NIST SP 800-171 Compliance Overview for Contractors
What This Guide Covers
If you work with federal or state agencies as a contractor or subcontractor, you’re responsible for protecting Controlled Unclassified Information (CUI). The NIST SP 800-171 Rev. 2 framework (with Rev. 3 finalized in 2024) sets the security requirements you need to meet.
This guide walks through the key control families in plain language so every team member understands their role in keeping CUI safe.
Control families covered:
- Access Controls
- Identification and Authentication
- Media Protection
- Physical Protection
- System and Communications Protection
- System and Information Integrity
Access Controls
Who Gets Access (3.1.1)
Think of access control like keycards for a building. Only people with the right authorization can enter, and only to the areas they need.
Your responsibilities:
- [ ] Only access systems and data you’ve been authorized to use
- [ ] Never share your login credentials with anyone
- [ ] Report any access you have that seems broader than your job requires
Role-Based Access Levels (3.1.2)
Not everyone needs the same level of access. An invoice processor needs different system access than a project manager.
How this works in practice:
- [ ] Access is assigned based on job function (least privilege principle)
- [ ] Permissions are reviewed regularly and adjusted when roles change
- [ ] Elevated access requires additional approval
External Devices and Systems (3.1.20)
Personal phones, laptops on public Wi-Fi, and cloud storage services fall outside direct organizational control. Using them to access company data creates risk.
Rules to follow:
- [ ] Only use approved applications to access company data from external devices
- [ ] External devices used for work may require security checks
- [ ] Treat any system handling CUI as sensitive, even internal ones
- [ ] Avoid accessing CUI from public Wi-Fi without an approved VPN
No CUI on Public Systems (3.1.22)
Sensitive information (customer data, CUI, trade secrets) must never be posted on publicly accessible systems.
- [ ] Only authorized personnel can post information to public-facing systems
- [ ] Double-check all content before publishing to prevent accidental leaks
- [ ] When in doubt, treat information as sensitive and keep it off public platforms
Identification and Authentication
User and Device Tracking (3.5.1)
Every user and device on your network needs a unique identifier. This creates an audit trail showing who did what and when.
- [ ] Each person has a unique user account (no shared accounts)
- [ ] Devices are registered and tracked with unique identifiers
- [ ] Group accounts require additional verification steps
Identity Verification (3.5.2)
Before you access any system, the system needs to confirm you are who you say you are.
Authentication requirements:
- [ ] Use strong, unique passwords that meet minimum length requirements (16+ characters recommended as of 2025 NIST guidance)
- [ ] Enable multi-factor authentication (MFA) wherever available
- [ ] Default passwords on all systems and devices must be changed immediately
- [ ] Temporary access (for maintenance workers, visitors) uses time-limited credentials
- [ ] Report any suspicious login attempts or MFA prompts you didn’t initiate
Reference: NIST SP 800-63-4 (2024) provides updated digital identity guidelines.
Media Protection
Device Disposal and Sanitization (3.8.3)
Before disposing of or repurposing any device (computers, phones, printers, external drives, even paper documents), all data must be securely removed.
Sanitization checklist:
- [ ] Use approved data-wiping software for standard devices
- [ ] Physically destroy storage media that contained CUI (shredding, degaussing, or incineration)
- [ ] Follow NIST SP 800-88 Rev. 1 guidelines for sanitization methods
- [ ] Document the sanitization method used for each device
- [ ] Check NARA (National Archives and Records Administration) policies for records retention before destroying anything
Physical Protection
Securing Equipment Areas (3.10.1)
Computers, servers, printers, and storage devices must be in controlled areas.
- [ ] Only personnel with authorized badges or ID cards can enter equipment areas
- [ ] Locked rooms or secured zones protect sensitive equipment
- [ ] This applies to every area holding sensitive equipment, not to public spaces
Visitor Management (3.10.3 and 3.10.4)
Visitors without regular access badges need supervision.
- [ ] Escort all visitors in secure areas
- [ ] Track visitor entry and exit using sign-in sheets, badge systems, or both
- [ ] Maintain visitor logs at building entrances, secure areas, and areas with sensitive equipment
- [ ] Review visitor logs regularly for anomalies
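One way to do the regular log review above, as an added example that is not part of this guide: a small Python checker that reads a constructed visitor log (one event per line: timestamp, visitor, IN/OUT, area, escort) and flags unescorted entries to secure areas, exits with no recorded entry, and visitors never signed out. The area names, log format and sample entries are all constructed assumptions.

```python
# Added example (not from the guide): review a visitor log for anomalies
# per 3.10.3/3.10.4. Assumes a constructed one-event-per-line format:
#   <timestamp>,<visitor>,<IN|OUT>,<area>,<escort name or ->
SECURE_AREAS = {"server room", "lab"}  # constructed list of escort-required areas


def parse_log(text):
    """Return (timestamp, visitor, action, area, escort) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5 or parts[2] not in ("IN", "OUT"):
            raise ValueError(f"malformed log line: {line!r}")
        events.append(tuple(parts))
    return sorted(events)  # ISO timestamps sort chronologically as strings


def find_anomalies(events):
    """Flag unescorted secure-area entries, exits with no entry, and open visits."""
    findings = []
    open_visits = {}  # (visitor, area) -> entry timestamp
    for ts, visitor, action, area, escort in events:
        key = (visitor, area)
        if action == "IN":
            if area in SECURE_AREAS and escort == "-":
                findings.append(f"{ts}: {visitor} entered {area} without an escort")
            open_visits[key] = ts
        elif key in open_visits:
            del open_visits[key]
        else:
            findings.append(f"{ts}: {visitor} left {area} with no recorded entry")
    for (visitor, area), ts in sorted(open_visits.items()):
        findings.append(f"{ts}: {visitor} never signed out of {area}")
    return findings


# Constructed sample log: one clean visit, one unescorted lab entry that
# was never signed out, and one exit with no matching entry.
SAMPLE_LOG = """
2024-03-04T08:55,A. Vendor,IN,lobby,-
2024-03-04T09:10,A. Vendor,IN,server room,J. Smith
2024-03-04T10:05,A. Vendor,OUT,server room,J. Smith
2024-03-04T10:07,A. Vendor,OUT,lobby,-
2024-03-04T13:20,B. Courier,IN,lab,-
2024-03-04T14:00,C. Auditor,OUT,lab,-
"""


def review_sample():
    return find_anomalies(parse_log(SAMPLE_LOG))
```

Each finding names the visitor, area and timestamp so it can be matched against the paper sign-in sheet or badge record during the review.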
Physical Access Controls (3.10.5)
Keys, keycards, combination locks, and electronic access cards control building entry.
- [ ] Issue access credentials only to authorized personnel
- [ ] Collect credentials when someone leaves the organization or changes roles
- [ ] Change combination locks when personnel with access depart
- [ ] Audit physical access logs quarterly
System and Communications Protection
Monitoring Data Flow (3.13.1)
Firewalls, routers, and intrusion detection systems monitor information moving through your network.
These tools protect CUI by:
- [ ] Blocking suspicious network activity
- [ ] Directing information along approved paths
- [ ] Adding extra security checkpoints for highly sensitive data
- [ ] Monitoring shared commercial communication services (phone lines, internet) with extra care
References: NIST SP 800-41 Rev. 1 (firewalls), NIST SP 800-125B (virtualization security)
Network Segmentation (3.13.5)
Your internal network should be separated from public-facing systems using a DMZ (demilitarized zone).
- [ ] Public information (website, etc.) lives in a separate network zone
- [ ] The DMZ acts as a checkpoint between public and private networks
- [ ] Only authorized traffic passes between zones
- [ ] Internal CUI systems are never directly exposed to the internet
System and Information Integrity
Vulnerability Management (3.14.1)
Systems need regular checkups to find and fix weaknesses before attackers exploit them.
- [ ] Scan systems for vulnerabilities on a regular schedule (at least monthly)
- [ ] Apply patches from trusted sources promptly, prioritizing critical systems
- [ ] Track vulnerabilities using the CVE and CWE databases
- [ ] Document all patches applied and their dates
Malware Protection (3.14.2)
Malicious software can arrive through emails, infected websites, or USB drives.
Stay protected:
- [ ] Keep endpoint protection software installed and running on all systems
- [ ] Only open emails and attachments from known, verified senders
- [ ] Do not click suspicious links in emails or on websites
- [ ] Be cautious about downloading files from the internet
- [ ] If you receive a suspicious email, forward it to ForwardToSafety.com for verification before interacting with it
- [ ] Report suspicious emails to your IT security team immediately
Reference: NIST SP 800-83 Rev. 1 covers malware prevention and handling.
Security Software Updates (3.14.4)
Security tools need regular updates to recognize new threats.
- [ ] Enable automatic updates for all security software
- [ ] Verify updates are actually installing (don’t just assume)
- [ ] Supplement antivirus with secure coding practices, configuration management, and system monitoring
File Scanning (3.14.5)
All files from external sources must be scanned before opening.
- [ ] Scan email attachments before opening, regardless of the sender
- [ ] Scan files downloaded from websites
- [ ] Scan files from removable drives (USB sticks, external hard drives)
- [ ] Configure systems to automatically scan files on access
Summary
These security practices exist to protect the information entrusted to your organization. Each person plays a part, from using strong passwords and locking doors to scanning files and reporting suspicious emails.
Key takeaways:
- Only access what you need for your job
- Verify your identity and protect your credentials
- Wipe devices clean before disposal
- Keep physical spaces secure
- Monitor and segment your network
- Patch systems quickly and scan everything
When in doubt about a suspicious email or communication, use ForwardToSafety.com to safely forward it for verification. Ask questions early rather than risk a security incident.