NIST 800-171

Protect controlled unclassified information with 110 security requirements across 14 control families aligned with federal contractor obligations.

How Kiteworks Supports NIST 800-171 Compliance

NIST Special Publication 800-171 establishes 110 security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. Required by DFARS clause 252.204-7012 for all Department of Defense contractors, NIST 800-171 provides the security foundation for protecting sensitive government information that resides outside of federal systems. Kiteworks delivers comprehensive capabilities that address requirements across all 14 security families, enabling organizations to protect CUI while maintaining operational efficiency.

14 Security Requirement Families

NIST 800-171 organizes its 110 security requirements into 14 families. Kiteworks provides coverage across all families, with particularly strong support for the data protection and communication-focused requirements:

| Family                                     | Requirements | Kiteworks Coverage                                  |
|--------------------------------------------|--------------|-----------------------------------------------------|
| Access Control (AC)                        | 22           | Comprehensive RBAC, least privilege, MFA            |
| Awareness and Training (AT)                | 3            | Security awareness through policy enforcement       |
| Audit and Accountability (AU)              | 9            | Complete audit logging, immutable records           |
| Configuration Management (CM)              | 9            | Centralized configuration, change control           |
| Identification and Authentication (IA)     | 11           | MFA, certificate-based auth, SSO                    |
| Incident Response (IR)                     | 3            | Real-time alerting, forensic logging                |
| Maintenance (MA)                           | 6            | Controlled maintenance, remote access controls      |
| Media Protection (MP)                      | 9            | Encryption, secure deletion, DRM                    |
| Personnel Security (PS)                    | 2            | User provisioning, access revocation                |
| Physical Protection (PE)                   | 6            | Hardened virtual appliance, data center controls    |
| Risk Assessment (RA)                       | 3            | Vulnerability scanning, risk analytics              |
| Security Assessment (CA)                   | 4            | Continuous monitoring, compliance reporting         |
| System and Communications Protection (SC)  | 16           | FIPS encryption, boundary protection, TLS           |
| System and Information Integrity (SI)      | 7            | Malware protection, integrity monitoring            |

Access Control (22 Requirements)

The Access Control family is the largest in NIST 800-171, reflecting its importance in CUI protection. Kiteworks addresses all 22 requirements, including:

  • 3.1.1 - Authorized Access: Limit system access to authorized users, processes acting on behalf of authorized users, and devices.
  • 3.1.2 - Transaction Control: Limit access to the types of transactions and functions that authorized users are permitted to execute.
  • 3.1.3 - CUI Flow Control: Control the flow of CUI in accordance with approved authorizations, preventing unauthorized data movement.
  • 3.1.4 - Separation of Duties: Separate duties of individuals to reduce the risk of malevolent activity without collusion.
  • 3.1.5 - Least Privilege: Employ the principle of least privilege, including for specific security functions and privileged accounts.
  • 3.1.22 - Publicly Accessible Content: Control information posted or processed on publicly accessible systems to prevent CUI exposure.

Audit and Accountability (9 Requirements)

Kiteworks provides robust audit capabilities meeting all 9 AU family requirements, including:

  • Audit Record Creation: Create and retain system audit logs sufficient to establish what events occurred, when, where, the source, and the outcome.
  • Individual Accountability: Ensure that the actions of individual system users can be uniquely traced to those users.
  • Audit Review and Reporting: Review and update logged events regularly through the CISO Dashboard and automated reports.
  • Audit Reduction: Provide audit record reduction and report generation capabilities to support on-demand analysis.
  • Timestamp Correlation: Use internal system clocks, synchronized to an authoritative time source, to generate timestamps for audit records so events can be correlated across systems.
  • Audit Protection: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

Configuration Management

Kiteworks supports configuration management requirements through:

  • Baseline configurations for all system components with documented settings
  • Change management controls requiring approval for configuration modifications
  • Security impact analysis of proposed configuration changes
  • Restriction of nonessential programs, functions, ports, and protocols
  • Application whitelisting and software restriction policies

Identification and Authentication

Strong identification and authentication is critical for CUI protection. Kiteworks provides:

  • Multi-Factor Authentication: Require MFA for all network and local access to CUI systems.
  • Replay-Resistant Authentication: Implement authentication mechanisms that resist replay attacks.
  • Identifier Management: Manage system identifiers by receiving authorization, disabling inactive identifiers, and preventing reuse.
  • Password Management: Enforce minimum password complexity and change requirements.
  • Cryptographic Authentication: Authenticate devices and users with certificate-based methods.

System and Communications Protection (16 Requirements)

The SC family addresses the protection of communications and systems processing CUI. Kiteworks delivers:

  • Boundary Protection: Monitor, control, and protect communications at system boundaries with built-in WAF, firewall, and IDS.
  • Cryptographic Protection: FIPS 140-validated AES-256 encryption at rest and TLS 1.2/1.3 in transit.
  • Network Disconnect: Terminate network connections at the end of sessions or after defined inactivity periods.
  • CUI Confidentiality: Protect the confidentiality of CUI at rest and in transit using customer-controlled encryption keys.
  • Collaborative Device Control: Prohibit remote activation of collaborative computing devices with granular control settings.

CUI Program and Marking

Proper identification and marking of CUI is fundamental to NIST 800-171 compliance. Kiteworks supports:

  • Content classification and tagging aligned with CUI Registry categories
  • Automated policy enforcement based on CUI markings
  • Document watermarking for tracking and accountability
  • Dissemination control indicators and handling instructions

Assessment Methodology (NIST 800-171A)

NIST SP 800-171A provides the assessment procedures for evaluating compliance. Kiteworks supports assessments by:

  • Evidence Generation: Automated collection of compliance evidence across all 110 requirements.
  • Control Documentation: Comprehensive documentation of how each security requirement is implemented.
  • Assessment Support: Tools and reports that facilitate both self-assessments and third-party evaluations.
  • Gap Analysis: Identification of areas where additional controls or improvements are needed.

Scoring Methodology

The DoD Assessment Methodology assigns scores to NIST 800-171 implementations. Kiteworks helps organizations achieve higher scores by:

  • Providing full implementation of applicable security requirements (maximum point values)
  • Documenting implementation status for all 110 requirements
  • Supporting Plan of Action and Milestones for requirements not yet fully implemented
  • Enabling organizations to demonstrate progress toward full compliance

SPRS Submission Support

Organizations must submit their NIST 800-171 assessment scores to the Supplier Performance Risk System (SPRS). Kiteworks supports this by:

  • Generating assessment documentation for SPRS submission
  • Tracking score improvements over time as additional controls are implemented
  • Providing evidence for the highest achievable assessment methodology (Level 3 - High)
  • Supporting the System Security Plan (SSP) required for SPRS submission

By implementing Kiteworks, organizations handling CUI can address the majority of NIST 800-171 requirements through a single platform, significantly reducing the complexity and cost of achieving and maintaining compliance.