Within the 14 control categories of NIST 800-171, there are 110 security requirements that must be verified. Contractors who access CUI must create and implement security protocols for these 14 control categories. Let’s take a look at the 14 control categories and break them down into the main points.
- Access Control
Who is authorized to view the information and how do you control access to this information?
- Awareness and Training
How do your employees treat this information? Are there processes in place for them to know what to do with CUI?
- Audit and Accountability
Do you keep records of who accesses CUI? Do you have records of who is and is not authorized to access this information?
- Configuration Management
How are your networks constructed? How are your safety procedures documented?
- Identification and Authentication
Who is authorized to access CUI? Are they verified before they receive access? If so, how?
- Incident Response
When there is a security threat, what is your process? How is your partner going to be notified?
- Maintenance
How often is maintenance performed? Who performs maintenance?
- Media Protection
How are your records stored (paper and electronic copies)? Who has access to these records?
- Personnel Security
How are employees screened before they receive access to CUI?
- Physical Protection
- Risk Assessment
Are risk assessments done? If so, how often?
- Security Assessment
Are your procedures effective? Do you need to make improvements?
- System and Communications Protection
Is information monitored on a regular basis? Is information controlled at key transmission points?
- System and Information Integrity
How quickly are possible threats detected, recognized and fixed?