NIST SP 800-171 Compliance
Certain research projects sponsored by U.S. federal agencies, in particular the Department of Defense (DoD), are required to demonstrate compliance with the standards outlined in NIST SP 800-171 (see Q&A and Related Links below for more information). The University of Memphis has developed the guidelines below to assist research teams with achieving and maintaining compliance.
All research projects at the University of Memphis are expected to comply with IT Security Policies and Guidelines, including Data Storage Guidelines. For assistance in complying with these guidelines and policies, contact firstname.lastname@example.org.
Steps to achieve NIST SP 800-171 compliance for sponsored projects
1. Notify the Office of Sponsored Programs (email@example.com) of compliance needs at the time of project proposal.
2. A folder in the ITS/OSP Security Framework section of Microsoft Teams will be created for documentation for the project(s).
3. All team members must complete annual IT Security Awareness training.
4. All team members must complete one-time DoD Mandatory Controlled Unclassified Information (CUI) Training. Before closing the training window, each team member must download the completion certificate. The certificate will not be retrievable after the training window is closed. Upload the certificate for each team member to the Microsoft Teams folder designated for the project.
5. At the time of proposal, complete a System Summary and upload it to the Microsoft Teams folder designated for the project.
6. Prior to final contract execution, complete the System Security Plan (SSP) and upload it to the Microsoft Teams folder designated for the project. Optionally, an SSP Control Checklist can be completed to assist in completing the System Security Plan.
7. The completed SSP must be approved by the IT Security team prior to executing contracts that require NIST SP 800-171 compliance.
All required documents will have templates available in the Microsoft Teams project folder.
The System Summary and SSP are required to finalize contracts for sponsored projects with NIST SP 800-171 compliance needs.
What is NIST SP 800-171, and why is compliance required for my project?
The National Institute of Standards and Technology (NIST) developed Special Publication (SP) 800-171 to establish guidelines for federal agencies when contracting with nonfederal organizations that store and share sensitive data not otherwise classified or protected by federal regulations. This data is referred to as Controlled Unclassified Information (CUI).
Failure to maintain compliance with CUI requirements where required could constitute a contractual violation, resulting in the potential loss of funding and jeopardizing future research grants.
Do compliance requirements need to be fulfilled before contract execution?
Yes. Any research project requiring NIST SP 800-171 compliance must fulfill the steps outlined above before funding is awarded.
Am I responsible for ensuring compliance with all NIST SP 800-171 requirements?
The lead researcher for each project is responsible for establishing and maintaining NIST SP 800-171 compliance throughout the duration of the project. However, many existing University of Memphis information security policies, guidelines and procedures address the security requirements described by NIST frameworks. UofM IT Security can provide guidance in addressing special data management needs while maintaining compliance.
What is a System Security Plan (SSP)?
A System Security Plan (SSP) is a formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. In particular, the SSP describes the system boundary, the environment in which the system operates, how security requirements are implemented and the relationships with or connections to other systems.
CUI: What You Need to Know (National Archives CUI Program Blog)
CUI Resources (National Archives)
CUI Training (National Archives) Note: These videos are provided as an additional training resource and do not replace the required training listed in Steps 3 & 4 above.
What is NIST 800-171 and Who Needs to Follow It? (NIST Manufacturing Innovation Blog)