfederal IT systems from unauthorized disclosure.   Iowa State University, as a higher education institution, frequently encounters CUI for research purposes or in carrying out the work of federal agencies.  In some cases, there may not be a law that specifically addresses how the CUI data must be protected and in those instances, NIST 800-171 should be applied. 

In summary, NIST 800-171 applies to data that the federal government designates as CUI when they are shared by the federal government with a nonfederal entity and when no other federal law or regulation addresses how to protect the underlying data. Please contact the IT Security or ResearchIT for more information.

Why should I care about NIST 800-171?

Recently, the Department of Defense has started requiring NIST 800-171 compliance in all of its contracts.  In fact, all research projects governed by a Department of Defense (DoD) contract must be in compliance with NIST 800-171 by December 2017.  The requirements for protecting Controlled Unclassified Information (CUI) can be complex and difficult to implement.  We're here to help.

How can I be sure my grant is compliant?

Many DoD grants do not involve CUI, and strictly operate on public data.  The grant award documentation should make this clear, but it sometimes requires communication with the award officer to confirm.  If you have a grant through the DoD, a project which you know contains CUI, or you're just not sure - please contact IT Security or ResearchIT to get a review process started.

ResearchIT has helped several researchers clarify whether or not their grant was in scope for the rules, and has solutions available to help meet the requirements if your project is in scope.

The review process will involve determining if your project contains CUI and falls under the NIST 800-171 rules, then completing a spreadsheet with explanations of how each compliance requirement is being met, or mitigated through a compensating control.

The spreadsheet template can be found here so you can preview, but please wait to complete the spreadsheet in collaboration with your local IT support, ResearchIT, or IT Security.


Each requirement is listed with applicable information and policies for clarity and completeness. 

This page has been adapted from the following content: