NIST SP 800-171 Control Families – Overview

For non-governmental organizations that do, or hope to do, business with the U.S. government, careful consideration must be given to whether controlled unclassified information is part of the specified contract work. Controlled unclassified information (CUI) is sensitive in nature and is restricted from public distribution. It is not classified information; rather, it consists of products or by-products of government contract work that have been deemed to deserve additional protections.

The protections required are outlined in NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. A link to this publication is included at the end of this article. The security controls that protect CUI are grouped into families. There are fourteen families, comprising just over 100 individual control measures. This article serves as a brief introduction to the control families. We’ll further explore each family and some of the specific security requirements in later articles.

Control families and a brief explanation of their purposes:

Access Control

Ensuring only those personnel, accounts and system processes that require access to CUI have such access. Ensuring CUI is not released or exposed to those not approved to receive it. Often, we think of this as an information technology issue. However, protection of CUI hardcopy documents, prototypes and other artifacts may require physical security measures as well.

Awareness and Training

Provide appropriate training and skills to those charged with the protection of CUI. This should include periodic cybersecurity awareness training, as well as system administration, maintenance and even programming skills for those responsible for handling CUI.

Audit and Accountability

The contractor must know what CUI is maintained, where it is stored and processed, and by whom, when and where it is handled. Software, system and data inventories assist in accountability. System, event and access logs help to meet the audit requirements. Again, physical artifacts may require manual measures.

Configuration Management

Each component and process of an IT system has a configuration that dictates how it operates. By standardizing and managing configurations, systems and software should perform in definable and measurable ways.

Identification and Authentication

Employ measures that ensure authorized access is achieved only by those whose identities are confirmed and approved. These controls must be robust enough that they are not easily spoofed or faked, especially in remote access scenarios.

Incident Response

In this day and age, a compromise or breach of some degree is inevitable; that is the world we now live in. Creating and practicing a response plan helps to ensure the business can recover and resume operations.

Maintenance

Hardware, firmware and software components of IT systems must be kept up to date to ensure vulnerabilities are addressed, holes patched, and subsystems keep functioning.

Media Protection

Create policies for how physical media is handled, stored and transported. It must be labeled and protected from unauthorized access.

Personnel Security

Systems and data are only as secure as the personnel with access to them. Ensure employees, contractors and vendors are properly vetted, authorized and approved.

Physical Protection

Systems that contain CUI may be prone to theft or damage. Protections for portable workstations, laptops and mobile devices are critical, as is appropriate security for servers and data storage areas.

Risk Assessment

Periodically evaluate the risks to personnel, systems and information, and review control measures for adequacy.

Security Assessment

Periodically test and review security control measures, both logical and physical, to verify they meet objectives; refine and update as needed.

System and Communications Protection

Further measures to protect CUI data from unauthorized exposure; encryption is an important consideration.

System and Information Integrity

Making sure that systems, and the data and information they process, are trustworthy and have not been maliciously or accidentally altered.

In reviewing the above families of controls, it is evident that achieving and maintaining compliance is a business effort, not just something for the IT team. Some controls require policy development while others are IT configurations; some are physical processes while others may be automated. All, however, require a plan and constant, cognizant oversight.

In future articles, we’ll delve into each of the control families and explore options for how they might be met.

Assured Bridge

Assured Bridge offers services and solutions to help small businesses meet their security and compliance objectives. Whether you need a fully compliant environment, or a trusted expert partner to advise and consult, we’re available to help.

Reference Links:

Assured Bridge

National Institute of Standards and Technology Special Publication 800-171 Rev1

Daniel Bjorklund


With over 30 years of experience, Daniel Bjorklund is a dedicated information security practitioner, mentor and innovator. He serves as a principal vCISO at Assured Bridge, helping to mature and guide compliance-as-a-service and managed security service provider operations. He is also active in the startup and entrepreneurial communities in the Augusta, GA area, helping set firm cybersecurity foundations for new companies and efforts.

Dan is a current CISSP and holds a Master of Science degree in Information Assurance and Security and a Bachelor of Science degree in Information Technology. When not hunched in front of a computer, Dan can often be found above 3000 feet avoiding highway traffic, flying his airplane as a licensed pilot. He and his wife enjoy outdoor activities, biking, fishing and sightseeing in the Southeastern United States.
