The National Institute of Standards and Technology (NIST) published the 800-171 security requirements, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, in June 2015.  The purpose of the NIST 800-171 publication is to provide guidance for federal agencies and government contractors to ensure that certain types of federal information is protected, processed, stored, and used in non-federal information systems.  

NIST 800-171 is a subset of requirements taken directly from the NIST 800-53 publication that specifically apply to Controlled Unclassified Information (CUI) shared by the federal government with a nonfederal entity. The controls protect CUI in nonfederal IT systems from unauthorized disclosure.   The University of Iowa, as a higher education institution, frequently encounters CUI for research purposes or in carrying out the work of federal agencies.  In some cases, there may not be a law that specifically addresses how the CUI data must be protected and in those instances, NIST 800-171 should be applied. 

In summary, NIST 800-171 applies to data that the federal government designates as CUI when they are shared by the federal government with a nonfederal entity and when no other federal law or regulation addresses how to protect the underlying data. Please contact the Information Security and Policy Office or ITS-Research Services for more information.

Why should I care about NIST 800-171?

Recently, the Department of Defense has started requiring NIST 800-171 compliance in all of its contracts.  In fact, all research projects governed by a Department of Defense (DoD) contract must be in compliance with NIST 800-171 by December 2017.  The requirements for protecting Controlled Unclassified Information (CUI) can be complex and difficult to implement.  The Information Security and Policy Office and ITS-Research Services have worked together to build this support page in an effort to provide detailed information and documentation that will assist researchers and IT staff in building compliant solutions to properly protect CUI.  Please refer to the following spreadsheet for guidance in creating a NIST 800-171 compliant solution:

FileUIowa 800-171 Assessment Template.xlsx

Each requirement is listed with applicable information and policies for clarity and completeness.  Please contact the Information Security and Policy Office or for help with implementation.

Article number: 
Last updated: 
October 13, 2017