NIST 800-171 Control Families Described

The security requirements in NIST SP 800-171 (Revision 2) are organized into 14 families, each grouping the requirements that address one general security topic. (Revision 3, published in 2024, reorganizes them into 17 families by adding Planning, System and Services Acquisition, and Supply Chain Risk Management; the 14 families below follow the Revision 2 layout.) A brief overview of each family follows.

Access Control


This family limits system access to authorized users, to processes acting on behalf of authorized users, and to authorized devices (including other systems), and limits those users and processes to the transactions and functions they are permitted to execute. Organizations must ensure that only the personnel, system processes and accounts that genuinely need access to CUI within a system or network are granted it, and that access is granted according to the principle of least privilege.

Awareness and Training

The Awareness and Training family requires that managers, system administrators and users are made aware of the security risks associated with their activities and of the policies, standards and procedures that apply to them, and that personnel are trained to carry out their assigned security-related duties. This includes recurring security awareness training, including training to recognize and report potential insider threat indicators, as well as role-specific training for administrators.

Audit and Accountability

This family focuses on accountability: organizations must create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity, and must ensure that the actions of individual users can be uniquely traced to those users so they can be held accountable. Related requirements cover protecting audit information and audit tools from unauthorized access, modification and deletion, and synchronizing system clocks to an authoritative time source so that records can be correlated.

Configuration Management

This family requires organizations to establish and maintain baseline configurations and inventories of their systems (hardware, software, firmware and documentation) throughout the system development life cycle, and to establish and enforce security configuration settings for the products they deploy. Changes to systems must be tracked, reviewed and approved, and nonessential programs, functions, ports, protocols and services restricted or disabled, so that systems operate in a known, measurable state.

Identification and Authentication

This family requires that users, processes acting on behalf of users, and devices be identified and their identities authenticated (or verified) before they are allowed access to organizational systems and CUI. The mechanisms must be strong enough to resist credential theft and replay: the requirements include multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts, replay-resistant authentication for network access, and password rules such as minimum complexity, prohibiting reuse, and storing and transmitting only cryptographically protected passwords.

Incident Response

Even the most robust security measures cannot prevent every compromise, so this family requires organizations to establish an operational incident-handling capability covering preparation, detection, analysis, containment, recovery and user response activities; to track, document and report incidents to designated officials and authorities both inside and outside the organization; and to test the incident response capability so that it works when it is actually needed.

Maintenance

This family governs how maintenance is performed on organizational systems and who performs it. It requires organizations to perform maintenance, to provide controls on the tools, techniques, mechanisms and personnel used to conduct it, to sanitize equipment of any CUI before it is removed for off-site maintenance, to check media containing diagnostic and test programs for malicious code before use, to require multifactor authentication for nonlocal maintenance sessions (and to terminate those sessions when the work is complete), and to supervise maintenance personnel who lack the required access authorization. Note that routine patching of vulnerabilities falls under System and Information Integrity (flaw remediation) rather than this family; what Maintenance is concerned with is that maintenance activity itself does not become a path for compromise.

Media Protection

The Media Protection family covers how media containing CUI is handled, transported, stored, marked with appropriate CUI markings and distribution limitations, and protected from unauthorized access. It requires media to be sanitized or destroyed before disposal or release for reuse, CUI stored on digital media to be protected by cryptography during transport outside controlled areas, the use of removable media on system components to be controlled, portable storage devices with no identifiable owner to be prohibited, and backups of CUI to be protected. It applies to both digital and non-digital media, including flash drives, external hard drives, paper and microfilm.

Personnel Security

This family requires that individuals, including employees, contractors and vendors, are screened before they are authorized to access systems containing CUI, and that those systems and CUI remain protected during and after personnel actions such as terminations and transfers, for example by promptly revoking access and recovering organization-owned equipment and credentials.

Physical Protection

The Physical Protection family limits physical access to organizational systems, equipment and their operating environments to authorized individuals, protecting them from theft, tampering or damage. It requires organizations to escort visitors and monitor their activity, to maintain audit logs of physical access, to control and manage physical access devices such as keys and badges, and to enforce safeguards for CUI at alternate work sites. It applies to servers and network equipment as well as laptops, printers, mobile devices, portable workstations and other physical equipment.

Risk Assessment

This family requires organizations to periodically assess the risk to organizational operations, organizational assets and individuals that results from operating systems that process, store or transmit CUI; to scan for vulnerabilities in those systems and applications periodically and whenever significant new vulnerabilities are identified; and to remediate the vulnerabilities found in accordance with the assessed risk.

Security Assessment

This family requires organizations to periodically assess the security controls in their systems to determine whether the controls are effective in their application, to develop and implement plans of action (POA&Ms) to correct deficiencies and reduce or eliminate vulnerabilities, to monitor security controls on an ongoing basis to ensure they remain effective, and to develop, document and periodically update a system security plan (SSP) describing system boundaries, operating environments, how the requirements are implemented, and relationships with or connections to other systems.

System and Communications Protection

This family requires organizations to monitor, control and protect communications (information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of those systems, and to employ architectural designs, software development techniques and systems engineering principles that promote effective security. Its requirements include separating user functionality from system management functionality, denying network traffic by default and allowing it by exception, preventing unauthorized and unintended information transfer via shared resources, employing cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission (using FIPS-validated cryptography where cryptography is employed to protect CUI), and protecting the confidentiality of CUI at rest.

System and Information Integrity


The System and Information Integrity family requires organizations to identify, report and correct system flaws in a timely manner; to provide protection from malicious code at designated locations and keep those mechanisms updated; to monitor security alerts and advisories and take action in response; to perform periodic and real-time scans of files from external sources; and to monitor systems, including inbound and outbound communications traffic, to detect attacks, indicators of potential attacks, and unauthorized use. Together these requirements aim to ensure that systems and the information they hold remain trustworthy and have not been altered accidentally or maliciously.

As these families illustrate, achieving and maintaining compliance extends well beyond the IT department: it involves personnel screening, physical security, training, documented procedures and ongoing assessment across the entire organization.
