If you have government contracts involving Controlled Unclassified Information (CUI), you might have to comply with the NIST SP 800-171 guidelines. Managing a business is already a handful, so I read the documentation and created a simplified checklist to help you navigate protecting CUI within your systems.

This checklist is designed for business owners working with the federal government or handling contracts involving CUI. Even if your business doesn’t directly work with the government, following these guidelines can significantly improve your overall security and help protect valuable business data.

I created this checklist in a way that’s easy to understand, even if you don’t have a strong technical background. By following this checklist, you can evaluate your security measures and make necessary improvements to maintain or achieve compliance.

Leave any comments or questions below.

CUI Compliance Checklist (NIST SP 800-171)

  1. Access Control:
    • Maintain control of the people and devices that can use your systems.
    • Control how sensitive information, specifically CUI, moves within your business.
    • Set up and manage access rights for users and groups.
    • Keep an eye on remote access and restrict its use.
  2. Awareness and Training:
    • Train your employees on security awareness and your company’s rules.
    • Provide extra training for employees with notable security roles.
  3. Audit and Accountability:
    • Keep track of what happens in your systems and hold people accountable.
    • Review system logs for anything unusual and investigate.
    • Keep logs safe and stored for a required amount of time.
  4. Configuration Management:
    • Set up and maintain a standard setup for your systems.
    • Watch and control any changes to your system parts.
    • Limit and monitor access to special privileges (like admin rights).
  5. Identification and Authentication:
    • Give users and devices unique IDs or names.
    • Use strong passwords and additional authentication methods (like two-step verification).
  6. Incident Response:
    • Be ready to handle security incidents.
    • Keep records of incidents and report them to the right people.
    • Test your ability to respond to incidents regularly.
  7. Maintenance:
    • Keep your systems in good shape with regular maintenance.
    • Control the tools, methods, and people who maintain your systems.
    • Wipe sensitive data from equipment before sending it off-site for repairs.
  8. Media Protection:
    • Secure physical and digital storage (like papers, CDs, or USB drives).
    • Allow only authorized people to access sensitive information.
    • Wipe sensitive data from storage before throwing it away or reusing it.
  9. Personnel Security:
    • Check people’s backgrounds before giving them access to sensitive systems.
    • Keep systems safe when employees leave or move to a different job.
  10. Physical Protection:
    • Limit who can physically access your systems and equipment.
    • Keep your buildings and infrastructure safe and monitor activity.
  11. Risk Assessment:
    • Check for risks to your business operations and assets on a regular schedule.
    • Look for security weaknesses and fix them.
  12. Security Assessment:
    • On a regular schedule, test your security measures to see if they work well.
    • Make plans to fix problems and lower risks.
    • Keep an eye on your security measures all the time.
    • Create and update plans that describe your system’s security.
  13. System and Communications Protection:
    • Watch and protect the information coming in and going out of your systems.
    • Use designs and principles that make your systems more secure.
    • Use methods like encryption to protect data when sending and storing it.
  14. System and Information Integrity:
    • Find, report, and fix problems in your systems quickly.
    • Protect your systems from harmful software (like viruses).
    • Stay aware of security news and act on important alerts.

You can read the documentation for yourself here: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (nist.gov)