Within the 14 control categories of NIST 800-171, there are 110 security requirements that must be verified. Contractors who access CUI must create and implement security protocols for these 14 control categories. Let’s take a look at the 14 control categories and break them down into the main points.

  • Access Control

Who is authorized to view the information and how do you control access to this information?

  • Awareness and Training

How do your employees treat this information? Are there processes in place for them to know what to do with CUI?

  • Audit and Accountability

Do you keep records of who accesses CUI? Do you have records of who is and is not authorized to access this information?

  • Configuration Management

How are your networks constructed? How are your safety procedures documented?

  • Identification and Authentication

Who is authorized to access CUI? Are they verified before they receive access? If so, how?

  • Incident Response

When there is a security threat, what is your process? How is your partner going to be notified?

  • Maintenance

How often is maintenance performed? Who performs maintenance?

  • Media Protection

How are your records stored (paper and electronic copies)? Who has access to these records?

  • Personnel Security

How are employees screened before they receive access to CUI?

  • Physical Protection

Where is CUI stored? What kind of physical security do you have in place where CUI is stored (locks, video monitoring systems, etc.)? Who has access to these environments?

  • Risk Assessment

Are risk assessments done? If so, how often?

  • Security Assessment

Are your procedures effective? Do you need to make improvements?

  • System and Communications Protection

Is information monitored on a regular basis? Is information controlled at key transmission points?

  • System and Information Integrity

How quickly are possible threats detected, recognized and fixed?