Simplify NIST compliance: How to identify CUI and establish scope

This is a snippet of an article published on

The clock is ticking for anyone who holds US government data. That’s because compliance with the security directives surrounding controlled unclassified information (CUI), also known as NIST 800-171, must be reached by December 2017. But instead of working through reams of federal publications, you can take a simplified approach.

By asking four basic questions, any organization can quickly know how much effort will be needed to meet regulations. So avoid plowing through security jargon and acronym-laden alphabet soup and beat the clock.

1. Covered: Is the site covered by the CUI scope?

If the site holds a US federal contract or is a supplier on a US federal contract, then the site likely has CUI.

2. Consolidated: Is the CUI contained and isolated?

When the CUI is located in one application or one set of systems, applying controls is simplified. When the CUI is not consolidated, but instead is spread throughout systems and locations, applying controls can become expensive and burdensome. Though even here, applying controls widely may be less intrusive than trying to consolidate the CUI.

3. Controlled: Is the CUI actually controlled?

The CUI needs to be monitored, audited, and protected. Having the CUI in one set of systems does not guarantee control. Physical location, network, authentication, and infrastructure must all be evaluated to ensure that the CUI is accessed only by those authorized to use it.

4. Composed: Does the site have mature information technology practices?

Unrelated to CUI specifically, many of the security controls center on good IT practices. Are backups run? Are operating system patches applied? Is antivirus installed and functional? These practices cover a majority of the controls.

Working through these four steps will guide progress to getting the site into full and maintainable compliance.

Below, the details of each of the four steps is further explained, with guidance provided to getting through each. Sample high-level designs will explain how different sites may adopt a pattern that meets the federal requirements. Also, general and policy questions will be addressed. 

Request a NIST Compliance Consultation

With the trusted cybersecurity professionals at Base2 Solutions in your court, your company can efficiently and effectively move through the process to reach compliance before the deadline. Submit the contact form on the right and gain the peace of mind that comes with knowing your company can continue to accept government contracts, while complying with the NIST 800-171 standards, or even move to the next level of security. It will be December 31, 2017, soon enough. Are you ready?