NIST 800-171 – Controls Download, Checklist, and Mapping – XLS CSV

What is NIST 800-171?

The National Institute of Standards and Technology (NIST) published Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations in June 2015. The purpose of this NIST publication is to provide guidance to federal agencies to ensure that federal information is
protected when processed, stored, and used in non-federal information systems.

NIST 800-171 applies to Controlled Unclassified Information shared by the federal government with a nonfederal entity. The federal government often shares data with institutions for research purposes. NIST 800-171 applies when the federal government shares controlled unclassified information with higher education institutions. That being said, the controls specified in NIST 800-171 will need to be addressed in those institutional IT systems that store any Controlled Unclassified Information.

What is Controlled Classified Information

U.S. government information classifications have been clearly defined when dealing with classified (or national security) information. An information security professional in today’s higher education realm may not have had an opportunity to interact with systems dealing with government classified information unless he or she served in the U.S. military or worked for a federal agency. Until recently, the unclassified realm contained various subcategories and definitions that were created by federal agencies. These information categories identified information, mostly paper-based, and required additional protection from disclosure, but not to the level of classified information. In summary, Controlled Unclassified Information describes any information that is not in the classified category. Its use was specifically intended for federal agencies to manage their own complex world of nonclassified information.

NIST 800-171 Requirements and Responses

As federal contracts begin to specify the Controlled Unclassified Information shared by the federal government and require NIST 800-171 compliance, institutions need to ensure that those persons using such data and the systems processing such data are aware of the data-protection requirements specified by NIST 800-171. This process takes time. An institution should be prepared to ask for additional time to comply with NIST 8800-171, especially to meet the contractual negotiation process, if their infrastructure is entangled within their campus-computing system.

Does My Organization need to comply with NIST 800-171?

Institutions continue to be impacted by NIST Special Publication 800-17 in order to refine their IT systems and the data they receive from the federal government.

    • NIST 800-171 applies to data that the federal government designates as Controlled Unclassified Information when they are shared by the federal government with a nonfederal entity and there is no other law in place to protect the data.
    • Controlled Unclassified Information includes data received as part of a research grant or to conduct business.
    • A higher education institution must review its contracts with federal agencies carefully. There must be a contract referencing both the data the federal agency is sharing, and that the institution must follow the terms of NIST 800-171

800-171 Risk Assessment & Controls Gap Assessment

As part of NIST 800-171, your organization is required to have a formal risk assessment from a qualified 3rd party firm. Our patented methodology is designed to help save your organization time and resources by creating a control framework mapping designed for your organization. We can help you test and comply with multiple frameworks simultaneously.

Contact us to learn more about our 800-171 Audit and Risk Assessment services.

800-171 Penetration Testing

NightLion Security provides the advanced penetration testing services for networks and web applications needed to comply with NIST 800-171. Further, our tailored penetration testing services will help prepare your infrastructure to meet the challenges of your 800-171 certification audit.

Click here to learn more about our 800-171 Penetration Testing services.

Download the NIST 800-171 Controls and Assessment Checklist in XLS / CSV format

Download from
We’ve moved! We now have a new site dedicated to providing free control framework downloads. You can even create your own customized control mapping.
Check us out at

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.