NIST 800-171 requirements – in layman’s terms

In our last blog post, we gave an overview of NIST compliance and why it is so important. In this blog post, we provide you with a quick, very high-level breakdown of the NIST 800-171 Requirement Families.

Each family falls under one of the three main functions of cybersecurity: protect, detect, or recover.

  • Protect – Protect your systems from harm or intrusion to the highest level possible
  • Detect – Detect when a breach is in progress or has occurred, from either inside or outside your organization
  • Recover – Ensure you have the systems and procedures in place to recover from an incident as efficiently and effectively as possible, while following all legal requirements

There are 14 families of requirements in NIST 800-171. In the NIST Special Publication document, the families are presented in alphabetic order, but it may make a little more sense to divide them into their security function. So, that’s what we’ve done below:


3.1 Access control – addresses who can access which data, under which circumstances, how they access it and how that access is controlled and monitored. One main idea in this section is the concept of least privileged access, giving a user the least amount of access to data and systems that still allows them to get their job done.

3.2 Awareness and training – addresses how users should be trained and kept aware of the risks, policies, standards, and procedures.

3.4 Configuration management – focuses on creating and maintaining a baseline of your organizational system configurations and inventory (hardware, software, firmware, documentation), then controlling, tracking, analyzing, and documenting any changes.

3.5 Identification and authentication­ – focuses on the systems, processes, and procedures used to identify and authenticate a user, process, or device. Passwords and multifactor authentication requirements fall in this area.

3.7 Maintenance – highlights systems maintenance and how maintenance personnel should be controlled or supervised. This section also discusses sanitizing your equipment’s CUI if it must be moved off-site for maintenance.

3.8 Media protection – discusses the requirements to protect, limit access to, and finally sanitize or destroy any system media (both paper and digital) that contain CUI.

3.9 Personnel security – spotlights the process of screening personnel prior to access and limiting their access to CUI during terminations and transfers.

3.10 Physical protection – focuses on limiting, monitoring, and logging physical access to systems by employees and visitors.

3.12 Security assessment – aims to ensure that there are periodic reviews of an organization’s security controls and documentation, as well as maintaining a plan of action for when a deficiency is uncovered.

3.13 System and communication protection – discusses the ways that an organization monitors, controls and protects communication and transfer of data both inside and outside the organization, including effective information security practices and separating user functionality from system functionality.


3.3 Audit and accountability – ensures that system and user actions are logged, recorded and then monitored so that those actions can be traced, analyzed, investigated and reported in the event of unauthorized activity.

3.11 Risk assessment – focuses on periodically assessing risks to the organization (operations, assets, and individuals), as well as scanning for and remediating any vulnerabilities (from both inside and outside the network).  

3.14 System and information integrity – outlines the need for anti-virus and -malware protection, as well as monitoring network traffic both internally and externally, to detect indicators of potential attack.


3.6 Incident response – and finally, this family discusses establishing the capability of handling an incident, as well as tracking, documenting and reporting incidents to the appropriate people both inside and outside of the organization.

That’s the scoop…

So, there you have it…in (fairly) brief, plain English…what the NIST requirements are all about.

To learn more about the details you can take a look at the NIST special publication document.

What IT Direct can do to help

IT Direct provides a NIST Gap Assessment that looks at your current processes, procedures, hardware, software, and documentation. We provide you with a full understanding of where you stand, and the improvements or changes that need to occur for your organization to be NIST compliant. We help to guide you through the process of acquiring technology and creating documentation to put you on the path of compliance. And ultimately, we implement the technology you need to be safe, secure, and NIST compliant.

For more information, feel free to fill out the form below:

  • This field is for validation purposes and should be left unchanged.