Explore UAB

NIST SP 800-171

NIST Special Publication (SP) 800-171 is a security framework designed to safeguard Controlled Unclassified Information (CUI). The framework provides guidance for protecting unclassified government data that is processed, stored, and/or transmitted by non-federal information systems.

At UAB, NIST 800-171 is tied to government-sponsored research contracts and protects student records and personally identifiable information (PII). For universities, such consumer information includes, but is not limited to student financial aid and grant information, payment history, and student loan information.

CIU Classification

At UAB, CUI is classified by the Data Classification Rule to be Restricted/PHI data because many instances of storing, processing, or transmitting CUI will be tied to security requirements for GLBA or export-controlled data.


The 800-171 framework consists of administrative, technical, and operational security controls designed to focus on protecting the confidentiality of unclassified-but-controlled information. There are 109 separate controls that fall into 14 different control families:

  • Access control
  • Awareness and training
  • Audit and accountability
  • Configuration management
  • Identification and authentication
  • Incident response
  • Maintenance
  • Media protection
  • Personnel security
  • Physical protection
  • Risk assessment
  • Security assessment
  • System and communications protection
  • System and information security

The control families above include more than just a technology component. People and processes also must be considered, and controls must be created to ensure that authorized people take the appropriate actions when working with CUI. An organization can have the best technological security solution in the world, but without quality people and secure workflow processes, the security that the technology provides can be greatly diminished or ineffective.

Additional Resources

To review NIST SP 800-171’s 109 required controls, please visit NIST’s 800-171 website, download the document in PDF form, and begin reading Section 3 and Appendix E.

Also, review the Restricted/PHI data matrix of the UAB Data Protection Rule to understand what university-specific security controls also need to be implemented in a UAB project that involves 800-171 and CUI.